Creating a signed certificate and key provides a fast path for creating a signed certificate that resides in the same key database file or z/OS® PKCS #11 token as the displayed signing Certificate Authority certificate. From the Key Management Menu or Token Management Menu, select 1 - Manage keys and certificates to display the Key and Certificate List or Token Key and Certificate List respectively. Find the label of the signing Certificate Authority certificate and enter the number associated with the label. From the Key and Certificate Menu or Token Key and Certificate Menu, choose option 10 to create a signed certificate and key.
Note: This requires the displayed certificate to have signing capability.
The Certificate Usage menu appears, followed by menus to select the certificate key algorithm and key size (or the ECC key type and EC named curve if ECC is selected as the certificate key algorithm; see Creating a signed ECC certificate and key). Once these details are determined, you will be prompted to enter:
- a label to uniquely identify the key and certificate within the key database or z/OS PKCS #11 token
- the individual fields within the subject name
- certificate expiration. The valid range for a self-signed certificate is 1 to 9999 days. The default is 365 days.
Figure 1. Enter Certificate Details
Certificate Usage
1 - CA certificate
2 - User or server certificate
Select certificate usage (press ENTER to return to menu): 2 <enter>
Certificate Key Algorithm
1 - Certificate with an RSA key
2 - Certificate with a DSA key
3 - Certificate with an ECC key
4 - Certificate with a Diffie-Hellman key
Select certificate key algorithm (press ENTER to return to menu): 1 <enter>
RSA Key Size
1 - 1024-bit key
2 - 2048-bit key
3 - 4096-bit key
Select RSA key size (press ENTER to return to menu): 1 <enter>
Enter label (press ENTER to return to menu): signedcert <enter>
Enter subject name for certificate
Common name (required): My signed Certificate <enter>
Organizational unit (optional): ID <enter>
Organization (required): IBM <enter>
City/Locality (optional): Endicott <enter>
State/Province (optional): NY <enter>
Country/Region (2 characters - required): US <enter>
Enter number of days certificate will be valid (default 365): 300 <enter>
Enter 1 to specify subject alternate names or 0 to continue: 1
Please wait .....
Press option 0 to continue or option 1 to specify the subject alternate names. If option 1 is selected, the Subject Alternate Name Type menu appears.
Figure 2. Subject Alternate Name Type
Subject Alternate Name Type
1 - Directory name (DN)
2 - Domain name (DNS)
3 - E-mail address (SMTP)
4 - Network address (IP)
5 - Uniform resource identifier (URI)
Select subject alternate name type (press ENTER if name is complete): 1 <enter>
Enter subject name for certificate
Common name (required): Test server <enter>
Organizational unit (optional): ID <enter>
Organization (required): IBM <enter>
City/Locality (optional): Endicott <enter>
State/Province (optional): NY <enter>
Country/Region (2 characters - required): US <enter>
Subject Alternate Name Type
1 - Directory name (DN)
2 - Domain name (DNS)
3 - E-mail address (SMTP)
4 - Network address (IP)
5 - Uniform resource identifier (URI)
Select subject alternate name type (press ENTER if name is complete): <enter>
Please wait .....
When specifying subject alternate names, you are prompted for the type of the alternate name. After the alternate name type is determined, you will be prompted to enter:
- the individual fields within the subject name.
After the individual fields are completed, enter option 0 to continue or option 1 to specify another subject alternate name (repeat the process).
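An added check, not part of the IBM documentation or of gskkyman, that a practitioner can run once the new certificate and the signing CA certificate have been exported from the key database to PEM files: it confirms the certificate chains to that CA, reports the RSA key size, and lists the subject alternate names. It assumes openssl is on PATH; the certificates it generates in a temporary directory are constructed with openssl so the script runs offline and stand in for the exported files.

```shell
#!/bin/sh
# Added example (not gskkyman output or IBM code): checks on a certificate
# created by the procedure above, after it and the signing CA certificate
# have been exported from the key database to PEM files. Assumes openssl.
set -eu

# Does the certificate chain to the displayed signing CA certificate?
chains_to_ca() {            # $1 = CA PEM, $2 = certificate PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# RSA modulus size in bits. Figure 1 picks option 1 (1024-bit); anything
# below 2048 should be treated as a finding rather than a working choice.
key_bits() {                # $1 = certificate PEM
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject alternate names as openssl prints them (empty if none were set).
san_list() {                # $1 = certificate PEM
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

# Constructed sample so the script runs offline: a CA and a CA-signed leaf
# with the subject from Figure 1 and one hypothetical DNS alternate name.
make_sample() {             # $1 = work directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Test CA/O=IBM/C=US' \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj '/CN=My signed Certificate/OU=ID/O=IBM/L=Endicott/ST=NY/C=US' \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:test.example.com\n' > "$1/san.cnf"
  openssl x509 -req -days 300 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -out "$1/leaf.pem" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_sample "$WORK"
if chains_to_ca "$WORK/ca.pem" "$WORK/leaf.pem"; then echo "chain: ok"; else echo "chain: FAIL"; fi
echo "key bits: $(key_bits "$WORK/leaf.pem")"     # 2048 for the constructed sample
echo "SAN: $(san_list "$WORK/leaf.pem")"          # DNS:test.example.com
```

Replace the constructed ca.pem and leaf.pem with the exported files to check a certificate actually created through the menus.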