z/OS Cryptographic Services PKI Services Guide and Reference


Steps for signing the PKI Services ActiveX programs

SA23-2286-00

Perform the following steps to sign the ActiveX programs that PKI Services provides and make them available to PKI Services users.

Before you begin

  • You need to have a tool such as Microsoft Visual Studio that builds an installer program.
  • You need a code signing certificate with an Extended Key Usage of Code Signing and its private key. If you don't have one, you can request one from PKI Services using the 2-year Authenticode template. Follow the instructions for requesting a server certificate in Steps for requesting a new certificate. Then export the certificate and its private key to a PKCS #12 file and download it to the Windows platform. In step 2.a, Microsoft Sign Tool will use the certificate to sign PKIXEnroll.dll and PKICEnroll.dll.

Procedure

  1. Create directories on the PKI Services server for the .exe and .msi programs that you will build in step 2.a. Create one directory for Windows XP and earlier versions of Windows, and one for Windows Vista and later versions of Windows.

    _______________________________________________________

  2. Sign each of the ActiveX programs. Perform the following steps twice, once for PKIXEnroll.dll and once for PKICEnroll.dll.
    a. Use Microsoft Sign Tool (signtool.exe) to sign the ActiveX program (PKIXEnroll.dll or PKICEnroll.dll) with the code signing certificate. You can download Microsoft Sign Tool at http://msdn.microsoft.com/en-us/library/aa387764(VS.85).aspx.
    b. Build the installer programs. You need a tool such as Microsoft Visual Studio. For Windows XP and below, use PKIXEnrollDeploy as the project name; the outputs for the installer program are:
      • setup.exe
      • PKIXEnrollDeploy.msi
      For Windows Vista and above, use PKICEnrollDeploy as the project name; the outputs for the installer program are:
      • setup.exe
      • PKICEnrollDeploy.msi
      For detailed instructions, see Steps for building the installer programs using Microsoft Visual Studio.
    c. Use Microsoft Sign Tool and the code signing certificate that you used in step 2.a to sign the installer programs.

    _______________________________________________________

  3. Upload the signed installer programs to the directories you created on the PKI Services server in step 1.
    Note: Be sure to upload the programs in binary mode, so that the files are not altered during the transfer.

    _______________________________________________________

  4. Update the HTTP configuration files.
    a. Update httpd.conf. Change the following statements to specify the directories you created in step 1.
      Pass /PKIServ/PKIXEnroll/*   /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
      Pass /PKIServ/PKICEnroll/*   /usr/lpp/pkiserv/ActiveX/PKICEnroll/*
    b. Update httpd2.conf. Change the following statements to specify the directories you created in step 1.
      Pass /PKIServ/PKIXEnroll/*   /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
      Pass /PKIServ/PKICEnroll/*   /usr/lpp/pkiserv/ActiveX/PKICEnroll/*

    _______________________________________________________
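The signing steps above, written as a PowerShell script. This is an added example and not part of the IBM guide. It assumes signtool.exe is on PATH; the script name, PFX path, digest choice and timestamp parameter are hypothetical.

```powershell
# Added example, not IBM's code. Assumptions: signtool.exe is on PATH; the PFX
# path, digest algorithm and timestamp URL are placeholders for illustration.
# Run once for the DLLs (step 2.a), then again for the built installers:
#   .\Sign-PkiActiveX.ps1 -Files .\PKIXEnroll.dll, .\PKICEnroll.dll
#   .\Sign-PkiActiveX.ps1 -Files .\setup.exe, .\PKIXEnrollDeploy.msi
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $PfxPath = 'C:\codesign\codesign.p12',  # placeholder path
    [string] $Digest = 'SHA256',                     # assumption: use what the target Windows versions accept
    [string] $TimestampUrl = ''                      # optional RFC 3161 timestamp server
)
$ErrorActionPreference = 'Stop'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'                # Extended Key Usage: Code Signing

# Prompt for the PKCS #12 password rather than storing it in the script.
$secure = Read-Host -AsSecureString 'PKCS #12 password'

# Pre-check: the certificate must carry its private key and the Code Signing EKU.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $secure)
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $cert.HasPrivateKey) { throw "No private key in $PfxPath" }
if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $codeSigningOid) {
    throw "Certificate '$($cert.Subject)' lacks the Code Signing extended key usage"
}

# signtool takes the password as an argument; it is visible in local process listings.
$plain = [System.Net.NetworkCredential]::new('', $secure).Password
$signArgs = @('sign', '/f', $PfxPath, '/p', $plain, '/fd', $Digest)
if ($TimestampUrl) { $signArgs += @('/tr', $TimestampUrl, '/td', $Digest) }

foreach ($file in $Files) {
    & signtool.exe @signArgs $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file" }

    # /pa applies the default Authenticode policy. This fails unless the issuing
    # CA certificate is trusted on this machine.
    & signtool.exe verify /pa $file
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $file" }
}

# Hashes to compare against the copies on the server after the binary upload.
Get-FileHash -Algorithm SHA256 -Path $Files | Format-Table -AutoSize Hash, Path
```

Comparing the printed SHA-256 values with hashes computed on the server after step 3 confirms that the transfer did not alter the signed files.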

Results

When you are done, you have signed the ActiveX programs provided by PKI Services and made them available to PKI Services users.





Copyright IBM Corporation 1990, 2014