z/OS Cryptographic Services PKI Services Guide and Reference


Using the end-user Web pages

SA23-2286-00

This topic describes how the end user can use the PKI Services Web pages.
Note:
  1. The PKI Services Web pages in this topic might differ slightly from those on the Web. If your installation customized the templates, the Web pages in this topic might differ greatly from those you view on the Web. Additionally, the pages might contain differences depending on the browser you are using. (This topic assumes you are using Internet Explorer.) If you need to see the exact content, view the pages on the Web.
  2. If you are using Internet Explorer on a Microsoft Windows system, you might need to set up the Windows system and Internet Explorer to work with PKI Services. For information about how to do this, see Using the PKI Services Web application with Internet Explorer on Windows systems.
By default, the end user can perform the following tasks:
  • Install a CA certificate into the browser.
  • Request a new certificate.
  • Pick up a previously requested certificate.
  • Renew or revoke a previously issued browser certificate.
  • Recover a certificate and private key, if PKI Services generated the keys for the certificate.
  • Install the PKI Services ActiveX program needed to install a renewed certificate using the Internet Explorer browser.
Table 1 lists the types of certificates you can request:
Table 1. Types of certificates you can request
Type of certificate | Use
One-year PKI SSL browser certificate | End-user client authentication using SSL
One-year PKI S/MIME browser certificate | Browser-based e-mail encryption
One-year PKI generated key certificate | Generation of public and private keys by PKI Services
Two-year PKI browser certificate for authenticating to z/OS | End-user client authorization using SSL when logging onto z/OS
Two-year PKI Authenticode - code signing server certificate | Software signing
Two-year PKI Windows logon certificate | End-user client authentication for an Active Directory user logging in to a Windows desktop using a smart card
Five-year PKI SSL server certificate | SSL Web server certification
Five-year PKI IPSEC server (firewall) certificate | Firewall server identification and key exchange
Five-year PKI intermediate CA server certificate | Subordinate (non-self-signed) certificate-authority certification
Five-year SCEP certificate | Creation of a preregistration record for certificate requestors. (Certificate requestors using Simple Certificate Enrollment Protocol (SCEP) must be preregistered.) Unlike other templates, this template is intended for administration use only.
n-year PKI browser certificate for extensions demonstration | Demonstration of all extensions supported by PKI Services
One-year SAF browser certificate | End-user client authentication where the security product (RACF®, not PKI Services) is the certificate provider. Note: The certificate generated by this template cannot be managed by the PKI Services administrator.
One-year SAF server certificate | Web server SSL certification where the security product (RACF, not PKI Services) is the certificate provider. Note: The certificate generated by this template cannot be managed by the PKI Services administrator.

Special consideration for using SAF templates:

The templates that control processing of the SAF certificates listed in Table 1 perform only a subset of the function available natively in RACF through the RACDCERT TSO command or the ISPF panels. They are provided to enable a Web interface for requesting certificates from RACF for browsers and off-platform servers. They are not intended to be a complete replacement for RACF certificate function.

Restriction: If you wish to generate a certificate for a server running on the local z/OS® system (in other words, for a system using the RACF database where the signing certificate resides), do not use the "One-year SAF server certificate" template. Instead, use the RACDCERT TSO command or ISPF panels directly. Using the "One-year SAF server certificate" template might cause the loss of the private key if the authenticating user ID is not the same as the user ID specified when generating the certificate request in RACF.


Copyright IBM Corporation 1990, 2014