ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahurzahu4anactingownca.htm

161 lines
12 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create and operate a Local CA" />
<meta name="abstract" content="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications." />
<meta name="description" content="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications." />
<meta name="DC.Relation" scheme="URI" content="rzahudcmfirsttime.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu404selectingusercatasks.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuissuepublicusercerts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu461installcacert.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4afinternetvsprivcert.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4apcaanotherdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu404selectingusercatasks.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuissuepublicusercerts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu461installcacert.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu4an-acting_own_ca" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create and operate a Local CA</title>
</head>
<body id="rzahu4an-acting_own_ca"><a name="rzahu4an-acting_own_ca"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create and operate a Local CA</h1>
<div><p>This information explains how to create and operate
a Local Certificate Authority (CA) to issue private certificates for your
applications.</p>
<div class="section"> <p>After careful review of your security needs and policies, you
have decided to operate a Local Certificate Authority (CA) to issue private
certificates for your applications. You can use Digital Certificate Manager
(DCM) to create and operate your own Local CA. DCM provides you with a guided
task path that takes you through the process of creating a CA and using it
to issue certificates to your applications. The guided task path ensures that
you have everything you need to begin using digital certificates to configure
applications to use SSL and to sign objects and verify object signatures. </p>
<div class="note"><span class="notetitle">Note:</span> To
use certificates with the <span class="keyword">IBM<sup>®</sup> HTTP Server for i5/OS™</span> ,
you must create and configure your Web server before working with DCM. When
you configure a Web server to use SSL, an application ID is generated for
the server. You must make a note of this application ID so that you can use
DCM to specify which certificate this application will use for SSL. <p>Do
not end and restart the server until you use DCM to assign a certificate to
the server. If you end and restart the *ADMIN instance of the Web server before
assigning a certificate to it, the server will not start and you will not
be able to use DCM to assign a certificate to the server. </p>
</div>
<p>To
use DCM to create and operate a Local CA, follow these steps: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>.</span></li>
<li class="stepexpand"><span>In the navigation frame of DCM, select Create a Certificate Authority
(CA) to display a series of forms. These forms guide you through the process
of creating a Local CA and completing other tasks needed to begin using digital
certificates for SSL, object signing, and signature verification. </span> <div class="note"><span class="notetitle">Note:</span> If
you have questions about how to complete a specific form in this guided task,
select the question mark (?) button at the top of the page to access the online
help.</div>
</li>
<li class="stepexpand"><span>Complete all the forms for this guided task. In using these forms
to perform all the tasks that you need to set up a working Local Certificate
Authority (CA), you: </span><ol type="a"><li class="substepexpand"><span>Choose how to store the private key for the Local CA certificate.
(This step is provided only if you have an IBM Cryptographic Coprocessor installed
on your system. If your system does not have a cryptographic coprocessor,
DCM automatically stores the certificate and its private key in the Local
Certificate Authority (CA) certificate store.)</span></li>
<li class="substepexpand"><span>Provide identifying information for the Local CA. </span></li>
<li class="substepexpand"><span>Install the Local CA certificate on your PC or in your browser
so that your software can recognize the Local CA and validate certificates
that the CA issues.</span></li>
<li class="substepexpand"><span>Choose the policy data for your Local CA.</span></li>
<li class="substepexpand"><span>Use the new Local CA to issue a server or client certificate
that your applications can use for SSL connections. (If your system has an IBM Cryptographic
Coprocessor installed, this step allows you to select how to store the private
key for the server or client certificate. If your system does not have a coprocessor,
DCM automatically places the certificate and its private key in the *SYSTEM
certificate store. DCM creates the *SYSTEM certificate store as part of this
subtask.) </span></li>
<li class="substepexpand"><span>Select the applications that can use the server or client certificate
for SSL connections.</span> <div class="note"><span class="notetitle">Note:</span> If you used DCM previously to create
the *SYSTEM certificate store to manage certificates for SSL from a public
Internet CA, you do not perform this or the previous step.</div>
</li>
<li class="substepexpand"><span>Use the new Local CA to issue an object signing certificate
that applications can use to digitally sign objects. This subtask creates
the *OBJECTSIGNING certificate store; this is the certificate store that you
use to manage object signing certificates.</span></li>
<li class="substepexpand"><span>Select the applications that can use the object signing certificate
to place digital signatures on objects.</span> <div class="note"><span class="notetitle">Note:</span> If you used DCM previously
to create the *OBJECTSIGNING certificate store to manage object signing certificates
from a public Internet CA, you do not perform this or the previous step.</div>
</li>
<li class="substepexpand"><span>Select the applications that will trust your Local CA.</span></li>
</ol>
</li>
</ol>
<div class="section"> <p>When you finish the guided task, you have everything that you
need to begin <a href="../rzain/rzainoverview.htm">configuring
your applications to use SSL</a> for secure communications. </p>
<p>After
you configure your applications, users that access the applications through
an SSL connection must use DCM to obtain a copy of the Local CA certificate.
Each user must have a copy of the certificate so that the user's client software
can use it to authenticate the identity of the server as part of the SSL negotiation
process. Users can use DCM either to copy the Local CA certificate to a file
or to download the certificate into their browser. How the users store the
Local CA certificate depends on the client software that they use to establish
an SSL connection to an application .</p>
<p>Also, you can use this Local CA
to issue certificates to applications on other <span class="keyword">iSeries™</span> systems
in your network. </p>
<p>To learn more about using DCM to manage user certificates
and how users can obtain a copy of the Local CA certificate to authenticate
certificates the Local CA issues, review these topics: </p>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzahurzahu404selectingusercatasks.htm">Manage user certificates</a></strong><br />
You can use Digital Certificate Manager (DCM) to obtain certificates
with SSL or associate existing certificates with their <span class="keyword">iSeries</span> user
profiles.</li>
<li class="ulchildlink"><strong><a href="rzahuissuepublicusercerts.htm">Use APIs to programmatically issue certificates to non-iSeries users</a></strong><br />
Use this information to learn how you can use your Local CA to
issue private certificates to users without associating the certificate
with an <span class="keyword">iSeries</span> user profile.</li>
<li class="ulchildlink"><strong><a href="rzahurzahu461installcacert.htm">Obtain a copy of the private CA certificate</a></strong><br />
Review this information to learn how to obtain a copy of the private CA certificate and install it on your PC so that you can authenticate any server certificates that the CA issues.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahudcmfirsttime.htm" title="Use this information to learn how to get started managing certificates from a public Internet Certificate Authority (CA) or how to create and operate a private Local CA to issue certificates.">Set up certificates for the first time</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahu4afinternetvsprivcert.htm" title="Review this information to learn how to determine which type of certificate (public or private) best suits your business needs.">Public certificates versus private certificates</a></div>
<div><a href="rzahurzahu404selectingusercatasks.htm" title="You can use Digital Certificate Manager (DCM) to obtain certificates with SSL or associate existing certificates with their iSeries user profiles.">Manage user certificates</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahurzahu4apcaanotherdcm.htm" title="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems.">Use a Local CA to issue certificates for other iSeries systems</a></div>
<div><a href="rzahurzahu461installcacert.htm" title="Review this information to learn how to obtain a copy of the private CA certificate and install it on your PC so that you can authenticate any server certificates that the CA issues.">Obtain a copy of the private CA certificate</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzahuissuepublicusercerts.htm" title="Use this information to learn how you can use your Local CA to issue private certificates to users without associating the certificate with an iSeries user profile.">Use APIs to programmatically issue certificates to non-iSeries users</a></div>
</div>
</div>
</body>
</html>