<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Public certificates versus private certificates" />
<meta name="abstract" content="Review this information to learn how to determine which type of certificate (public or private) best suits your business needs." />
<meta name="description" content="Review this information to learn how to determine which type of certificate (public or private) best suits your business needs." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4aagetstarteddcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuandeim.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuissuepublicusercerts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurequestuser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4anactingownca.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu66cdcminternetcertsr4.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4apcaanotherdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4afinternetvsprivcert.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahudcmfirsttime.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4afinternetvsprivcert.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahusignsigningobjects.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu4af-internet_vs_priv_cert" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Public certificates versus private certificates </title>
</head>
<body id="rzahu4af-internet_vs_priv_cert"><a name="rzahu4af-internet_vs_priv_cert"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Public certificates versus private certificates </h1>
<div><p>Review this information to learn how to determine which type of
certificate (public or private) best suits your business needs. </p>
<div class="p">You can use certificates from a public CA or you can create and operate
a private CA to issue certificates. How you choose to obtain your certificates
depends on how you plan to use them. Once you decide on the type of CA to
issue the certificates, you need to choose the type of certificate
implementation that best suits your security needs. The choices that you have
for obtaining your certificates include: <ul><li>Purchasing your certificates from a public Internet Certificate Authority
(CA).</li>
<li>Operating your own Local CA to issue private certificates for your users
and applications.</li>
<li>Using a combination of certificates from public Internet CAs and your
own Local CA.</li>
</ul>
</div>
<p>Which of these implementation choices you make depends on a number of factors,
one of the most important being the environment in which the certificates
are used. Here's some information to help you better determine which implementation
choice is right for your business and security needs.</p>
<p><span class="uicontrol">Using public certificates</span></p>
<p>Public Internet CAs issue certificates to anyone who pays the necessary
fee. However, an Internet CA still requires some proof of identity before
it issues a certificate. This level of proof varies, though, depending on
the identification policy of the CA. You need to evaluate whether the stringency
of the identification policy of the CA suits your security needs before deciding
to obtain certificates from the CA or to trust the certificates that it issues.
As Public Key Infrastructure for X.509 (PKIX) standards have evolved, some
public CAs now provide much more stringent identification standards for issuing
certificates. While the process for obtaining certificates from such PKIX
CAs is more involved, the certificates the CA issues provide better assurance
for securing access to applications by specific users. Digital Certificate
Manager (DCM) allows you to use and manage certificates from PKIX CAs that
use these new certificate standards.</p>
<p>You must also consider the cost associated with using a public CA to issue
certificates. If you need certificates for a limited number of server or client
applications and users, cost may not be an important factor for you. However,
cost can be particularly important if you have a large number of <em>private</em> users
that need public certificates for client authentication. In this case, you
need to also consider the administrative and programming effort needed to
configure server applications to accept only a specific subset of certificates
that a public CA issues.</p>
<p>Using certificates from a public CA may save you time and resources because
many server, client, and user applications are configured to recognize most
of the well-known public CAs. Also, other companies and users may recognize
and trust certificates that a well-known public CA issues more than those
that your private Local CA issues.</p>
<p><span class="uicontrol">Using private certificates</span></p>
<p>If you create your own Local CA, you can issue certificates to systems
and users within a more limited scope, such as within your company or organization.
Creating and maintaining your own Local CA allows you to issue certificates
only to those users who are trusted members of your group. This provides better
security because you can control who has certificates, and therefore who has
access to your resources, more stringently. A potential disadvantage of maintaining
your own Local CA is the amount of time and resources that you must invest.
However, Digital Certificate Manager (DCM) makes this process easier for you.</p>
<p>When you use a Local CA to issue certificates to users for client authentication,
you need to decide where you want to store the user certificates. When users
obtain their certificates from the Local CA through DCM their certificates
are stored with a user profile by default. However, you can configure DCM
to work with Enterprise Identity Mapping (EIM) so that their certificates
are stored in a Lightweight Directory Access Protocol (LDAP) location instead.
If you prefer not to have user certificates associated or stored with a user
profile in any manner, you can use APIs to programmatically issue certificates
to non-iSeries users.</p>
<div class="note"><span class="notetitle">Note:</span> No matter which CA you use to issue your certificates, the system administrator
controls which CAs applications on that system will trust. If a copy
of a certificate for a well-known CA can be found in your browser, your browser
can be set to trust server certificates that were issued by that CA. Administrators
set trust for CA certificates in the appropriate DCM certificate store, which
contains copies of most well-known public CA certificates. However, if a CA
certificate is not in your certificate store, your server cannot trust user
or client certificates that were issued by that CA until you obtain and import
a copy of the CA certificate. The CA certificate must be in the correct file
format and you must add that certificate to your DCM certificate store.</div>
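<p>A worked example, added here and not part of the original topic, of the two server-side decisions described above: a client certificate chains only once the issuing CA's certificate has been imported into the application's certificate store, and an application that accepts only a subset of certificates additionally checks which CA the chain ends at. It is written in Go with the standard library's x509 package rather than DCM's own APIs; the CA names, keys and certificates are constructed test data.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey; a nil parent yields a self-signed CA (test data).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accept is the server-side check: chain to a CA in the store, and that CA must be the one this app accepts.
func Accept(client *x509.Certificate, store *x509.CertPool, allowedCA *x509.Certificate) error {
	chains, err := client.Verify(x509.VerifyOptions{Roots: store})
	if err != nil || chains[0][len(chains[0])-1].Equal(allowedCA) {
		return err // nil only when the chain ends at allowedCA; "unknown authority" if the CA is not in the store
	}
	return errors.New("chains to a trusted CA, but not the one accepted for this application")
}

// Scenario: alice's certificate is rejected until the Local CA certificate is imported into the store.
func Scenario() (beforeImport, afterImport, wrongCA error) {
	localCA, localKey := issue("Example Local CA", 1, nil, nil)
	otherCA, _ := issue("Some Public CA", 2, nil, nil)
	alice, _ := issue("alice", 3, localCA, localKey)
	store := x509.NewCertPool() // the application's certificate store, initially empty
	beforeImport = Accept(alice, store, localCA)
	store.AddCert(localCA) // import a copy of the CA certificate into the store
	afterImport = Accept(alice, store, localCA)
	wrongCA = Accept(alice, store, otherCA) // valid chain, but not the CA this application accepts
	return
}
```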
<p>You may find it helpful to review some common certificate usage scenarios
to help you choose whether using public or private certificates best suits
your business and security needs.</p>
<p><span class="uicontrol">Related tasks</span></p>
<div class="p">After you decide how you want to use certificates and which type to use,
review these procedures to learn more about how to use Digital Certificate
Manager to put your plan into action: <ul><li>Creating and operating a private CA describes the tasks that you must
perform if you choose to operate a Local CA to issue private certificates.</li>
<li>Managing certificates from a public Internet CA describes the tasks that
you must perform to use certificates from a well-known public CA, including
a PKIX CA.</li>
<li>Using a Local CA on other <span class="keyword">iSeries™</span>
servers describes the tasks that you must perform if you want to use certificates
from a private Local CA on more than one system.</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4aagetstarteddcm.htm" title="Use this information to help you decide how and when you might use digital certificates to meet your security goals. Use this information to learn about any prerequisites you need to install, as well as other requirements that you must consider before using DCM.">Plan for DCM</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahu66cdcminternetcertsr4.htm" title="Review this information to learn how to manage certificates from a public Internet CA by creating a certificate store.">Manage certificates from a public Internet CA</a></div>
<div><a href="rzahurzahu4afinternetvsprivcert.htm" title="Review this information to learn how to determine which type of certificate (public or private) best suits your business needs.">Public certificates versus private certificates</a></div>
<div><a href="rzahudcmfirsttime.htm" title="Use this information to learn how to get started managing certificates from a public Internet Certificate Authority (CA) or how to create and operate a private Local CA to issue certificates.">Set up certificates for the first time</a></div>
<div><a href="rzahurzahusignsigningobjects.htm" title="Use this information to learn how to use certificates to ensure an object's integrity or to verify the digital signature on an object to verify its authenticity.">Digital certificates for signing objects</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahuandeim.htm" title="Using Enterprise Identity Mapping (EIM) and Digital Certificate Manager (DCM) together allows you to apply a certificate as the source of an EIM mapping lookup operation to map from the certificate to a target user identity associated with the same EIM identifier.">Digital certificates and Enterprise Identity Mapping (EIM)</a></div>
<div><a href="rzahurequestuser.htm" title="Review this information to learn how your users can use the Local CA to issue a certificate for client authentication.">Create a user certificate</a></div>
<div><a href="rzahurzahu4anactingownca.htm" title="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications.">Create and operate a Local CA</a></div>
<div><a href="rzahurzahu4apcaanotherdcm.htm" title="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems.">Use a Local CA to issue certificates for other iSeries systems</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzahuissuepublicusercerts.htm" title="Use this information to learn how you can use your Local CA to issue private certificates to users without associating the certificate with an iSeries user profile.">Use APIs to programmatically issue certificates to non-iSeries users</a></div>
</div>
</div>
</body>
</html>