Digital Certificate Management APIs
The digital certificate management APIs enable X.509 certificates to be
associated with a user profile. The APIs add, remove, list, and find certificates that are associated with
user profiles.
This section also includes APIs for registering applications that use
certificates. Applications that need to use certificates make themselves
known by registering. As part of that registration, an application
identifies an exit program that is to be called:
- whenever a certificate is assigned to the application or if the certificate
assignment changes.
- whenever a Certificate Authority (CA) is added to or removed from the trust
list for the application.
- whenever the information about the application is being changed.
- whenever the application is being deregistered.
The application is, therefore, not responsible for providing a user interface
for certificate management. When the application starts, it can retrieve the
name and location of the certificate assigned to the application and use it for
initiating a Secure Sockets Layer (SSL) session or some other operation that
requires a certificate.
The digital certificate management APIs are:
- Add User Certificate (QSYADDUC, QsyAddUserCertificate) associates a certificate with an i5/OS user profile.
- Add Validation List Certificate (QSYADDVC, QsyAddVldlCertificate) adds a certificate to a validation list.
- Check Validation List Certificate (QSYCHKVC, QsyCheckVldlCertificate) determines whether a certificate is in a validation list.
- Deregister Application for Certificate Use (QSYDRGAP, QsyDeregisterAppForCertUse) removes an application and all associated certificate information from the registration facility.
- Export Certificate Store (QYKMEXPK, QykmExportKeyStore) exports a certificate store to a PKCS 12 version 3 standard file.
- Find Certificate User (QSYFNDCU, QsyFindCertificateUser) finds the user that is associated with a certificate.
- Generate and Sign User Certificate Request (QYCUGSUC) generates a user certificate request and then signs the certificate request using the local Certificate Authority (CA).
- Get Default Key Item (QYKMGDKI, QykmGetDefaultKeyItem) retrieves the label of the default certificate in a certificate store.
- Import Certificate Store (QYKMIMPK, QykmImportKeyStore) imports a certificate store from a PKCS 12 version 3 standard file.
- List User Certificates (QSYLSTUC, QsyListUserCertificates) lists the certificates in the user profile.
- List Validation List Certificates (QSYLSTVC, QsyListVldlCertificates) lists the certificates in the validation list.
- Open List of User Certificates (QSYOLUC) provides a list of user certificates associated with a user.
- Parse Certificate (QSYPARSC, QsyParseCertificate) parses a certificate and puts the results in the caller's storage.
- Register Application for Certificate Use (QSYRGAP, QsyRegisterAppForCertUse) registers an application with the registration facility.
- Remove User Certificate (QSYRMVUC, QsyRemoveUserCertificate) removes a certificate from an i5/OS user profile.
- Remove Validation List Certificate (QSYRMVVC, QsyRemoveVldlCertificate) removes a certificate from a validation list.
- Retrieve Digital ID Configuration Information (QsyRetrieveDigitalIDConfig()) retrieves digital ID configuration information.
- Set Digital ID Configuration Information (QsySetDigitalIDConfig()) sets digital ID configuration information.
- Sign User Certificate Request (QYCUSUC) signs a user certificate request using the local Certificate Authority (CA).
Note: All of these APIs, except Register and Deregister Application for Certificate Use,
require that Digital Certificate Manager (DCM), option 34 of i5/OS(TM) (5722-SS1), be installed.