Use this information to learn how you can use your Local CA to issue private certificates to users without associating the certificate with an iSeries™ user profile.
In i5/OS™ V5R3 or later, there are two new APIs available that you can use to programmatically issue certificates to non-iSeries users. In previous releases, when you used your Local Certificate Authority (CA) to issue certificates to users, these certificates were automatically associated with their iSeries user profiles. Consequently, to use the Local CA to issue a certificate to a user for client authentication, you had to provide that user with an iSeries user profile. Also, when users needed to obtain a certificate from a Local CA for client authentication, each user had to use Digital Certificate Manager (DCM) to create the needed certificate. Therefore, each user must have a user profile on the iSeries server that hosts DCM and a valid signon to that iSeries server.
Having the certificate associated with a user profile has its advantages, especially when internal users are concerned. However, these restrictions and requirements made it less practical to use the Local CA to issue user certificates for a large number of users, especially when you do not want those users to have an iSeries user profile. To avoid providing user profiles to these users, you might require users to pay for a certificate from a well-known CA if you wanted to require certificates for user authentication for your applications.
These two new APIs provide support that allows you to provide an interface for creating user certificates signed by the Local CA certificate for any user name. This certificate will not be associated with a user profile. The user does not need to exist on the iSeries server that hosts DCM and the user does not need to use DCM to create the certificate.
There are two APIs, one for each of the predominate browser programs, that you can call when using Net.Data® to create a program for issuing certificates to users. The application that you create must provide the Graphical User Interface (GUI) code needed to create the user certificate and to call one of the appropriate API to use the Local CA to sign the certificate.