You can use Digital Certificate Manager (DCM) to manage the signature
verification certificates that you use to validate digital signatures on objects.
To sign an object, you use a certificate's private key to create
the signature. When you send the signed object to others, you must include
a copy of the certificate that signed the object. You do this by using DCM
to export the object signing certificate (without the certificate's private
key) as a signature verification certificate. You can export a signature verification
certificate to a file that you can then distribute to others. Or, if you want
to verify signatures that you create, you can export a signature verification
certificate into the *SIGNATUREVERIFICATION certificate store.
To validate
a signature on an object, you must have a copy of the certificate that signed
the object. You use the signing certificate's public key, which the certificate
contains, to examine and verify the signature that was created with the corresponding
private key. Therefore, before you can verify the signature on an object,
you must obtain a copy of the signing certificate from whoever provided you
with the signed objects.
You must also have a copy of the Certificate
Authority (CA) certificate for the CA that issued the certificate that signed
the object. You use the CA certificate to verify the authenticity of the certificate
that signed the object. DCM provides copies of CA certificates from most well-known
CAs. If, however, the object was signed by a certificate from another public
CA or a private Local CA, you must obtain a copy of the CA certificate before
you can verify the object signature.
To use DCM to verify object signatures,
you must first create the appropriate certificate store for managing the necessary
signature verification certificates; this is the *SIGNATUREVERIFICATION certificate
store. When you create this certificate store, DCM automatically populates
it with copies of most well-known public CA certificates.
Note: If you want
to be able to verify signatures that you created with your own object signing
certificates, you must create the *SIGNATUREVERIFICATION certificate store
and copy the certificates from the *OBJECTSIGNING certificate store into it.
This is true even if you plan to perform signature verification from within
the *OBJECTSIGNING certificate store.
To use DCM to manage your
signature verification certificates, complete these tasks:
- Start
DCM.
- In the left navigation frame of DCM, select Create New
Certificate Store to start the guided task and complete a series
of forms.
Note: If you have questions about how to complete a specific
form in this guided task, select the question mark (?)
button at the top of the page to access the online help.
- Select *SIGNATUREVERIFICATION as the certificate
store to create and click Continue.
Note: If
the *OBJECTSIGNING certificate store exists, at this point DCM will prompt
you to specify whether to copy the object signing certificates into the new
certificate store as signature verification certificates. If you want to use
your existing object signing certificates to verify signatures, select Yes and
click Continue. You must know the password for the
*OBJECTSIGNING certificate store to copy the certificates from it.
- Specify a password for the new certificate store and click Continue to
create the certificate store. A confirmation page displays to indicate that
the certificate store was created successfully. Now you can use the store
to manage and use certificates to verify object signatures.
Note: If
you created this store so that you can verify signatures on objects that you
signed, you can stop. As you create new object signing certificates, you must
export them from the *OBJECTSIGNING certificate store into this certificate
store. If you do not export them, you will not be able to verify the signatures
that you create with them. If you created this certificate store so that you
can verify signatures on objects that you received from other sources, you
must continue with this procedure so that you can import the certificates
that you need into the certificate store.
- In the navigation frame, click Select a Certificate
Store and select *SIGNATUREVERIFICATION as
the certificate store to open.
- When the Certificate Store and Password page displays, provide
the password that you specified for the certificate store when you created
it and click Continue.
- After the navigation frame refreshes, select Manage
Certificates to display a list of tasks.
- From the task list, select Import certificate.
This guided task guides you through the process of importing the certificates
that you need into the certificate store so that you can verify the signature
on the objects that you received.
- Select the type of certificate that you want to import. Select Signature
verification to import the certificate that you received with
the signed objects and complete the import task.
Note: If the certificate
store does not already contain a copy of the CA certificate for the CA that
issued the signature verification certificate, you must import the CA certificate first;
importing the signature verification certificate before its CA certificate may fail
with an error. Obtain the CA certificate from a source you trust and confirm it with
the CA out of band (for example, by comparing its fingerprint), because every CA
certificate you import into this store is trusted to vouch for signing certificates.
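The following is an added example, not DCM code or part of this page, that shows in plain Go what the signing and verification steps above amount to: a private Local CA issues an object signing certificate, the object is signed with that certificate's private key, the certificate alone (never the key) is exported as a signature verification certificate, and the recipient accepts the signature only after the certificate chains to a CA certificate in its trust store. The empty-pool case mirrors the note above: without the CA certificate, verification fails before the public key is ever used. The CA name, signer name and sample object are assumptions constructed for the example; the Go certificate pool stands in for the *SIGNATUREVERIFICATION certificate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate from tmpl, signed by parentKey (self-signed when parent == tmpl).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewLocalCA stands in for a private Local CA: a self-signed CA certificate and its key.
func NewLocalCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueObjectSigningCert issues the code-signing certificate that would live in the
// *OBJECTSIGNING store, together with the private key that must never leave it.
func IssueObjectSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Object Signer"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	cert, err := makeCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// SignObject creates the object signature with the signer's private key
// (SHA-256 digest, ECDSA signature in ASN.1 DER form).
func SignObject(key *ecdsa.PrivateKey, object []byte) ([]byte, error) {
	digest := sha256.Sum256(object)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// ExportVerificationCert is the counterpart of exporting a signature verification
// certificate from DCM: the certificate alone, with no private key in the output.
func ExportVerificationCert(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// VerifyObject plays the recipient. trustedCAs stands in for the CA certificates held in
// *SIGNATUREVERIFICATION: the signing certificate must chain to one of them before its
// public key is used to check the signature over the object.
func VerifyObject(verCertPEM []byte, trustedCAs *x509.CertPool, object, sig []byte) error {
	block, _ := pem.Decode(verCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no certificate found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: trustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signing certificate is not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, object, sig); err != nil {
		return fmt.Errorf("object signature does not verify: %w", err)
	}
	return nil
}

func main() {
	ca, caKey, _ := NewLocalCA()
	signer, signerKey, _ := IssueObjectSigningCert(ca, caKey)
	object := []byte("constructed sample object") // constructed input
	sig, _ := SignObject(signerKey, object)
	exported := ExportVerificationCert(signer) // what you hand to the recipient
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("CA imported:   ", VerifyObject(exported, withCA, object, sig))
	fmt.Println("CA missing:    ", VerifyObject(exported, x509.NewCertPool(), object, sig))
	fmt.Println("object altered:", VerifyObject(exported, withCA, []byte("altered"), sig))
}
```

The order inside VerifyObject is the point: chain validation against the trusted CA certificates comes first, and only a certificate that passes it gets to vouch for the signature. A recipient who skips the CA check, or who imports a CA certificate without confirming where it came from, will accept signatures from anyone holding a certificate from that CA.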