Manage public Internet certificates for SSL communications sessions

You can use Digital Certificate Manager (DCM) to manage public Internet certificates for your applications to use for establishing secure communications sessions with the Secure Sockets Layer (SSL).

If you do not use DCM to operate your own Local Certificate Authority (CA), you must first create the appropriate certificate store for managing the public certificates that you use for SSL. This is the *SYSTEM certificate store. When you create a certificate store, DCM takes you through the process of creating the certificate request information that you must provide to the public CA to obtain a certificate.

To use DCM to manage and use public Internet certificates so that your applications can establish SSL communications sessions, follow these steps:

  1. Start DCM.
  2. In the navigation frame of DCM, select Create New Certificate Store to start the guided task and complete a series of forms. These forms guide you through the process of creating a certificate store and a certificate that your applications can use for SSL sessions.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
  3. Select *SYSTEM as the certificate store to create and click Continue.
  4. Select Yes to create a certificate as part of creating the *SYSTEM certificate store and click Continue.
  5. Select VeriSign or other Internet Certificate Authority (CA) as the signer of the new certificate, and click Continue to display a form that allows you to provide identifying information for the new certificate.
    Note: If yoursystem has an IBM® Cryptographic Coprocessor installed, DCM allows you to select how to store the private key for the certificate as the next task. If your system does not have a coprocessor, DCM automatically places the private key in the *SYSTEM certificate store. If you need help with selecting how to store the private key, see the online help in DCM.
  6. Complete the form and click Continue to display a confirmation page. This confirmation page displays the certificate request data that you must provide to the public Certificate Authority (CA) that will issue your certificate. The Certificate Signing Request (CSR) data consists of the public key and other information that you specified for the new certificate.
  7. Carefully copy and paste the CSR data into the certificate application form, or into a separate file, that the public CA requires for requesting a certificate. You must use all the CSR data, including both the Begin and End New Certificate Request lines. When you exit this page, the data is lost and you cannot recover it. Send the application form or file to the CA that you have chosen to issue and sign your certificate.
    Note: You must wait for the CA to return the signed, completed certificate before you can finish this procedure.

    To use certificates with the HTTP Server for your system, you must create and configure your Web server before working with DCM to work with the signed completed certificate. When you configure a Web server to use SSL, an application ID is generated for the server. You must make a note of this application ID so that you can use DCM to specify which certificate this application must use for SSL.

    Do not end and restart the server until you use DCM to assign the signed completed certificate to the server. If you end and restart the *ADMIN instance of the Web server before assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate to the server.

  8. After the public CA returns your signed certificate, start DCM.
  9. In the navigation frame, click Select a Certificate Store and select *SYSTEM as the certificate store to open.
  10. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
  11. After the navigation frame refreshes, select Manage Certificates to display a list of tasks.
  12. From the task list, select Import certificate to begin the process of importing the signed certificate into the *SYSTEM certificate store. After you finish importing the certificate, you can specify the applications that must use it for SSL communications.
  13. In the navigation frame, select Manage Applications to display a list of tasks.
  14. From the task list, select Update certificate assignment to display a list of SSL-enabled applications for which you can assign a certificate.
  15. Select an application from the list and click Update Certificate Assignment.
  16. Select the certificate that you imported and click Assign New Certificate. DCM displays a message to confirm your certificate selection for the application.
    Note: Some SSL-enabled applications support client authentication based on certificates. If you want an application with this support to be able to authenticate certificates before providing access to resources, you must define a CA trust list for the application. This ensures that the application can validate only those certificates from CAs that you specify as trusted. If a user or a client application presents a certificate from a CA that is not specified as trusted in the CA trust list, the application will not accept it as a basis for valid authentication.

When you finish the guided task, you have everything that you need to begin configuring your applications to use SSL for secure communications. Before users can access these applications through an SSL session, they must have a copy of the CA certificate for the CA that issued the server certificate. If your certificate is from a well-known Internet CA, your users' client software may already have a copy of the necessary CA certificate. If users need to obtain the CA certificate, they must access the Web site for the CA and follow the directions the site provides.

Parent topic: Manage certificates from a public Internet CA