<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Store certificate keys on an IBM Cryptographic Coprocessor" />
<meta name="abstract" content="Review this information to learn how to use an installed coprocessor to provide more secure storage for your certificates' private keys." />
<meta name="description" content="Review this information to learn how to use an installed coprocessor to provide more secure storage for your certificates' private keys." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahumanagedcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuhwkeystorageoncard.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuhwassiststorage.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahucryptocardconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahucrp1_create_cert_on_hw" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Store certificate keys on an IBM Cryptographic Coprocessor</title>
</head>
<body id="rzahucrp1_create_cert_on_hw"><a name="rzahucrp1_create_cert_on_hw"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Store certificate keys on an IBM Cryptographic Coprocessor</h1>
<div><p>Review this information to learn how to use an installed coprocessor
to provide more secure storage for your certificates' private keys.</p>
<p>If you have installed an <a href="../rzajc/rzajcoverview.htm">IBM<sup>®</sup> Cryptographic
Coprocessor</a> on your system, you can use the coprocessor to provide
more secure storage for a certificate's private key. You can use the coprocessor
to store the private key for a server certificate, a client certificate, or
a local Certificate Authority (CA) certificate. However, you cannot use the
coprocessor for storing a user certificate private key because this key must
be stored on the user's system. Also, you cannot use the coprocessor to store
the private key for an object signing certificate at this time.</p>
<div class="p">You can use the coprocessor for certificate private key storage in one
of two ways: <ul><li>Storing the certificate private key directly on the coprocessor itself.</li>
<li>Using the coprocessor master key to encrypt the certificate private key
for storage in a special key file.</li>
</ul>
</div>
<p>You can select this key storage option as part of the process of creating
or renewing a certificate. Also, if you use the coprocessor to store a certificate's
private key, you can change the coprocessor device assignment for that key. </p>
<p>To use the coprocessor for private key storage, you must ensure that the
coprocessor is varied on before using Digital Certificate Manager (DCM). Otherwise,
DCM will not provide a page for selecting a storage option as part of the
certificate creation or renewal process. </p>
<p>If you are creating or renewing a server or client certificate, you select
the private key storage option after you select the type of CA that is signing
the current certificate. If you are creating or renewing a local CA, you select
the private key storage option as the first step in the process.</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzahuhwkeystorageoncard.htm">Store the certificate private key directly on the coprocessor</a></strong><br />
For extra security to protect access to and use of a certificate's
private key, you can choose to store the key directly on an IBM Cryptographic
Coprocessor. You can select this key storage option as part of creating or
renewing a certificate in Digital Certificate Manager (DCM).</li>
<li class="ulchildlink"><strong><a href="rzahuhwassiststorage.htm">Use the coprocessor master key to encrypt the certificate private key</a></strong><br />
For extra security to protect access to and use of a certificate's
private key, you can use the master key of an IBM Cryptographic Coprocessor to encrypt
the private key and store the key in a special key file. You can select this
key storage option as part of creating or renewing a certificate in Digital
Certificate Manager (DCM).</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahumanagedcm.htm" title="Use this information to learn how to use DCM to manage your certificates and the applications that use them. Also, you can learn about how to digitally sign objects and how to create and operate your own Certificate Authority.">Manage DCM</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahucryptocardconcept.htm" title="The cryptographic coprocessor provides proven cryptographic services, ensuring privacy and integrity, for developing secure e-business applications.">IBM Cryptographic Coprocessors for iSeries</a></div>
</div>
</div>
</body>
</html>