Certificates
This topic provides information on Secure Sockets Layer certificates.
Use the IBM HTTP Server IKEYMAN utility to create a CMS key database file and server certificate.
For IBM HTTP Server on z/OS, use the native z/OS® key management (gskkyman key database) to create a CMS key database file and server certificate.
Production web servers must use signed certificates purchased from a Certificate Authority that supports IBM HTTP Server, such as VeriSign or Thawte. The default certificate request file name is certreq.arm. The certificate request file is a PKCS #10 file, in Base64-encoded format.
You can use the IKEYMAN Key Management utility or the IKEYMAN Key Management utility command-line interface, both of which are provided with IBM HTTP Server, to create server certificates.
On z/OS, you can use the native z/OS key management (gskkyman key database) to create server certificates.
Self-signed certificates are useful for test purposes but should not be used in a production Web server.
For your convenience, IBM HTTP Server includes several default signer certificates. These default signer certificates have expiration dates, so verify the expiration dates of all your certificates and manage them appropriately. When you purchase a signed certificate from a CA, the CA provides access to its most recent signer certificates.
- List of trusted certificate authorities on the IBM HTTP Server
  Associate your public key with a digitally signed certificate from a certificate authority (CA) that is designated as a trusted root CA on your server. You can buy a signed certificate by submitting a certificate request to a certificate authority provider. The default certificate request file name is certreq.arm. The certificate request file is a PKCS #10 file, in Base64-encoded format.
- Certificate expiration dates
  You can display the expiration dates of certificates in your key database by viewing the certificate information with the IKEYMAN Key Management utility GUI or by using the gskcmd command.
- SSL Certificate revocation list and Online Certificate Status Protocol
  Learn about configuring certificate revocation checking for client certificates. Certificate revocation list (CRL) is a deprecated feature. You can use Online Certificate Status Protocol (OCSP) with TLS certificates.
- Obtaining certificates
  This section provides information to help you get started with secure connections on the Web server. Obtaining certificates is the first step in securing your Web server.