Receiving certificate authority-signed personal certificates
Once the certificate signing request (CSR) is accepted, a certificate authority (CA) processes the request and verifies your identity. Once approved, the CA sends the signed certificate back through e-mail. Store the signed certificate in a keystore database file. This procedure describes how to receive the CA-signed certificate into a keystore file using the key management utility (iKeyman). You use this utility the same way for both test certificates and production certificates. The primary difference between the two certificate types is the amount of time it takes for the CA to authenticate the principal your certificate represents. Test certificates are authenticated automatically based on some simple edit checks and returned to you within a few hours. Production certificates may take several days or a week to authenticate and return to you. If the CSR request is made for the cryptographic token, the certificate must be received into that token. If the request is made for the secondary key database of the token, the certificate must be received into that database.
Before you beginReceive the signed certificate from the CA through e-mail. Follow the instructions from the CA to store the certificate into a file.
Read the http://www.ibm.com/developerworks/java/jdk/security/iKeymanDocs.zip file for further information about how to receive a personal certificate into a key database file from the CA.
- Start IKeyman, if it is not already running.
- Open the key database file from which you generated the request.
- Type the password and click OK.
- Select Personal Certificates from the pull-down list.
- Click Receive.
- Click Data type and select the data type of the new digital certificate, such as Base64-encoded ASCII data. Select the data type that matches the CA-signed certificate. If the CA sends the certificate as part of an E-mail message, you may first need to cut and paste the certificate into a separate file.
- Type the certificate file name and location for the new digital certificate, or click Browse to locate the CA-signed certificate.
- Click OK.
- Type a label for the new digital certificate and click OK.
ResultThe personal certificate list now displays the label you just gave for the new CA-signed certificate.
What to do nextOnce the CA-signed certificate is successfully received, one can extract or export the public key of the certificate to a file for distribution to the network.
Manage digital certificates
Extracting public certificates for truststore files