Using the coprocessor master key to encrypt the certificate private key
To further protect a certificate's private key, you can have the master key of an IBM® Cryptographic Coprocessor encrypt that private key and store the encrypted key in a special keystore file. Because the stored key can be used only by a coprocessor that holds the same master key, a copy of the keystore file by itself does not expose the private key. You can select this key storage option as part of creating or renewing a certificate in Digital Certificate Manager (DCM).
Before you can use this option successfully, use the IBM Cryptographic Coprocessor configuration Web interface to create an appropriate keystore file. Also, use the coprocessor configuration Web interface to associate the keystore file with the coprocessor device description that you want to use. You can access the coprocessor configuration Web interface from the System i™ Tasks page.
If your system has more than one coprocessor device installed and varied on, you can choose to share the certificate's private key among multiple devices. In order for device descriptions to share the private key, all of the devices must have the same master key. The process for distributing the same master key to multiple devices is called cloning. Sharing the key among devices allows you to use Secure Sockets Layer (SSL) load balancing, which can improve performance for secure sessions.
Follow these steps from the Select a Key Storage Location page to use the coprocessor master key to encrypt the certificate's private key and store it in a special keystore file:
- Select Hardware encrypted as your storage option.
- Click Continue. This displays the Select a Cryptographic Device Description page.
- From the list of devices, select the one that you want to use for encrypting the certificate's private key.
- Click Continue. If you have more than one coprocessor device installed and varied on, the Select Additional Cryptographic Device Descriptions page displays.
If you do not have multiple coprocessor devices available, DCM continues to display pages for the task that you are completing, such as identifying information for the certificate that you are creating or renewing.
- From the list of devices, select the name of one or more device descriptions with which you want to share the certificate's private key.
The device descriptions that you select must have the same master key as the device you selected on the previous page. To verify that the master key is the same on the devices, use the Master Key Verification task in the 4758 Cryptographic Coprocessor Configuration Web interface. You can access the coprocessor configuration Web interface from the System i Tasks page.
- Click Continue. DCM continues to display pages for the task that you are completing, such as identifying information for the certificate that you are creating or renewing.
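The procedure above stores the private key in a keystore file encrypted under the coprocessor master key, and a second device can use that file only if it holds the same (cloned) master key. The following model, added here as an illustration and not DCM or coprocessor code, shows why the Master Key Verification step matters: a keystore record carries a one-way verification pattern of the master key that wrapped it, a device with a cloned master key unwraps the key, and a device with a different master key is refused before any unwrap is attempted. The device names CRP01..CRP03, the verification-pattern construction and the HMAC-based wrapping cipher are all assumptions made for this example; the real hardware uses its own algorithms.

```python
"""Conceptual model of master-key-encrypted private-key storage.

Added example, not DCM or CCA code. Models a coprocessor holding a
master key, a keystore record holding a private key wrapped under that
master key plus a verification pattern, and master-key cloning.
Standard library only; the wrapping cipher is a toy construction.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

VP_LEN = 8  # bytes of verification pattern kept in the record (assumption)


def verification_pattern(master_key: bytes) -> bytes:
    # One-way fingerprint of the master key: comparable across devices
    # without revealing the key. Hypothetical construction.
    return hashlib.sha256(b"MKVP" + master_key).digest()[:VP_LEN]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy keystream, constructed for
    # this example only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass(frozen=True)
class KeystoreRecord:
    mk_vp: bytes        # verification pattern of the wrapping master key
    nonce: bytes
    wrapped_key: bytes  # private key encrypted under the master key
    tag: bytes          # integrity tag over nonce + wrapped_key


class Coprocessor:
    """A device description with its own master key register."""

    def __init__(self, name: str, master_key: Optional[bytes] = None):
        self.name = name
        self.master_key = master_key if master_key is not None else os.urandom(32)

    def clone_master_key_to(self, other: "Coprocessor") -> None:
        # Loading identical master-key bytes into another device models cloning.
        other.master_key = self.master_key

    def _subkeys(self):
        enc = hashlib.sha256(b"wrap-enc" + self.master_key).digest()
        mac = hashlib.sha256(b"wrap-mac" + self.master_key).digest()
        return enc, mac

    def wrap_private_key(self, private_key: bytes) -> KeystoreRecord:
        enc_key, mac_key = self._subkeys()
        nonce = os.urandom(16)
        ks = _keystream(enc_key, nonce, len(private_key))
        wrapped = bytes(a ^ b for a, b in zip(private_key, ks))
        tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        return KeystoreRecord(verification_pattern(self.master_key), nonce, wrapped, tag)

    def unwrap_private_key(self, rec: KeystoreRecord) -> bytes:
        # First check: does this device hold the master key the record needs?
        if not hmac.compare_digest(rec.mk_vp, verification_pattern(self.master_key)):
            raise PermissionError(f"{self.name}: master key does not match keystore record")
        enc_key, mac_key = self._subkeys()
        expected = hmac.new(mac_key, rec.nonce + rec.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec.tag):
            raise ValueError(f"{self.name}: keystore record failed integrity check")
        ks = _keystream(enc_key, rec.nonce, len(rec.wrapped_key))
        return bytes(a ^ b for a, b in zip(rec.wrapped_key, ks))


def same_master_key(a: Coprocessor, b: Coprocessor) -> bool:
    # Models the Master Key Verification task: compare patterns, not key bytes.
    return hmac.compare_digest(verification_pattern(a.master_key),
                               verification_pattern(b.master_key))


def demo() -> dict:
    # Constructed stand-in for a certificate's private key bytes.
    private_key = b"-----BEGIN PRIVATE KEY----- constructed sample bytes"
    crp01 = Coprocessor("CRP01")
    crp02 = Coprocessor("CRP02")        # independent master key: not cloned
    crp03 = Coprocessor("CRP03")
    crp01.clone_master_key_to(crp03)    # cloned: same master key as CRP01

    record = crp01.wrap_private_key(private_key)   # what the keystore file holds
    results = {
        "crp01_same_as_crp02": same_master_key(crp01, crp02),
        "crp01_same_as_crp03": same_master_key(crp01, crp03),
        "crp03_unwraps": crp03.unwrap_private_key(record) == private_key,
        "record_hides_key": record.wrapped_key != private_key,
    }
    try:
        crp02.unwrap_private_key(record)
        results["crp02_unwraps"] = True
    except PermissionError:
        results["crp02_unwraps"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see that only the device with the cloned master key can use the record. The check on the verification pattern is done before the integrity check and the unwrap, which mirrors the order the procedure asks for: confirm the master keys match with the Master Key Verification task, then select the additional device descriptions.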
Parent topic: Storing certificate keys on an IBM Cryptographic Coprocessor

Related information: Cryptography overview