Managing certificates for verifying object signatures


You can use Digital Certificate Manager (DCM) to manage the signature verification certificates that you use to validate digital signatures on objects.

To sign an object, you use a certificate's private key to create the signature. When you send the signed object to others, include a copy of the certificate that signed the object. You do this by using DCM to export the object signing certificate (without the certificate's private key) as a signature verification certificate. You can export a signature verification certificate to a file that you can then distribute to others. Or, if you want to verify signatures that you create, you can export a signature verification certificate into the *SIGNATUREVERIFICATION certificate store.

To validate a signature on an object, you must have a copy of the certificate that signed the object. You use the signing certificate's public key, which the certificate contains, to check the signature that was created with the corresponding private key. Therefore, before you can verify the signature on an object, obtain a copy of the signing certificate from whoever provided you with the signed objects.

You must also have a copy of the Certificate Authority (CA) certificate for the CA that issued the certificate that signed the object. You use the CA certificate to verify the authenticity of the certificate that signed the object. DCM provides copies of CA certificates from most well-known CAs. If, however, the object was signed by a certificate from another public CA or a private local CA, you must obtain a copy of that CA certificate before you can verify the object signature.

To use DCM to verify object signatures, first create the appropriate certificate store for managing the necessary signature verification certificates; this is the *SIGNATUREVERIFICATION certificate store. When you create this certificate store, DCM automatically populates it with copies of most well-known public CA certificates.

If you want to be able to verify signatures that you created with your own object signing certificates, create the *SIGNATUREVERIFICATION certificate store and copy the certificates from the *OBJECTSIGNING certificate store into it. This is true even if you plan to perform signature verification from within the *OBJECTSIGNING certificate store.

To use DCM to manage your signature verification certificates, complete these tasks:

  1. Start DCM. Refer to Starting DCM.

  2. In the left navigation frame of DCM, select Create New Certificate Store to start the guided task and complete a series of forms.

    If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the online help.

  3. Select *SIGNATUREVERIFICATION as the certificate store to create and click Continue.

    If the *OBJECTSIGNING certificate store exists, at this point DCM will prompt you to specify whether to copy the object signing certificates into the new certificate store as signature verification certificates. If you want to use your existing object signing certificates to verify signatures, select Yes and click Continue. You must know the password for the *OBJECTSIGNING certificate store to copy the certificates from it.

  4. Specify a password for the new certificate store and click Continue to create the certificate store. A confirmation page displays to indicate that the certificate store was created successfully. Now you can use the store to manage and use certificates to verify object signatures.

    If you created this store so that you can verify signatures on objects that you signed, you can stop. As you create new object signing certificates, export them from the *OBJECTSIGNING certificate store into this certificate store. If you do not export them, you will not be able to verify the signatures that you create with them. If you created this certificate store so that you can verify signatures on objects that you received from other sources, continue with this procedure so that you can import the certificates that you need into the certificate store.

  5. In the navigation frame, click Select a Certificate Store and select *SIGNATUREVERIFICATION as the certificate store to open.

  6. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.

  7. After the navigation frame refreshes, select Manage Certificates to display a list of tasks.

  8. From the task list, select Import certificate. This guided task guides you through the process of importing the certificates that you need into the certificate store so that you can verify the signature on the objects that you received.

  9. Select the type of certificate that you want to import. Select Signature verification to import the certificate that you received with the signed objects and complete the import task.

    If the certificate store does not already contain a copy of the CA certificate for the CA that issued the signature verification certificate, import the CA certificate first. If you do not, importing the signature verification certificate may fail with an error.

You can now use these certificates to verify object signatures.
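The flow described above (a certificate is exported without its private key, the verifier checks the certificate against the issuing CA and then checks the signature with the certificate's public key) and the import-the-CA-first caveat in step 9, as an added Go example that is not part of this IBM documentation or of DCM itself. It builds a constructed local CA and an object signing certificate issued by it; the x509.CertPool plays the role of the *SIGNATUREVERIFICATION store, and the function and subject names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for pub with key and parses the result (parent == tmpl yields a self-signed CA).
func issue(tmpl, parent *x509.Certificate, pub, key any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// NewCAAndSigner builds a constructed local CA plus an object signing certificate it issued.
func NewCAAndSigner() (ca, signer *x509.Certificate, signerKey ed25519.PrivateKey) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	_, signerKey, _ = ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Local CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = issue(caTmpl, caTmpl, caKey.Public(), caKey)
	signer = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Object Signer"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)},
		ca, signerKey.Public(), caKey)
	return ca, signer, signerKey
}

// SignObject (signer side) uses the private key; only the matching certificate is ever exported to verifiers.
func SignObject(key ed25519.PrivateKey, object []byte) []byte {
	return ed25519.Sign(key, object)
}

// VerifyObject (verifier side): store stands in for *SIGNATUREVERIFICATION, signer is the certificate received
// with the object. Without the issuing CA in store, chain validation fails before the signature is looked at.
func VerifyObject(store *x509.CertPool, signer *x509.Certificate, object, sig []byte) error {
	opts := x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return err // untrusted or missing CA, expired, or not a code signing certificate
	}
	return signer.CheckSignature(x509.PureEd25519, object, sig) // uses the certificate's public key
}
```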
