Creating and operating a local CA

This information explains how to create and operate a local Certificate Authority (CA) to issue private certificates for your applications.

After careful review of your security needs and policies, you have decided to operate a local Certificate Authority (CA) to issue private certificates for your applications. You can use Digital Certificate Manager (DCM) to create and operate your own local CA. DCM provides you with a guided task path that takes you through the process of creating a CA and using it to issue certificates to your applications. The guided task path ensures that you have everything you need to begin using digital certificates to configure applications to use SSL and to sign objects and verify object signatures.

To use certificates with the IBM® HTTP Server for i5/OS®, create and configure your Web server before working with DCM. When you configure a Web server to use SSL, an application ID is generated for the server. Make a note of this application ID: you need it in DCM to specify which certificate this application will use for SSL.

Do not end and restart the server until you have used DCM to assign a certificate to it. If you end and restart the *ADMIN instance of the Web server before a certificate is assigned, the server will not start, and because DCM itself runs under the *ADMIN instance you will then have no way to use DCM to assign a certificate to the server.

To use DCM to create and operate a local CA, follow these steps:

  1. Start DCM. Refer to Starting DCM.

  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.

    If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the online help.

  3. Complete all the forms for this guided task. As you work through these forms to set up a working local Certificate Authority (CA), you:
    1. Choose how to store the private key for the local CA certificate. (This step is provided only if you have an IBM Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the local Certificate Authority (CA) certificate store.)
    2. Provide identifying information for the local CA.
    3. Install the local CA certificate on your PC or in your browser so that your software can recognize the local CA and validate certificates that the CA issues.
    4. Choose the policy data for your local CA.
    5. Use the new local CA to issue a server or client certificate that your applications can use for SSL connections. (If your system has an IBM Cryptographic Coprocessor installed, this step allows you to select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this subtask.)
    6. Select the applications that can use the server or client certificate for SSL connections.

      If you used DCM previously to create the *SYSTEM certificate store to manage certificates for SSL from a public Internet CA, you do not perform this or the previous step.

    7. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This subtask creates the *OBJECTSIGNING certificate store; this is the certificate store that you use to manage object signing certificates.
    8. Select the applications that can use the object signing certificate to place digital signatures on objects.

      If you used DCM previously to create the *OBJECTSIGNING certificate store to manage object signing certificates from a public Internet CA, you do not perform this or the previous step.

    9. Select the applications that will trust your local CA.

When you finish the guided task, you have everything that you need to begin configuring your applications to use SSL for secure communications.

After you configure your applications, users who access the applications through an SSL connection must use DCM to obtain a copy of the local CA certificate. Each user must have a copy of the certificate so that the user's client software can use it to authenticate the identity of the server as part of the SSL negotiation process; without it, the client cannot validate the server certificate because the issuing CA is unknown to it. Users can use DCM either to copy the local CA certificate to a file or to download the certificate into their browser. How the users store the local CA certificate depends on the client software that they use to establish an SSL connection to an application.
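The guided task above (self-signed CA certificate, server certificate issued for the *SYSTEM store, object signing certificate for the *OBJECTSIGNING store) and the trust relationship this paragraph describes, shown as a worked example added here in Go. This is not DCM code or anything from IBM; it uses only the Go standard library, and the CA name "MYCO Local CA", the host name www.myco.example and the validity periods are assumptions for the example. The last two lines show the client-side check that fails while the client lacks the local CA certificate and succeeds once the client has installed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalCA is the CA certificate and its private key, the pair DCM keeps in the local CA certificate store.
type LocalCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair, completes tmpl (random 128-bit serial, validity start) and signs it; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLocalCA creates the self-signed CA certificate; commonName and validity stand in for the CA's identifying information and policy data.
func NewLocalCA(commonName string, validity time.Duration) (*LocalCA, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: commonName},
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // the CA key signs certificates and CRLs, nothing else
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cert: cert, Key: key}, nil
}

// Issue signs an end-entity certificate with the local CA: x509.ExtKeyUsageServerAuth for an SSL server
// certificate (*SYSTEM store), x509.ExtKeyUsageCodeSigning for an object signing certificate (*OBJECTSIGNING store).
func (ca *LocalCA) Issue(commonName string, dnsNames []string, usage x509.ExtKeyUsage, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{ // IsCA stays false: issued certificates can never sign other certificates
		Subject:     pkix.Name{CommonName: commonName},
		DNSNames:    dnsNames,
		NotAfter:    time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	return issue(tmpl, ca.Cert, ca.Key)
}

// VerifyServerCert is the check a client's SSL stack makes on a server certificate:
// it must chain to a trusted root in roots, match host, and permit server authentication.
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewLocalCA("MYCO Local CA", 5*365*24*time.Hour) // hypothetical CA name and policy
	if err != nil {
		panic(err)
	}
	srv, _, err := ca.Issue("www.myco.example", []string{"www.myco.example"}, x509.ExtKeyUsageServerAuth, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	// A client that has not installed the local CA certificate (empty trust store) rejects the server.
	fmt.Println("without local CA cert:", VerifyServerCert(srv, x509.NewCertPool(), "www.myco.example"))
	// The same client after installing the local CA certificate accepts it.
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Cert)
	fmt.Println("with local CA cert:", VerifyServerCert(srv, trusted, "www.myco.example"))
}
```

The first check fails with an unknown-authority error and the second succeeds, which is exactly why each user must obtain the local CA certificate from DCM before connecting. Note that an object signing certificate issued with x509.ExtKeyUsageCodeSigning is rejected by VerifyServerCert even when the CA is trusted: the extended key usage keeps the *OBJECTSIGNING certificate from being reused as an SSL server certificate.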

Also, you can use this local CA to issue certificates to applications on other System i™ models in your network.

To learn more about using DCM to manage user certificates, and about how users can obtain a copy of the local CA certificate to authenticate certificates the local CA issues, review the related topics listed below.

Parent topic:

Setting up certificates for the first time

Related concepts

Public certificates versus private certificates
Digital certificates for VPN connections
Managing user certificates