Using a local CA to issue certificates for other System i models


Review this information to learn how to use a private local CA on one system to issue certificates for use on other System i™ models.

You may already be using a private local Certificate Authority (CA) on a system in your network. Now, you want to extend the use of this local CA to another system in your network. For example, you want your current local CA to issue a server or client certificate for an application on another system to use for SSL communications sessions. Or, you want to use certificates from your local CA on one system to sign objects that you store on another server.

You can accomplish this goal by using Digital Certificate Manager (DCM). You perform some of the tasks on the system on which you operate the local CA and others on the secondary system that hosts the applications for which you want to issue certificates. This secondary system is called the target system. The tasks that you perform on the target system depend on that system's release level.

You can encounter a problem if the system that hosts the local CA uses a cryptographic access provider product that provides stronger encryption than the target system. For OS/400® V5R2 and OS/400 V5R3 the only cryptographic access provider available is 5722-AC3, the strongest product available. In earlier releases, however, you could install other, weaker cryptographic access provider products (5722-AC1 or 5722-AC2) that provided lower levels of cryptographic function. When you export the certificate (with its private key), the system encrypts the file to protect its contents. If the CA system uses a stronger cryptographic product than the target system, the target system cannot decrypt the file during the import, so the import may fail or the certificate may not be usable for establishing SSL sessions. This is true even if you choose a key size for the new certificate that is appropriate for the cryptographic product on the target system: the key size governs the certificate itself, while the encryption of the export file is governed by the cryptographic provider installed on the CA system. Check which cryptographic access provider the target system has before you issue the certificate.

You can use your local CA to issue certificates to other systems, which you can then use for signing objects or have applications use for establishing SSL sessions. When you use the local CA to create a certificate for use on another system, the files that DCM creates contain a copy of the local CA certificate, as well as copies of certificates for many public Internet CAs.

The tasks that you perform in DCM vary slightly depending on the type of certificate that your local CA issues and on the release level and conditions of the target system.

Issue private certificates for use on another System i model

To use your local CA to issue certificates for use on another system, perform these steps on the system that hosts the local CA:

  1. Start DCM. Refer to Starting DCM.

  2. In the navigation frame, select Create Certificate to display a list of certificate types that you can use your local CA to create.

    You do not need to open a certificate store to complete this task. These instructions assume either that you are not working within a specific certificate store or that you are working within the local Certificate Authority (CA) certificate store. A local CA must exist on this system before you can perform these tasks. If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.

  3. Select the type of certificate that you want the local CA to issue, and click Continue to start the guided task and complete a series of forms.

  4. Select either to create a server or client certificate for another System i (for SSL sessions), or an object signing certificate for another System i (for use on another system).

    If you are creating an object signing certificate for another system to use, that system must be running OS/400 V5R1 or later version to use the certificate. Because the target system must be at OS/400 V5R1 or later, DCM on the local host system does not prompt you to select a target release format for the new object signing certificate.

  5. Complete the form and click Continue to display a confirmation page.

    If there is an existing *OBJECTSIGNING or *SYSTEM certificate store on the target system, be sure to specify a unique certificate label and unique file name for the certificate. Specifying a unique certificate label and file name ensures that you can easily import the certificate into the existing certificate store on the target system. This confirmation page displays the names of the files that DCM created for you to transfer to the target system. DCM creates these files based on the release level of the target system that you specified. DCM automatically puts a copy of the local CA certificate into these files.

    DCM creates the new certificate in its own certificate store and generates two files for you to transfer: a certificate store file (.KDB extension) and a request file (.RDB extension).

  6. Use File Transfer Protocol (FTP) in binary mode, or another method that preserves the files byte for byte, to transfer the files to the target system. The certificate store file contains the certificate's private key (encrypted, as described above). Plain FTP sends the files in the clear, so if you use it, do so on a trusted network, restrict the authority to the transferred copies on the target system, and delete them once the import succeeds.
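The transfer in step 6 is where a certificate becomes unusable in practice: an ASCII-mode FTP session rewrites line endings inside the .KDB file, and nothing on the target system reports that until the import fails. The shell script below is an added example, not part of the IBM DCM documentation: it writes a SHA-256 manifest for the files on the CA host, verifies the copies on the target system before you start the import, prints the batch commands for a binary-mode `ftp` session, and shows how an ASCII-mode copy is caught. The file names (CERT1.KDB, CERT1.RDB, dcm.sha256), the remote directory /tmp/dcm and the sample file contents are constructed for the example; the `quote site namefmt 1` subcommand is the IBM i FTP server's switch to path-style names and is assumed to be what you need for an IFS directory.

```shell
#!/bin/sh
# Added example, not IBM's code: integrity check for the DCM export files.
# The .KDB holds the (password-encrypted) private key and must arrive intact.
# File names, the remote path and sample contents are constructed.

# Portable SHA-256: GNU coreutils sha256sum, or Perl shasum where it is absent.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# dcm_manifest MANIFEST FILE...   Run on the CA host; transfer MANIFEST as well.
dcm_manifest() {
    manifest=$1; shift
    : > "$manifest" || return 1
    for f in "$@"; do
        _sha256 "$f" >> "$manifest" || return 1
    done
}

# dcm_verify MANIFEST   Run on the target system before the import.
# Returns 0 only if every file listed in MANIFEST matches its digest.
dcm_verify() {
    _sha256 -c "$1" >/dev/null 2>&1
}

# dcm_ftp_script REMOTE_DIR FILE...   Prints the batch commands for an ftp
# session (credentials come from ~/.netrc, not from this script), e.g.:
#   dcm_ftp_script /tmp/dcm CERT1.KDB CERT1.RDB dcm.sha256 | ftp targethost
dcm_ftp_script() {
    dir=$1; shift
    echo 'quote site namefmt 1'     # IBM i FTP server: path-style IFS names (assumed needed)
    echo 'binary'                   # the mode the procedure requires
    printf 'cd %s\n' "$dir"
    for f in "$@"; do printf 'put %s\n' "$f"; done
    echo 'quit'
}

# Emulate what an ASCII-mode upload does to a binary file: LF becomes CR LF.
# (A real ASCII transfer to an EBCDIC host translates far more than that.)
ascii_mode_copy() {
    awk 'BEGIN { ORS = "\r\n" } { print }' "$1" > "$2"
}

# dcm_demo   Builds constructed stand-ins for the DCM output in a scratch
# directory, writes the manifest, then verifies an intact copy (must pass)
# and an ASCII-mode copy (must fail). Returns 0 when both expectations hold.
dcm_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf 'KDB\001\002\n\003\004\n' > CERT1.KDB     # constructed, contains LF bytes
        printf 'RDB\n'                    > CERT1.RDB     # constructed
        dcm_manifest dcm.sha256 CERT1.KDB CERT1.RDB || exit 1
        mkdir intact ascii || exit 1
        cp CERT1.KDB CERT1.RDB dcm.sha256 intact/ || exit 1    # binary-mode transfer
        ascii_mode_copy CERT1.KDB ascii/CERT1.KDB || exit 1    # ASCII-mode transfer
        cp CERT1.RDB dcm.sha256 ascii/ || exit 1
        ( cd intact && dcm_verify dcm.sha256 ) || exit 1       # must verify
        if ( cd ascii && dcm_verify dcm.sha256 ); then exit 1; fi   # must be caught
        exit 0
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Run `dcm_manifest` on the CA host right after DCM reports the file names on the confirmation page, send the manifest with the two files, and run `dcm_verify` on the target system before you open DCM there; a mismatch means the copy was altered in transit (typically ASCII mode) and must be transferred again, not imported.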

  • Using a private certificate for SSL
    You manage the certificates that your applications use for SSL sessions from the *SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage certificates for SSL, then this certificate store will not exist on the target system.

  • Using a private certificate for signing objects on a target system
    You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system.


Parent topic: Managing DCM

Related concepts:
Backup and recovery considerations for DCM data
Public certificates versus private certificates