Storing certificate keys on an IBM Cryptographic Coprocessor
Review this information to learn how to use an installed coprocessor to provide more secure storage for your certificates' private keys.
If you have installed an IBM® Cryptographic Coprocessor on your system, you can use the coprocessor to provide more secure storage for a certificate's private key. You can use the coprocessor to store the private key for a server certificate, a client certificate, or a local Certificate Authority (CA) certificate. However, you cannot use the coprocessor for storing a user certificate private key because this key must be stored on the user's system. Also, you cannot use the coprocessor to store the private key for an object signing certificate at this time.
You can use the coprocessor for certificate private key storage in one of two ways:
- Storing the certificate private key directly on the coprocessor itself.
- Using the coprocessor master key to encrypt the certificate private key for storage in a special key file.
You can select this key storage option as part of the process of creating or renewing a certificate. Also, if you use the coprocessor to store a certificate's private key, you can change the coprocessor device assignment for that key.
To use the coprocessor for private key storage, ensure that the coprocessor is varied on before using Digital Certificate Manager (DCM). Otherwise, DCM will not provide a page for selecting a storage option as part of the certificate creation or renewal process.
If you are creating or renewing a server or client certificate, you select the private key storage option after you select the type of CA that is signing the current certificate. If you are creating or renewing a local CA, you select the private key storage option as the first step in the process.
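The vary-on check described above, shown as IBM i CL commands. This is an added example and not part of the IBM documentation; the device description name CRP01 is an assumption (crypto device descriptions are *CRP type objects and can be found with WRKDEVD), and the commands are typed at the command line before opening DCM in the browser:

```cl
/* Added example (not from the IBM documentation): confirm that the    */
/* cryptographic coprocessor is varied on before starting DCM.         */
/* The device description name CRP01 is an assumption; list your      */
/* device descriptions with WRKDEVD DEVD(*ALL) to find the *CRP one.  */

/* Show the current status of the cryptographic device description.  */
/* If the status reads VARIED OFF, DCM will not show the private key  */
/* storage page during certificate creation or renewal.               */
WRKCFGSTS CFGTYPE(*DEV) CFGD(CRP01)

/* Vary the device on if it is not already on.                         */
VRYCFG CFGOBJ(CRP01) CFGTYPE(*DEV) STATUS(*ON)

/* Re-check: the status should no longer read VARIED OFF before you  */
/* open DCM and begin creating or renewing the certificate.            */
WRKCFGSTS CFGTYPE(*DEV) CFGD(CRP01)
```

If the vary on fails, resolve the device or resource problem first; DCM only offers the coprocessor storage option when the device is available, so starting the certificate wizard beforehand means repeating the wizard after the device is varied on.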
- Using the coprocessor master key to encrypt the certificate private key
For extra security to protect access to and use of a certificate's private key, you can use the master key of an IBM Cryptographic Coprocessor to encrypt the private key and store the key in a special key file. You can select this key storage option as part of creating or renewing a certificate in Digital Certificate Manager (DCM).
Parent topic: Managing DCM
Related concepts: IBM Cryptographic Coprocessors for System i
Related information: Cryptography overview