Creating and operating a local certificate authority on the MyCo system


This scenario assumes that MyCo has not used Digital Certificate Manager (DCM) previously to set up certificates for its system. Based on the objectives for this scenario, MyCo has chosen to create and operate a local certificate authority (CA) to issue a certificate to the File Transfer Protocol (FTP) server.

Instead of creating and operating a local CA, MyCo can also use DCM to configure the FTP server to use a certificate issued by a public Internet CA for SSL.

When using DCM to create a local CA, you are guided through a process that ensures you configure everything needed to enable Secure Sockets Layer (SSL).

MyCo uses the following steps to create and operate a local CA on its system, using the DCM:

  1. Start IBM® DCM. If you need to obtain or create certificates, or set up or change your certificate system, do so now.

  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.

  3. Complete all the forms that display. There is a form for each of the tasks required to create and operate a local CA on the system.

    1. Choose how to store the private key for the local CA certificate. This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the local CA certificate store.
    2. Provide identifying information for the local CA.
    3. Install the local CA certificate on your PC or in your browser. This enables software to recognize the local CA and validate certificates that the CA issues.
    4. Choose the policy data for your local CA.
    5. Use the new local CA to issue a server or client certificate that applications can use for SSL connections. If you have an IBM 4758-023 PCI Cryptographic Coprocessor installed in the system, you can select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this task.
    6. Select the applications that can use the server or client certificate for SSL connections.

      Be sure to select the application ID for the i5/OS® TCP/IP FTP server (QIBM_QTMF_FTP_SERVER).

    7. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This creates the *OBJECTSIGNING certificate store, which you use to manage object signing certificates.

      Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you need to perform separate tasks to complete your SSL certificate configuration.

    8. Select the applications that you want to trust the local CA.

      Be sure to select the application ID for the i5/OS TCP/IP FTP server (QIBM_QTMF_FTP_SERVER).

