Managing public Internet certificates for TLS communications sessions

Edit online

You can use Digital Certificate Manager (DCM) to manage public Internet certificates for your applications to use for establishing secure communications sessions with Transport Layer Security (TLS).

If you do not use DCM to operate your own local Certificate Authority (CA), you must first create the appropriate certificate store for managing the public certificates that you use for TLS. This is the *SYSTEM certificate store. When you create a certificate store, DCM takes you through the process of creating the certificate request information that you must provide to the public CA to obtain a certificate.

To use DCM to manage and use public Internet certificates so that your applications can establish TLS communications sessions, follow these steps:

Start DCM. Refer to Starting DCM.
In the navigation frame of DCM, select Create Certificate Store.
Select *SYSTEM as the certificate store, fill the Password and Confirm Password fields, and click Create.
From the Certificates pane, select Create to start the create certificate form.
Select Internet CA as the signer of the new certificate, complete the create certificate form, and click Create.

Note: If your system has an IBM® Cryptographic Coprocessor installed and varied on, DCM allows you to select how to store the private key for the certificate. If your system does not have a coprocessor, DCM automatically places the private key in the *SYSTEM certificate store. If you need help with selecting how to store the private key, see the online help in DCM.
Click Copy to have the CSR placed into your buffer. Paste the CSR data into the certificate application form, or into separate file, that the public CA requires for requesting a certificate. You must use all the CSR data, including both the Begin and End New Certificate Request lines. When you exit this page, the data is lost and you cannot recover it. Send the application form or file to the CA that you have chosen to issue and sign your certificate.

Note: You must wait for the CA to return the signed, completed certificate before you can finish this procedure.

To use certificates with the HTTP Server for your system, you must create and configure your Web server before working with DCM to work with the signed completed certificate. When you configure a Web server to use TLS, an application ID is generated for the server. You must make a note of this application ID so that you can use DCM to specify which certificate this application must use for TLS.
After the public CA returns your signed certificate, start DCM. Refer to Starting DCM.
In the navigation frame, click Open Certificate Store and select *SYSTEM as the certificate store to open.
When the Open Certificate Store page displays, provide the password that you specified for the certificate store when you created it and click Open.
The list of certificates only includes Server and Client certificates by default. Modify the filter or click on the x Server/Client Certificate button to remove the Server/Client Certificate filter.
If the root CA certificate that is associated with your signed certificate is not in the certificate store, select Populate With CAs to select and add the root and intermediate CA certificates that are associated with the signed certificate. Select Back when done populating with CA certificates.
The certificate to import must reside in the Integrated File System (IFS). From left navigation pane, select Upload Certificate.
Select the button to browse and select the file residing on your local machine.
Select Upload to copy the file to the Upload directory.
From left navigation pane, select *SYSTEM to manage certificates in the *SYSTEM certificate store.
Select Import to begin the process of importing the signed certificate into the *SYSTEM certificate store.
Select Server or Client for the certificate type.
Select Browse Uploads and choose the certificate that was uploaded for import and click Select.
Select Continue, fill the form if one is presented, and select Import to complete the import process.
After you finish importing the certificate, you can specify the applications that must use it for TLS communications. Expand the actions of the certificate tile by clicking + and select Assign.
Select the applications from the list and click Add. A message displays with either a confirmation for your assignment selection or an error message if a problem occurred.

Note: Some TLS-enabled applications support client authentication based on certificates. If you want an application with this support to more narrowly define the CA certificates that it trusts from the list of enabled CA certificates in the *SYSTEM certificate store, you must define a CA trust list for the application and select CAs from the *SYSTEM store to trust. This trust list ensures that the application can validate only those certificates from CAs that you specify as trusted. If a client application presents a certificate from a CA that is not specified as trusted in the CA trust list, the application does not accept it as a basis for valid authentication. If a CA trust list is not defined, all enabled CA certificates in the *SYSTEM certificate store are trusted.

When you finish the guided task, you have everything that you need to begin configuring your applications to use TLS for secure communications. Before users can access these applications through an TLS session, they must have a copy of the CA certificate for the CA that issued the server certificate. If your certificate is from a well-known Internet CA, your users' client software may already have a copy of the necessary CA certificate. If users need to obtain the CA certificate, they must access the Web site for the CA and follow the directions the site provides.