You can use Digital Certificate Manager (DCM) to manage public Internet certificates for
your applications to use for establishing secure communications sessions with Transport Layer
Security (TLS).
If you do not use DCM to operate your own local Certificate Authority (CA), you must first
create the appropriate certificate store for managing the public certificates that you use for TLS.
This is the *SYSTEM certificate store. When you create a certificate store, DCM takes you through
the process of creating the certificate request information that you must provide to the public CA
to obtain a certificate.
To use DCM to manage and use public Internet certificates so that your applications can establish
TLS communications sessions, follow these steps:
- Start DCM. Refer to Starting DCM.
- In the navigation frame of DCM, select Create Certificate Store.
- Select *SYSTEM as the certificate store, fill in the Password and Confirm Password fields, and click Create.
- From the Certificates pane, select Create to start the create
certificate form.
- Select Internet CA as the signer of the new certificate, complete
the create certificate form, and click Create.
Note: If your system has an IBM® Cryptographic Coprocessor installed and varied on, DCM allows you to select how to store
the private key for the certificate. If your system does not have a coprocessor, DCM automatically
places the private key in the *SYSTEM certificate store. If you need help with selecting how to
store the private key, see the online help in DCM.
- Click Copy to place the CSR on your clipboard. Paste the CSR data into the certificate application form, or into a separate file, that the public CA requires for requesting a certificate. You must use all the CSR data, including both the Begin and End New Certificate Request lines; a request with either line missing is incomplete and the CA cannot process it. When you exit this page, the data is lost and you cannot recover it. Send the application form or file to the CA that you have chosen to issue and sign your certificate. Only the CSR leaves your system; the private key remains in the *SYSTEM certificate store (or in the coprocessor) and is never sent to the CA.
Note: You must wait for the CA to return the signed, completed certificate before you can finish
this procedure.
To use certificates with the HTTP Server for your system, you must create and configure your Web server before using DCM to work with the signed certificate. When you configure a Web server to use TLS, an application ID is generated for the server. Make a note of this application ID, because you use it in DCM to specify which certificate this application must use for TLS.
- After the public CA returns your signed certificate, start DCM. Refer to Starting DCM.
- In the navigation frame, click Open Certificate Store and select *SYSTEM as the certificate store to open.
- When the Open Certificate Store page displays, provide the password that you specified for the certificate store when you created it and click Open.
- By default, the list of certificates includes only Server and Client certificates. Modify the filter, or click the x Server/Client Certificate button, to remove the Server/Client Certificate filter.
- If the root CA certificate that is associated with your signed certificate is not in the certificate store, select Populate With CAs and add the root and intermediate CA certificates that are associated with the signed certificate. Both are needed: the import is validated against the chain that is present in the store. Select Back when you have finished populating with CA certificates.
- The certificate to import must reside in the Integrated File System (IFS). From the left navigation pane, select Upload Certificate.
- Select the button to browse, and select the file residing on your local machine.
- Select Upload to copy the file to the Upload directory.
- From the left navigation pane, select *SYSTEM to manage certificates in the *SYSTEM certificate store.
- Select Import to begin importing the signed certificate into the *SYSTEM certificate store.
- Select Server or Client for the certificate type.
- Select Browse Uploads, choose the certificate that was uploaded for import, and click Select.
- Select Continue, fill in the form if one is presented, and select Import to complete the import process.
- After you finish importing the certificate, you can specify the applications that must use it for TLS communications. Expand the actions of the certificate tile by clicking + and select Assign.
- Select the applications from the list and click Add. A message displays with either a confirmation of your assignment selection or an error message if a problem occurred.
Note: Some TLS-enabled applications support client authentication based on certificates. If you want an application with this support to trust a narrower set of CAs than the full list of enabled CA certificates in the *SYSTEM certificate store, you must define a CA trust list for the application and select the CAs from the *SYSTEM store to trust. This trust list ensures that the application validates only certificates issued by the CAs that you specify as trusted. If a client presents a certificate from a CA that is not in the CA trust list, the application does not accept it as a basis for valid authentication. If no CA trust list is defined, all enabled CA certificates in the *SYSTEM certificate store are trusted, so a certificate from any of those CAs would authenticate a client.
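The steps above leave two things to the reader's judgement: whether the CSR text that was copied is complete, and whether the certificate that came back actually belongs to that CSR and chains to the root and intermediate CA certificates that Populate With CAs will add. The following script is an added example, not part of the DCM documentation or any IBM tool; it runs on a workstation with openssl and shows those checks. Because there is no public CA to call offline, it constructs a throwaway root CA, intermediate CA and server CSR locally and signs the CSR itself, standing in for the CSR DCM produced and the certificate and chain the public CA returns. The names (Example Test Root, www.example.com) and file layout are placeholders.

```shell
#!/bin/sh
# Added example, not from the DCM documentation or IBM: pre-import checks for a
# CA-signed certificate. The root, intermediate, server CSR and the signing step
# are constructed locally with openssl as stand-ins for the real CSR from DCM and
# the real certificate and chain from the public CA. Requires openssl 1.1.1+.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
CNF="$PKI/req.cnf"

# Minimal configuration so the run does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Check 1: is the CSR text complete before it is pasted into the CA's form?
# DCM labels the lines "BEGIN/END NEW CERTIFICATE REQUEST"; openssl writes
# "BEGIN/END CERTIFICATE REQUEST". Both lines must be present and the CSR's
# self-signature must verify, or the CA cannot process the request.
csr_is_complete() {
    grep -q -e '-----BEGIN CERTIFICATE REQUEST-----' \
            -e '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" || return 1
    grep -q -e '-----END CERTIFICATE REQUEST-----' \
            -e '-----END NEW CERTIFICATE REQUEST-----' "$1" || return 1
    openssl req -in "$1" -noout -verify -config "$CNF" >/dev/null 2>&1
}

# Check 2: was the returned certificate issued for the public key in the CSR?
# The private key never leaves *SYSTEM, so compare against the CSR, not a key
# file, and compare public keys rather than trusting the subject name.
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey -config "$CNF" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]
}

# Check 3: does the chain build from exactly the CA certificates you will add
# to the store? $1 = leaf, $2 = trusted root(s), $3 = optional intermediate
# bundle (what Populate With CAs adds). The default CA file and directory are
# not consulted, so the result reflects only the certificates passed in.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Constructed test PKI: root -> intermediate -> server certificate.
openssl genrsa -out "$PKI/root.key" 2048 2>/dev/null
openssl req -x509 -new -key "$PKI/root.key" -config "$CNF" -days 30 \
    -subj "/CN=Example Test Root" -out "$PKI/root.pem" 2>/dev/null
openssl genrsa -out "$PKI/inter.key" 2048 2>/dev/null
openssl req -new -key "$PKI/inter.key" -config "$CNF" \
    -subj "/CN=Example Test Intermediate" -out "$PKI/inter.csr" 2>/dev/null
openssl x509 -req -in "$PKI/inter.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions ca_ext \
    -out "$PKI/inter.pem" 2>/dev/null
# The server key and CSR stand in for the pair DCM created ...
openssl genrsa -out "$PKI/server.key" 2048 2>/dev/null
openssl req -new -key "$PKI/server.key" -config "$CNF" \
    -subj "/CN=www.example.com" -out "$PKI/server.csr" 2>/dev/null
# ... and the intermediate signs the CSR, as the public CA would.
openssl x509 -req -in "$PKI/server.csr" -CA "$PKI/inter.pem" -CAkey "$PKI/inter.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions srv_ext \
    -out "$PKI/server.pem" 2>/dev/null
# Negative cases: a CSR whose END line was not copied, and a CSR for a
# different key than the one the certificate was issued for.
sed '$d' "$PKI/server.csr" > "$PKI/truncated.csr"
openssl genrsa -out "$PKI/other.key" 2048 2>/dev/null
openssl req -new -key "$PKI/other.key" -config "$CNF" \
    -subj "/CN=www.example.com" -out "$PKI/other.csr" 2>/dev/null

csr_is_complete  "$PKI/server.csr"    && echo "PASS: CSR is complete"
csr_is_complete  "$PKI/truncated.csr" || echo "PASS: truncated CSR rejected"
cert_matches_csr "$PKI/server.pem" "$PKI/server.csr" && echo "PASS: certificate matches the CSR"
cert_matches_csr "$PKI/server.pem" "$PKI/other.csr"  || echo "PASS: certificate for another key detected"
chain_verifies "$PKI/server.pem" "$PKI/root.pem" "$PKI/inter.pem" && echo "PASS: chain verifies with the intermediate"
chain_verifies "$PKI/server.pem" "$PKI/root.pem" || echo "PASS: chain fails without the intermediate; add it with Populate With CAs"
```

For a real certificate, run the three functions against the CSR text you copied from DCM, the PEM file the CA returned, and the root and intermediate certificates the CA publishes. The last check is the one that most often bites in practice: a certificate from a public CA is usually issued by an intermediate, so verification with the root alone fails, which is exactly why the intermediate must also be added with Populate With CAs before the import.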
When you finish the guided task, you have everything that you need to begin configuring your applications to use TLS for secure communications. Before users can access these applications through a TLS session, their client software must have a copy of the CA certificate for the CA that issued the server certificate. If your certificate is from a well-known Internet CA, your users' client software probably already has the necessary CA certificate. If users need to obtain the CA certificate, they must access the Web site for the CA and follow the directions the site provides.