Using Internet certificates versus creating your own

Once you decide to use certificates, you should choose the type of certificate implementation that best suits your security needs. Your choices include:

Internet CAs

Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires proof of identity before it issues a certificate. This level of proof varies, though, depending on the CA. You should consider the identification policy of the CA before deciding to trust the certificates that it issues.

You must also consider the cost associated with using an Internet CA to issue certificates. This is particularly important if there are many users who expect your company to reimburse them for the fees. Still another disadvantage is the difficulty of setting up your systems to limit access to a subset of users with a certificate from a large CA.

The advantage of using an Internet CA to issue certificates is that you save time and resources by relying on an existing, well-known CA. Further, other companies tend to recognize and trust certificates that are created by an Internet CA more than those that you create privately.

Using private (local) certificates

If you create your own CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control who has certificates, and therefore who has access to your resources, more stringently. A potential disadvantage of maintaining your own CA is the amount of time and resources that you must invest. However, Digital Certificate Manager makes this process easier for you.

Note: No matter which CA is used, the system administrator controls which issuing CAs are trusted on the system. If a copy of a certificate for a well-known CA can be found in your browser, your browser can be set to trust server certificates that were issued by that CA. However, if that CA certificate is not in your *SYSTEM certificate store, your server will not trust user certificates that were issued by that CA. To trust user certificates that are issued by a CA, you need to get a copy of the CA certificate from the CA. It must be in the correct file format, and you must receive that certificate into your certificate store.
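The rule in the note, shown as an added example that is not part of this page or of Digital Certificate Manager: a throwaway local CA issues a user certificate, and a server-side check accepts that certificate only once the CA certificate has been received into the store it verifies against. The CA and user names are constructed, and the check uses Go's crypto/x509 rather than any DCM interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a self-signed root CA (stand-in for a DCM local CA) when parent is nil, else a user certificate signed by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: signs itself and may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end-entity certificate usable for client (user) authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether a server whose store holds exactly storeCAs accepts user for client auth (an empty store is not the OS roots).
func Trusted(storeCAs []*x509.Certificate, user *x509.Certificate) bool {
	store := x509.NewCertPool()
	for _, ca := range storeCAs {
		store.AddCert(ca)
	}
	_, err := user.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	ca, caKey := issue("MYCO local CA", nil, nil) // constructed names, not a real CA
	user, _ := issue("alice", ca, caKey)
	fmt.Println(Trusted(nil, user), Trusted([]*x509.Certificate{ca}, user)) // false true
}
```

The same user certificate is rejected with an empty store and accepted once its issuing CA is in the store, which is exactly why the CA certificate must be received into the *SYSTEM store before user certificates from that CA can be trusted.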

You may find it helpful to review some examples before you decide how you want to use certificates.

Based on how you decide to use certificates, you can use Digital Certificate Manager to put your plan into action:

Acting as your own CA describes the tasks you must perform should you choose to issue your own certificates.

Using an Internet CA to issue certificates describes the tasks you must perform to use certificates from a well-known CA.

Creating and exporting a CA to another system describes the tasks you must perform if you want to use a DCM local CA on more than one system.
