Using an Internet CA to issue certificates

After careful review of your security needs and policies, you have decided that you want to use certificates from a public Internet Certificate Authority such as VeriSign. For example, you operate a publicly available web site and want to use SSL to ensure the privacy of certain information transactions. You can now use Digital Certificate Manager to centrally manage these certificates and to configure your system to use them.

Note: If you intend to use certificates with the HTTP Web Server for AS/400, you should create and configure your web server instance. This should be done prior to starting DCM. When you configure a web server instance to use SSL, an application ID is generated for the server instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the server instance until you use DCM to assign a certificate to the server instance.
Note: If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate.

To use DCM to manage and use public Internet certificates, complete these tasks:

  1. Start a DCM session.
  2. In the left-hand navigation frame of DCM, select System certificates to display a list of available tasks. A window opens requesting your password; click Cancel. When you have created your certificate store, you will also assign a password for future use.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
  3. Select Create a new certificate store from the task list. This displays a page which allows you to designate the type of Certificate Authority that you want to use. (You create a system certificate as part of creating the new certificate store.)
  4. Choose the option for using a well-known CA to issue the certificate and select OK. A form for creating a system certificate displays.
  5. Complete the form.
    Note: To be able to use DCM to work with your certificates, you must designate *SYSTEM for the certificate store in the Certificate store path and file name field.
    In the Certificate store path and file name field, the default is *SYSTEM.
  6. Click OK. DCM displays a page which contains a text string. This text string is an encrypted copy of the public key for your system certificate. (DCM stores the private key in the new certificate store.) You use this text string in the certificate application form required by most Internet CAs.
  7. Copy the entire text string into your certificate application, including the start of file and end of file text.
    Note: Be careful when you do the copy and paste. This is the only copy of the certificate request data. If you exit this page of your browser, you lose the certificate request data. You must perform the Create a system certificate task again to create a new certificate request. If you wish to save a copy of the request data, copy and paste the data into a file.
  8. Send the application to the CA that you selected.
    Note: You must wait for the CA to return the verified completed certificate before you can finish this procedure.
  9. After the CA returns your verified certificate, restart DCM.
  10. Select Receive the certificate from the System Certificates list in the left-hand navigation frame. This displays a form that allows you to load the completed certificate into the *SYSTEM certificate store.
  11. Complete the form.
  12. Select Work with secure applications from the System Certificates list. This displays a page that allows you to manage the certificates associated with specific applications. From this page you should perform these tasks:
    1. Select the applications that should use the new certificate for SSL communications.
    2. Ensure that these applications trust the CA that issued the certificate.
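
A check for the copy saved in step 7, as an added example that is not part of the original page: it confirms that the saved request text still has both marker lines and that its body decodes to a structure of the length it declares. It assumes the request is PEM-style armored PKCS #10 text with the labels shown; the sample is constructed filler, not a real request.

```python
import base64
import binascii
import re

# Assumed armor labels; the page only says "start of file and end of file text".
LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")

def der_total_length(der):
    """Total encoded size declared by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_request_text(text):
    """Return the problems found in pasted request text (empty list = intact)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return ["no request text"]
    problems = []
    begin = re.fullmatch(r"-----BEGIN (.+)-----", lines[0])
    end = re.fullmatch(r"-----END (.+)-----", lines[-1])
    if not begin or begin.group(1) not in LABELS:
        problems.append("missing or altered start-of-file line")
    if not end or end.group(1) not in LABELS:
        problems.append("missing or altered end-of-file line")
    body = "".join(lines[(1 if begin else 0):(-1 if end else None)])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not clean base64 (characters lost or added)"]
    declared = der_total_length(der)
    if declared is None:
        problems.append("body does not start with a DER SEQUENCE")
    elif declared != len(der):
        problems.append(f"DER declares {declared} bytes, got {len(der)} (truncated copy?)")
    return problems

def make_sample(payload_len=300):
    """Constructed stand-in: a DER SEQUENCE of filler bytes, not a real request."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *rows,
                      "-----END NEW CERTIFICATE REQUEST-----"])
```

The check covers copy-and-paste damage only; it does not verify the request's signature or contents.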

With these tasks complete, you have successfully managed the certificates for your applications. However, before you can begin using SSL for these applications, you must secure the applications by configuring each of them to use SSL.

Before a user can access the selected applications through an SSL connection, the user must obtain a copy of the CA certificate. The CA certificate must be copied to a file on the user's PC or downloaded into the user's browser, depending on the requirements of the SSL-enabled application.

Users must access the public website for the Internet CA and follow the directions provided for obtaining a copy of the CA certificate.

