Using a server certificate from an unknown CA

An unknown CA is a CA that is not already defined in the key database or in CustomizedCAs.class. To obtain and use a certificate issued by an unknown CA:

  1. Create a certificate request.
  2. Submit the request to a CA.
  3. When you have received the server and root certificates from the CA, store them in the key database. The root certificate may be sent to you with the server certificate but you can often get it from the CA's Web site.
  4. Make the certificate available to clients.

After creating and submitting a certificate request to a CA, you can create a self-signed certificate to use while you wait to receive the CA's certificate.

Creating a certificate request

To create the certificate request:

  1. On Windows, use a trusted open source Certificate Management tool.
  2. On an AIX server, enter CertificateManagement from a command prompt. The default location of the AIX script is /opt/HCL/ZIEForWeb/bin. Refer to Running Certificate Management on AIX for additional information.
  3. Follow the instructions in the Help to create the certificate request.
  4. Exit Certificate Management.

When a certificate expires, follow the renewal procedures specified by the CA for that certificate.

Sending the certificate request to the CA

Start a browser and type the URL of the CA from whom you want to obtain the certificate, then follow the instructions to request the certificate.

Depending on the CA you choose, you can either e-mail the certificate request or incorporate it into the form or file provided by the CA. At the same time, ask for the CA's root certificate, though you can often get this directly from the Web site.

While you are waiting for the CA to process your certificate request, you can create a self-signed root certificate to use temporarily.

Storing the certificates in the key database

When you receive the certificates, make sure that they are in armored-64 or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".

Use Certificate Management to store certificates in the key database. You must store the root certificate before you store the server certificate because the root certificate is used to validate the server certificate.
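The following Python script is an added example, not part of this documentation and not code from the Certificate Management tool. It performs the pre-import checks the two paragraphs above call for before anything is stored in the key database: it tells armored-64 (PEM) input from binary DER, rejects PKCS7 data and multi-certificate chains (which Certificate Management cannot accept), splits a bundle into simple certificates, and orders them so that the self-signed root comes first and is stored before the server certificate it validates. It uses only the standard library; the `make_fake_cert` helper builds constructed, unsigned stand-ins with the real X.509 field layout purely so the script runs offline. On real input, call `classify` and `split_pem_bundle` on the files received from the CA.

```python
"""Pre-import checks for certificates received from a CA.
Added example (not the product's own code). Standard library only."""
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
PKCS7_OID = b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"   # 1.2.840.113549.1.7.2 signedData
SHA256_RSA_OID = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"      # 1.2.840.113549.1.1.11


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, raw, next_pos)."""
    tag, length, pos2 = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos2:pos2 + n], "big")
        pos2 += n
    end = pos2 + length
    if end > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, buf[pos2:end], buf[pos:end], end


def _children(value: bytes):
    """Split a constructed DER value into its (tag, value, raw) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, raw, pos = _read_tlv(value, pos)
        out.append((tag, v, raw))
    return out


def der_names(cert_der: bytes):
    """Return the raw DER issuer and subject Names of exactly one certificate."""
    tag, outer, _, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER certificate")
    fields = _children(_children(outer)[0][1])      # tbsCertificate members
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # serialNumber(0), signature(1), issuer(2), validity(3), subject(4)
    return fields[2][2], fields[4][2]


def split_pem_bundle(data: bytes) -> list:
    """Return the DER bytes of every CERTIFICATE block in an armored-64 file."""
    return [base64.b64decode(b"".join(b.split())) for b in PEM_CERT_RE.findall(data)]


def classify(data: bytes) -> dict:
    """Describe received data: encoding, certificate count, PKCS7 presence, and
    whether it is a simple certificate Certificate Management can store."""
    r = {"encoding": "unknown", "certificates": 0, "pkcs7": False, "simple": False}
    if b"-----BEGIN" in data:                        # armored-64 (PEM)
        r["encoding"] = "pem"
        r["pkcs7"] = b"-----BEGIN PKCS7-----" in data
        certs = split_pem_bundle(data)
        for c in certs:
            der_names(c)                             # raises if a block is not a certificate
        r["certificates"] = len(certs)
    elif data[:1] == b"\x30":                        # binary DER begins with SEQUENCE
        r["encoding"] = "der"
        if PKCS7_OID in data[:32]:
            r["pkcs7"] = True
        else:
            der_names(data)
            r["certificates"] = 1
    r["simple"] = r["certificates"] == 1 and not r["pkcs7"]
    return r


def order_root_first(certs_der: list) -> list:
    """Self-signed (issuer == subject) certificates first: store the root
    before the server certificate that it validates."""
    return sorted(certs_der, key=lambda c: 0 if der_names(c)[0] == der_names(c)[1] else 1)


# ---- constructed test data (unsigned stand-ins, NOT valid certificates) ----
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), PrintableString }"""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed X.509 layout with an empty key and dummy signature."""
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00\x00\x00\x00"))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

A chain file from the CA will classify as `certificates: 2, simple: False`; split it with `split_pem_bundle`, pass the list through `order_root_first`, and import the resulting simple certificates one at a time, root first.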

  1. On Windows, use any open source Certificate Management tool.
  2. On an AIX server, enter CertificateManagement from a command prompt. The default location of the AIX script is /opt/HCL/ZIEForWeb/bin. Refer to Running Certificate Management on AIX for additional information.
  3. Follow the steps in the Help to store the certificate.
  4. Exit Certificate Management.