Overview

Universal Certificate performs the following operations, as specified by command line configuration options:

  • Create RSA/ECDSA certificates, certificate requests, private keys, certificate revocation lists (CRLs), and PKCS#12-encoded transport files.
  • Print certificates, certificate requests, CRLs, and PKCS#12-encoded transport files.
  • Verify certificates

The following sections describe each of these operations.

Certificate

A certificate is an electronic object used for identification. It binds a public key to the identity of a person or computer system and names the party that issued it. Certificates are issued by Certificate Authorities (CAs); a certificate can only be trusted if the CA that issued it is trusted.

A certificate is created from the following input:

  • Certificate request: Identifies the person / computer system for which the certificate is to be issued.
  • CA certificate: Identifies the Certificate Authority (CA) that is issuing the certificate.
  • CA private key: Digitally signs the certificate.

Certificate Requests

A certificate request is a request for a CA to issue a certificate. A certificate request contains all of the information required to identify a user / computer system.

The certificate request is saved in a file that is sent to a CA. The CA is responsible for verifying the information in the request and creating the final certificate based on that information.

When a certificate request is created, its corresponding private key is created at the same time. The private key is written to a file and must remain private: file system permissions must restrict access to the key file, and the key can additionally be protected with a password.

Certificate requests are encoded in Public-Key Cryptography Standards (PKCS) #10 syntax; private keys are encoded in PKCS #8 syntax.

Certificate Revocation List

A Certificate Revocation List (CRL) is created by the Certificate Authority (CA). The list contains every certificate issued by the CA that the CA has subsequently revoked (for example, because its private key was compromised). The CRL is signed by the issuing CA, so a relying party can check that it is genuine.

A CRL is used as part of the certificate verification process to confirm that a certificate is still valid, that is, has not been revoked.

Transport Files

A transport file is a PKCS #12-encoded file generated by Universal Certificate in order to securely transfer a user's certificate and private key across systems.

Many applications that manage digital certificates - including RACF on z/OS and the Certificate Management add-in for the Microsoft Management Console application on Windows - can import a user's certificate using a transport file.

Universal Certificate also can extract certificate and private key information from PKCS #12-encoded transport files created by other applications. Command line options allow this extracted information to be stored in local files. If a CA's certificate - or the CA certificate chain - was added to the transport file, Universal Certificate can extract it as well.

Printing

Certificates, certificate requests, and transport files are saved in encoded files that are not readable by people. They can, however, be printed in text format.

Verification

Certificate verification is the process of checking that a certificate is valid. It consists of:

  1. Verifying that the certificate was issued by a trusted CA, that is, its signature checks against a CA certificate that is trusted.
  2. Verifying that the certificate has not been revoked by the CA, that is, it does not appear on the CA's CRL.

File Formats

Certificates, certificate requests, and private keys are stored in files.

The following file formats are supported:

  • Privacy Enhanced Mail (PEM)
    PEM is the format described in RFCs 1421-1424. PEM is a base64 encoding with header and trailer lines added to identify the contents. PEM is a text format suitable for email and text file transfers.
  • Distinguished Encoding Rules (DER)
    DER is a set of encoding rules for the Abstract Syntax Notation One (ASN.1) specification. DER is a binary file format; when transferred across a network, it must be transferred in binary or image mode, since any text conversion corrupts it.

All certificates and keys are encoded in an ASN.1 format. The PEM format is a text representation of the DER format.

Note: Universal Certificate supports only the DER format for PKCS #12-encoded transport files.
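The following is an added example and not Universal Certificate's own command set or output. It carries the life cycle described above (certificate request and private key, CA issuance, revocation, CRL, the two verification steps, the PKCS #12 transport file, and PEM/DER conversion and printing) end to end with the openssl command line, so the files Universal Certificate produces can be compared against a familiar tool. It assumes openssl 1.1 or later is on the PATH; the CA configuration, the subjects "Demo CA" and "host.example", the password "changeit" and all file names are chosen for the demonstration. The openssl index.txt file plays the role that the Universal Certificate Database section below describes: one database per CA, recording every issued and revoked certificate.

```shell
#!/bin/sh
# Added example, not Universal Certificate code: the request -> issue ->
# revoke -> CRL -> verify -> transport-file life cycle described on this
# page, carried out with the openssl CLI (assumes openssl 1.1 or later on
# PATH). CA configuration, subjects and the password are constructed here.
# Usage: . ./pki_demo.sh && pki_lifecycle_demo   (file name is arbitrary)

# Runs the whole sequence in the current directory; every step returns 1
# on failure so the caller can see where the chain breaks.
pki_steps() {
    # CA database: openssl's index.txt plays the role of ucert.db. One
    # database per CA; it records every issued and revoked certificate.
    mkdir newcerts || return 1
    : > index.txt; echo 1000 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo
[ demo ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_cn
[ any_cn ]
commonName       = supplied
EOF

    # CA: private key plus self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || return 1

    # Certificate request (PKCS #10) and its private key (PKCS #8). The key
    # is written unencrypted, so restrict it with file permissions ...
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=host.example" -keyout host.key -out host.csr 2>/dev/null || return 1
    chmod 600 ca.key host.key || return 1
    # ... and/or wrap it in a password-protected PKCS #8 file.
    openssl pkcs8 -topk8 -in host.key -passout pass:changeit -out host.enc.key || return 1
    grep -q "BEGIN ENCRYPTED PRIVATE KEY" host.enc.key || return 1

    # Issuance: the CA checks the request, signs it, records it in the database.
    openssl ca -batch -config ca.cnf -in host.csr -out host.pem 2>/dev/null || return 1

    # Verification step 1: the certificate chains to a trusted CA.
    openssl verify -CAfile ca.pem host.pem >/dev/null || return 1

    # Revocation and a CA-signed CRL; the entry for serial 1000 must appear.
    openssl ca -batch -config ca.cnf -revoke host.pem 2>/dev/null || return 1
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl 2>/dev/null || return 1
    openssl crl -in ca.crl -noout -text | grep -q "Serial Number: 1000" || return 1

    # Verification step 2: with the CRL supplied, the same certificate must
    # now be rejected. A PEM trust bundle may carry CA certificates and CRLs.
    cat ca.pem ca.crl > trust.pem
    if openssl verify -crl_check -CAfile trust.pem host.pem >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2; return 1
    fi

    # Transport file: PKCS #12 (always DER) bundling key, cert and CA chain.
    openssl pkcs12 -export -inkey host.key -in host.pem -certfile ca.pem \
        -passout pass:changeit -out host.p12 || return 1
    n=$(openssl pkcs12 -in host.p12 -passin pass:changeit -nokeys 2>/dev/null |
        grep -c "BEGIN CERTIFICATE")
    [ "$n" -eq 2 ] || return 1

    # File formats: PEM is base64 of the DER bytes between header/trailer
    # lines, so a PEM -> DER -> PEM round trip is byte-identical ...
    openssl x509 -in host.pem -outform DER -out host.der || return 1
    openssl x509 -in host.der -inform DER -out host2.pem || return 1
    openssl x509 -in host2.pem -outform DER | cmp -s - host.der || return 1
    # ... and "printing" dumps the ASN.1 structure as text.
    openssl asn1parse -inform DER -in host.der >/dev/null || return 1
}

# Wrapper: run in a throwaway directory, clean up, propagate the status.
pki_lifecycle_demo() {
    dir=$(mktemp -d) || return 1
    (cd "$dir" && pki_steps)
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Every step is chained with `|| return 1` rather than relying on `set -e`, because errexit is silently disabled inside a function that is called in an `if` or `||` context; the wrapper therefore reports the first failing step reliably. The CRL check deliberately goes through the same `openssl verify` call as the first check, with only the CRL added to the trust bundle, to show that revocation is a second, separate condition on top of chain validation.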

...

z/OS: PEM- and DER-formatted files can be written either to a member of a partitioned data set or to a sequential data set. The record format must be variable (V) or variable blocked (VB). The record length must be at least 80.

Universal Certificate Database

Universal Certificate uses a database to maintain issued and revoked certificates. The database is required for certificate creation, certificate revocation, and CRL creation.

There is a one-to-one correspondence between a CA and a certificate database. That is, a unique database must be used for each CA, and each CA should use only one database.

The database is a very important element in maintaining a CA and consequently must be properly managed: it must be secured from unauthorized updates (an attacker who can edit it can hide a revocation or an issuance) and routinely backed up. The database is a regular text file.


UNIX

The database file name is specified with the CERT_DB option. If CERT_DB is not used, the database is created in the current working directory with the name ucert.db.

Windows

The database file name is specified with the CERT_DB option. If CERT_DB is not used, the database is created in the current working directory with the name ucert.db.

z/OS

The database is allocated to ddname UNVDB. The database allocation attributes are DSORG=PS, RECFM={FB | F}, and LRECL=1120. The block size must be a multiple of LRECL if RECFM is FB.

...