Universal Certificate Usage
Overview
Universal Certificate performs the following operations, as specified by command line configuration options:
- Create RSA/ECDSA certificates, certificate requests, private keys, certificate revocation lists (CRLs), and PKCS#12-encoded transport files.
- Print certificates, certificate requests, CRLs, and PKCS#12-encoded transport files.
- Verify certificates
The following sections describe each of these operations.
Certificate
A certificate is an electronic object used for identification purposes. A certificate identifies a person or computer system, as well as the party that issued the certificate. Certificates are issued by Certificate Authorities (CAs). A certificate can only be trusted if the CA that issued it is trusted.
A certificate is created using the following input:
- Certificate request: Identifies the person / computer system for which the certificate is to be issued.
- CA certificate: Identifies the Certificate Authority (CA) that is issuing the certificate.
- CA private key: Signs (digitally) the certificate.
Certificate Requests
A certificate request is a request for a CA to issue a certificate. A certificate request contains all of the information required to identify a user / computer system.
The certificate request is saved in a file that is sent to a CA. The CA is responsible for verifying the information in the request and creating the final certificate based on that information.
When a certificate request is created, its corresponding private key is also created. The private key is written to a file and must remain private. File system security must be used to prevent unauthorized access to the private key file. Additionally, the private key can be protected with a password.
Certificate requests are encoded in Public-Key Cryptography Standards (PKCS) #10 syntax. Private keys are encoded in PKCS #8 syntax.
Certificate Revocation List
A Certificate Revocation List (CRL) is created by the Certificate Authority (CA). The list includes all certificates issued by the CA that have subsequently been revoked by the CA for some reason. The CRL is signed by the issuing CA.
A CRL is used as part of the certificate verification process to ensure that a certificate is still valid.
Transport Files
A transport file is a PKCS #12-encoded file generated by Universal Certificate in order to securely transfer a user's certificate and private key across systems.
Many applications that manage digital certificates - including RACF on z/OS and the Certificate Management add-in for the Microsoft Management Console application on Windows - can import a user's certificate using a transport file.
Universal Certificate can also extract certificate and private key information from PKCS #12-encoded transport files created by other applications. Command line options allow this extracted information to be stored in local files. If a CA's certificate - or the CA certificate chain - was added to the transport file, Universal Certificate can extract it as well.
Printing
Certificates, certificate requests, and transport files are saved in encoded files that are not easily readable (by people). However, they can be printed in text format.
Verification
Certificate verification is the process of verifying that a certificate is valid.
The verification process consists of:
- Verifying that the certificate is issued by a trusted CA.
- Verifying that the certificate is not revoked by the CA.
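The creation and verification steps described above (request + CA certificate + CA private key produce a certificate; the CA publishes a signed CRL; a verifier checks the issuing CA and then the CRL), carried through as an added example. This is illustrative code written here, not Universal Certificate's own implementation; it assumes the Python `cryptography` package is installed, and every name (`make_ca`, `make_request`, `issue`, `make_crl`, `verify`, the transport-file helpers, the "Example Root CA" subject) is hypothetical.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12

UTC = datetime.timezone.utc
MINUTE, DAY = datetime.timedelta(minutes=1), datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(UTC)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name="Example Root CA"):
    """Hypothetical CA: a self-signed certificate and the private key that signs issued certificates and CRLs."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - MINUTE).not_valid_after(_now() + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_request(common_name):
    """Requester side: PKCS#10 request plus its private key (the key stays with the requester)."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(common_name)).sign(key, hashes.SHA256())
    return key, csr


def issue(ca_key, ca_cert, csr, days=90):
    """CA side: reject a request whose self-signature is broken, then sign a certificate for it."""
    if not csr.is_signature_valid:
        raise ValueError("request signature does not match the requested public key")
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - MINUTE).not_valid_after(_now() + days * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL listing the revoked serial numbers, signed by the issuing CA."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now() - MINUTE).next_update(_now() + 7 * DAY))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now()).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # not_valid_before_utc / not_valid_after_utc exist in cryptography >= 42;
    # older releases expose naive datetimes that are in UTC.
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def verify(cert, trusted_ca, crl):
    """Return (ok, reason): issued by the trusted CA, inside its validity window, not on the CA's CRL."""
    ca_pub = trusted_ca.public_key()
    if cert.issuer != trusted_ca.subject:
        return False, "issuer name is not the trusted CA"
    try:
        # The signature covers the DER of tbsCertificate; only the CA's private key can have produced it.
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except (InvalidSignature, ValueError):
        return False, "signature was not made by the trusted CA"
    not_before, not_after = _validity(cert)
    if not (not_before <= _now() <= not_after):
        return False, "outside validity period"
    # A CRL is only meaningful if the same CA signed it; then look the serial number up.
    if crl.issuer != trusted_ca.subject or not crl.is_signature_valid(ca_pub):
        return False, "CRL not signed by the trusted CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate is revoked"
    return True, "ok"


def to_transport_file(key, cert, ca_cert, password):
    """PKCS#12 transport file (DER-encoded) carrying the key, the certificate and the CA chain."""
    return pkcs12.serialize_key_and_certificates(
        b"user", key, cert, [ca_cert], serialization.BestAvailableEncryption(password))


def from_transport_file(data, password):
    """Extract (private key, certificate, CA chain) from a PKCS#12 transport file."""
    return pkcs12.load_key_and_certificates(data, password)


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    user_key, csr = make_request("alice")
    cert = issue(ca_key, ca_cert, csr)
    print(verify(cert, ca_cert, make_crl(ca_key, ca_cert, [])))
    print(verify(cert, ca_cert, make_crl(ca_key, ca_cert, [cert.serial_number])))
```

The order of checks in `verify` mirrors the two bullets: the issuer check (name plus signature over `tbs_certificate_bytes`) comes first, and the CRL is consulted only after its own signature has been tied to the same CA, since a CRL an attacker could forge would otherwise let a revoked certificate pass. The `_validity` helper exists only because the datetime accessors changed name across `cryptography` releases.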
File Formats
Certificates, certificate requests, and private keys are stored in files.
The following file formats are supported:
- Privacy Enhanced Mail (PEM)
PEM is the format described in RFCs 1421-1424. PEM is a base64 encoding with header and trailer lines added to identify the contents. PEM is a text format suitable for email and text file transfers.
- Distinguished Encoding Rules (DER)
DER is an encoding rule based on the Abstract Syntax Notation 1 (ASN.1) specification. DER is a binary file format. When transferred across a network, it must be transferred in a binary or image mode.
All certificates and keys are encoded in an ASN.1 format. The PEM format is a text representation of the DER format.
Note
Universal Certificate supports only the DER format for PKCS #12-encoded transport files.
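The relationship between the two file formats stated above (PEM is base64 of the DER bytes between header and trailer lines; DER is binary ASN.1 that must not go through text-mode transfers), shown as an added example using only the Python standard library. This is not Universal Certificate's code; the sample DER value is constructed by hand for the example, and the function names are assumptions.

```python
import base64

# Constructed sample DER: SEQUENCE { INTEGER 5, UTF8String "example" }.
# A real certificate is the same kind of object: SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
SAMPLE_DER = bytes.fromhex("300c0201050c076578616d706c65")

# Constructed sample whose content happens to contain a newline byte (INTEGER 10 = 0x0a).
SAMPLE_DER_WITH_LF = bytes.fromhex("300302010a")


def der_to_pem(der, label):
    """PEM is the base64 of the DER, wrapped at 64 columns, between BEGIN/END lines naming the content."""
    body = base64.b64encode(der).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *chunks, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem):
    """Inverse of der_to_pem; insists that header and trailer carry the same label."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        raise ValueError("missing PEM header")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("PEM trailer does not match header")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_walk(data, depth=0):
    """Walk DER tag-length-value triples; returns (depth, tag, length) for each element, recursing into
    constructed types (bit 0x20 of the tag). Handles short- and long-form lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 1 >= len(data):
            raise ValueError("truncated DER: tag without length")
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            if n == 0 or pos + n > len(data):
                raise ValueError("truncated or indefinite DER length")
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER: value shorter than declared length")
        pos += length
        out.append((depth, tag, length))
        if tag & 0x20:
            out.extend(der_walk(value, depth + 1))
    return out


def der_is_wellformed(data):
    """True if the bytes parse as a complete DER structure, False otherwise."""
    try:
        der_walk(data)
        return True
    except ValueError:
        return False


def simulate_text_mode_transfer(der):
    """What an ASCII/text-mode transfer does to binary data: every LF becomes CR LF."""
    return der.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER, "CERTIFICATE"))
    print(der_walk(SAMPLE_DER))
    print(der_is_wellformed(SAMPLE_DER_WITH_LF), der_is_wellformed(simulate_text_mode_transfer(SAMPLE_DER_WITH_LF)))
```

`simulate_text_mode_transfer` makes the "binary or image mode" requirement concrete: the single inserted carriage return shifts every length field that follows, so the walker reports a truncated structure instead of the original value. The same DER travels unharmed inside PEM because base64 output never contains raw control bytes.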
z/OS
PEM- and DER-formatted files can be written either to a member of a partitioned data set or a sequential data set. The record format must be variable or variable blocked. The record length must be at least 80.
Universal Certificate Database
Universal Certificate uses a database to maintain issued and revoked certificates. The database is required for certificate creation, certificate revocation, and CRL creation.
There is a one-to-one correspondence between a CA and a certificate database. That is, a unique database must be used for each CA, and each CA should use only one database.
The database is a very important element in maintaining a CA. Consequently, it must be properly managed. The database must be secured from unauthorized updates and routinely backed up. The database is a regular text file.
| Platform | Database location |
|---|---|
| UNIX | The database file name is specified with the CERT_DB option. If CERT_DB is not used, the database is created in the current working directory with name ucert.db. |
| Windows | The database file name is specified with the CERT_DB option. If CERT_DB is not used, the database is created in the current working directory with name ucert.db. |
| z/OS | The database is allocated to ddname UNVDB. The database allocation attributes are DSORG=PS, RECFM={FB | F}, and LRECL=1120. The block size must be a multiple of LRECL if RECFM is FB. |