You obtain a digital certificate by sending information to a CA. The X.509 standard defines a format for this information, but some CAs have their own format. Certificate requests are usually generated by the certificate management tool your system uses, for example the iKeyman tool on UNIX(R) systems and RACF(R) on z/OS(R). The information comprises your Distinguished Name and is accompanied by your public key. When your certificate management tool generates your certificate request, it also generates your private key, which you must keep secure. Never distribute your private key.
When the CA receives your request, the authority verifies your identity before building the certificate and returning it to you as a personal certificate.
You obtain your personal certificate from a Certification Authority (CA).
When you obtain a certificate from a trusted external CA, you pay for the service. When you are testing your system, or you need only to protect internal messages, you can create self-signed certificates. These are created and signed by the certificate management tool your system uses. Self-signed certificates cannot be used to authenticate certificates from outside your organization.
Figure 5 illustrates the process of obtaining a digital certificate from a CA.
When you receive the certificate for another entity, you might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path, is a list of certificates used to authenticate an entity. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified until the root CA certificate is reached. Figure 6 illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.
Digital certificates are issued for a fixed period and are not valid after their expiry date. Certificates can also become untrustworthy for various reasons, including:
A Certification Authority can revoke a certificate that is no longer trusted by publishing it in a Certificate Revocation List (CRL). For more information, refer to Working with Certificate Revocation Lists and Authority Revocation Lists.
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
dcwork |