Appendix C: Adding a Client Certificate to an External Key Manager
A Client Certificate is required when using KMIP. Use the following instructions (for External Key Manager you are using) to create and add a Client Certificate.
IBM Security Key Lifecycle Manager (SKLM)
- Create a Client Certificate in the Digital Certificate Manager (DCM) and Export the Certificate Authority. See Appendix D: Creating a Certificate using the Digital Certificate Manager (DCM) for details.
NOTE:
You may need to convert the certificate file and its contents to ASCII:
dd conv=ascii if=PWR742_CA.crt of=PWR742_CA_ascii.crt
You may need to convert the certificate file and its contents to ASCII:
dd conv=ascii if=PWR742_CA.crt of=PWR742_CA_ascii.crt
- Send the Certificate Authority to the person in charge of the SKLM server so they can import the certificate and associate it with your user id.
- In the Digital Certificate Manager, create an Application that points to the Certificate.
- Enter the Application ID in the External Key Manager entry.
Safenet
- Create and export a Certificate request in the Digital Certificate Manager (DCM). The user ID that is created for you on the Safenet server must be in the Common name of the certificate. See Appendix D for details.
- Send the certificate request to the Safenet server.
- Have the person responsible for the Safenet server sign the certificate with a CA certificate on the Safenet machine , export the signed request from the server, and send it to you.
- Import the newly signed certificate. Server or Client.
- In the Digital Certificate Manager, create an application that points to the Certificate.
- Enter the Application ID in the External Key Manager entry.
Also, export the CA certificate that was used to sign the certificate. The CA certificate needs to be installed on the Digital Certificate Manager (DCM) first, before the Certificate Response.