PKI Services for z/OS

Overview: Frequently Asked Questions [FAQs]

When should I consider using Elliptic Curve Cryptography (ECC) keys and RSA keys for certificates?

RSA is a long-established standard in asymmetric cryptography. Certificates using RSA keys are accepted by virtually all service providers and web browsers.

ECC is a newer standard and provides the equivalent security of large RSA keys with smaller key sizes. Larger ECC keys give a level of security that cannot be matched by the largest RSA keys. ECC is widely endorsed, but some service providers and web browsers have yet to provide support for this standard.

How do I choose between the hash algorithms that PKI Services supports for signing?

The choice of hash algorithm depends largely upon the size of the public key used in the CA certificate. The following chart offers some general guidance for picking an appropriate hash algorithm.

Size of ECC Key Size of RSA Key Suggested Hash Algorithm
  < 2048 bit SHA-1
160, 192, 224, 256, and 320 bit >= 2048 bit SHA-256
384 bit   SHA-384
512 and 521 bit   SHA-512

 

Why does PKI Services require me to start two instances of the HTTP server?

The two instances are required because two modes of SSL are required. (SSL without client authentication for requesting new certificates and SSL with client authentication for renewing or revoking existing certificates.) Unfortunately, you cannot have these two modes of SSL using only one instance of the HTTP server.

I've already purchased a certificate from a commercial certificate authority and have my z/OS HTTP server configured for SSL. Can I continue to use this webserver setup for PKI Services?

Absolutely. The setup exec (IKYSETUP) gives you an option for this.

I already have a CA certificate in RACF that I'm using to sign certificates. Can I continue to use that for PKI Services?

In most cases, yes. The setup exec (IKYSETUP) gives you an option for this. You just have to make sure that the subject's distinguished name you picked for your CA has a suffix that matches the LDAP suffix you are using.

Why does PKI Services require an LDAP directory? What is it used for?

PKI Services publishes information to an LDAP directory so that it may be retrieved by other distributed applications. This information includes the certificates issued by PKI Services, the PKI Services CA certificate, and certificate revocation information.

All I intend to use PKI Services for is to issue server certificates to be used within my intranet. Do I really need LDAP for this?

Yes. While you may not have a need to publish these certificates to LDAP, the revocation information still needs to be published.

I don't want to set up LDAP. Isn't there a way to configure PKI Services to not use LDAP?

While this is not recommended, the LDAP processing in PKI Services can be disabled by setting NumServers=0 in the [LDAP] section of the PKI Services configuration file. Understand that by doing so, you lose the ability to revoke certificates as the revocation information can no longer be published.

I successfully requested, retrieved, and revoked a test browser certificate as recommended before customization. Now I keep seeing message IKYP008E. What's that all about?

This is not a problem, at least not a serious one. The uncustomized certificate templates create certificates where the subject distinguished name suffix doesn't match the LDAP suffix you are using. Thus the certificate cannot be posted to LDAP. PKI Services will continue to attempt to post this certificate for one week before discarding it. If you wish to have this information discarded sooner, following the recommendations listed under message IKYP008E in the PKI Services Guide and Reference for setting RetryMissingSuffix=F.

When I request a server certificate, the web page expects me to supply a Base64 encoded PKCS#10 certificate request. Where do I get that?

The PKCS#10 certificate request contains the subject's name and subject's public key that will be used to create the server certificate. The certificate request is created by the server that is requesting the certificate. The procedure for creating and obtaining the certificate request varies from server to server and cannot be described here. Consult your server documentation for more information.

Contact IBM

Browse z/OS