z/OS V1.13 includes the following enhancements for PKI Services:
- PKI Services can now use a hardware Elliptic Curve Cryptography (ECC) certificate as the Certificate Authority (CA) certificate.
- DB2 can now be used to provide the back-end storage for the PKI Services issued certificate list (ICL) and object storage.
- Customers who expect to issue and manage a large number of certificates can now exploit the reliability and scalability of DB2 to store and manage their certificates.
- New utilities are provided to help existing PKI Services customers migrate their existing VSAM back-end storage to DB2.
- Browser support enhancements:
- PKI Services now permits users of Mozilla-based browsers on Windows and Linux platforms to generate certificates using smart cards.
- PKI Services has added support for Internet Explorer version 8 browsers.
- PKI Services now supports large certificate revocation lists (CRLs), which can be helpful for customers whose applications can support only a limited number of CRL distribution points.
z/OS V1.12 includes the following enhancements for PKI Services:
- PKI Services can now generate, verify, and sign certificates using Elliptic Curve Cryptography (ECC) keys, in addition to RSA keys.
- Certificate Management Protocol (CMP) support is added, designed to support the use of z/OS PKI Services through standardized devices.
- Support has been added for additional certificate extensions:
- Subject Alternate Name, to allow alternate identities to be bound to the certificate. Multiple instances of Alternate Domain, Alternate IP Address, Alternate E-Mail Address, and Alternate URL identities may be specified in the Subject Alternate Name extension.
- Customized extensions.
- New utilities permit the PKI administrator to post certificates and CRLs upon demand, and allow the administrator to schedule PKI Services maintenance tasks to run at specified times.
- Validity dates beyond the year 2038 are supported.
- The maximum size of a Subject Distinguished Name is increased to 1024 bytes.
z/OS V1.11 includes the following enhancements for PKI Services:
- The PKI Services CA can now generate the key pair to be used in creating a certificate, if the requestor asks for this function.
- Key pairs generated by the PKI Services CA can be recovered at a later time, if the requestor should lose the key pair.
- Support for the SHA-256 signing algorithm is included.
- PKI Services web pages are now implemented using XML and JSP, to facilitate PKI Services integration with other applications.
- The maximum size of a Subject Distinguished Name is increased to 1024 bytes [when PTF UA52092 is installed on the PKI server system].
z/OS V1.10 includes the following enhancements for PKI Services:
- Enable PKI Services to accept 2-byte UTF-8 characters that map to code page 1047 in the CA/RA certificate, and to create certificates containing such characters.
- Remove the dependency on OCSF from the PKI Services daemon (Note: PKI Services Trust Policy still requires OCSF).
- Add three Distinguished Name attribute types: Domain Component, Distinguished Name Qualifier, and User ID.
- Provide an embedded link which contains the transaction ID of the request for the requestor to pick up the certificate.
z/OS V1.9 includes the following enhancements for PKI Services:
- Automate certificate renewal which sends renewal certificates to end-users via email when the expiration date is approaching.
- Support queries on expiring certificates. Administrators can submit a query based on the number of days until the certificates expire.
- Extend the email notification function to the administrators. When there is a request pending for approval, notification is sent. The notification can be sent whenever there is a new request or sent once a day for all the new requests.
- The validity period of the certificate is increased to 9999 days (more than 27 years).
- Allow the use of SDBM credentials for the LDAP administrator ID which PKI Services uses to post certificates and CRLs.
z/OS V1.8 includes the following enhancements for PKI Services:
The following enhancements enabled PKI Services to be more competitive with other Certificate Authority products.
- Simple Certificate Enrollment Protocol (SCEP) support, which allows SCEP-enabled clients (usually routers) to automatically request certificates.
- Enable multiple instances of PKI Services to run on a single z/OS image.
- Support more commonly used distinguished name qualifiers and extension values for certificates.
PKI Services for z/OS V1 R5 certified "Identrus Compliant"
The Identrus Compliant program certifies that PKI Services, provided by z/OS V1.5 and higher, meets Identrus specifications and interoperability requirements, providing a solid foundation for trust between financial institutions and their customers.
Instructions for configuring PKI Services for Identrus compliance are provided by IBM on an as-needed basis. For information, contact email@example.com