Enhancements to support the Internet Explorer 11 browser.
Other enhancements to PKI Services that were provided in prior releases and carried forward to the current versions include:
Sample PKI Services web pages implemented using XML and JSP [V1.11].
The ability to use DB2 as the back-end storage for the PKI Services issued certificate list (ICL) and object storage, plus utilities to migrate existing VSAM based ICLs and object storage to DB2 [V1.13]. The DB2 tables used as the backing storage can be customized [V2.1].
The ability to generate key pairs to be used in the creation of a certificate, and the ability to recover these generated keys at a later time if the keys become lost [V1.11].
The ability to provide hardware protection for the private keys used by the PKI Services Certificate Authority (CA) certificate and those for which PKI Services generated the key pairs, when the ICSF Enterprise PKCS#11 coprocessor is available [V2.1].
The ability to generate, verify, and sign certificates using Elliptic Curve Cryptography (ECC) keys in addition to RSA keys [V1.12], and to use a hardware ECC certificate as the CA certificate [V1.13].
The ability to allow or restrict the authority of PKI Services administrators based on the CA domain, the administrative action being performed, and the certificate type [V2.1].
The ability to generate Extended Validation (EV) X.509 certificates [V2.1].
The ability to prohibit an intermediate CA certificate from issuing another subordinate CA certificate that may follow it [V2.1].
The ability to generate certificates using smart cards from Mozilla-based browser clients running on Windows and Linux platforms [V1.13].
The ability to post certificates and certificate revocation lists (CRLs) upon demand and the ability to schedule internal PKI Services maintenance tasks to run at specified times [V1.12]. Large CRLs are supported for customers with applications that support only a limited number of CRL distribution points [V1.13], and PKI Services can be configured to generate a message when CRL processing is completed to allow for automation of follow-on actions such as CRL archiving [V2.1].
The ability to query for expiring certificates and to configure for automated renewal of expiring certificates [V1.9].
Support for the following protocols: Simple Certificate Enrollment Protocol (SCEP) [V1.8] and Certificate Management Protocol (CMP) for using PKI Services through standardized devices [V1.12].
Support for the following certificate extensions: customized extensions; Subject Alternate Name, allowing for multiple instances of Alternate Domain, Alternate IP Address, Alternate E-Mail Address, and Alternate URL [V1.12].
Support for: SHA-256 signing algorithm [V1.11]; 1024-byte Subject Distinguished Names in certificates [V1.12]; expiration dates beyond year 2038 [V1.12]; SDBM credentials for LDAP when posting certificates and CRLs to LDAP repositories [V1.9]; multiple PKI Services instances operating within a single z/OS image [V1.8].