Using a server certificate from a well-known (trusted) CA

The following root certificates are already stored in the key database and marked as trusted. Host On-Demand clients will trust certificates from these CAs:

• VeriSign Class 2 Public Primary CA
• VeriSign Class 2 Persona Not Validated
• VeriSign Class 3 Public Primary CA
• VeriSign Class 3 Persona Not Validated
• VeriSign Class 4 Public Primary CA
• RSA Secure Server CA (also obtained from VeriSign)
• Thawte Server CA
• Thawte Premium Server CA

To obtain and use a server certificate issued by a well-known (trusted) CA:

• Create a certificate request.
• Submit the request to one of the CAs.
• When you receive the certificate, store it in the server's key database.

Creating a certificate request

To create the certificate request:

Certificate Management:

1. On Windows, click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
2. On an AIX server, enter CertificatedManagement from a command prompt. The default location of the AIX script is /opt/IBM/HostOnDemand/bin. Refer to Running Certificate Management on AIX for additional information.
3. Follow the steps in the Help to create the certificate request.
4. Exit Certificate Management.

Sending the certificate request to the CA

Go to the CA's Web site. Follow the instructions to submit the certificate request. Here are the URLs of the well-known CAs:

• VeriSign: http://www.verisign.com/
• Thawte: http://www.thawte.com/

While you are waiting for the CA to process your certificate request, you can enable security by creating a self-signed root certificate.

Storing the certificate in the key database

When you receive the certificate, make sure it is in armored-64 or binary DER format. Only a certificate in one of these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "----BEGIN CERTIFICATE----" and ends with "----END CERTIFICATE----".

Store the certificate into the server's key database, HODServerKeyDb.kdb.

1. On Windows, click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
2. On an AIX server, enter CertificatedManagement from a command prompt. The default location of the AIX script is /opt/IBM/HostOnDemand/bin. Refer to Running Certificate Management on AIX for additional information.
3. Follow the steps in the Help to store the certificate.
4. Exit Certificate Management.

Related topic:

• How SSL works
• Server authentication