Managing self-signed certificates
A self-signed certificate consists of a public/private key pair and a certificate for the public key that is signed by the private key. It is also known as a "root" certificate because it can be used to create a Certificate Authority.
Self-signed certificates can also be used in simple scenarios when both the client and the server are known to each other and can exchange certificates securely out-of-band.
To generate a self-signed certificate and store it in the key database, use the following command:
gsk8capicmd -cert -create -db server.kdb -stashed -dn "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" -expire 7300 -label "My self-signed certificate" -default_cert yes
The -db parameter specifies the key database where the self-signed certificate should be stored. The -dn parameter specifies the distinguished name to use on the public key certificate. The -expire parameter indicates the number of days the certificate is valid. The -label parameter is a name to use for the self-signed certificate within the key database. The -default_cert parameter makes the newly created certificate the default and is optional.
For the clients to trust a certificate, its public part needs to be distributed to the clients and stored in their key databases. The process for doing this is:
- Extract the public part to a file using the following command:
gsk8capicmd -cert -extract -db server.kdb -stashed -label "My self-signed certificate" -format ascii -target mycert.arm
The -db parameter specifies the server key database that contains the certificate to be shared with clients. The -label parameter specifies the certificate's label within the key database. The -target parameter specifies the file name where the exported certificate should be stored.
- Copy mycert.arm to the clients.
- Add the new certificate to the clients' key database as follows:
gsk8capicmd -cert -add -db client.kdb -stashed -label "Server self-signed certificate" -file mycert.arm -format ascii -trust enable
The -db parameter specifies the name of the client's key database file. The -label parameter specifies the label to be used for the certificate inside the key database file. The -file parameter specifies the file containing the certificate to be imported.
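The same procedure as one script, added here as an example and not taken from the product documentation: it wraps the gsk8capicmd commands above and adds a SHA-256 fingerprint check so that a client only imports mycert.arm when the received file matches the value communicated out-of-band. It assumes gsk8capicmd is on the PATH, that server.kdb and client.kdb with their stash files already exist, and that sha256sum is available; the script name selfsigned.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumes gsk8capicmd is on
# the PATH, the key databases and stash files exist, and sha256sum is present.
set -eu

# SHA-256 fingerprint of an exported certificate file; this value is sent to
# clients over a separate trusted channel, not alongside the file itself.
fingerprint() {
  sha256sum "$1" | cut -d' ' -f1
}

# Succeeds only when the received file matches the expected fingerprint.
verify_fingerprint() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# Server side: create the self-signed certificate and export its public part
# (arguments: server key database, output file for the certificate).
server_create_and_extract() {
  gsk8capicmd -cert -create -db "$1" -stashed \
    -dn "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" \
    -expire 7300 -label "My self-signed certificate" -default_cert yes
  gsk8capicmd -cert -extract -db "$1" -stashed \
    -label "My self-signed certificate" -format ascii -target "$2"
  echo "fingerprint to communicate out-of-band: $(fingerprint "$2")"
}

# Client side: refuse to trust the certificate unless the received file
# matches the fingerprint obtained out-of-band (arguments: client key
# database, received certificate file, expected fingerprint).
client_import() {
  if ! verify_fingerprint "$2" "$3"; then
    echo "fingerprint mismatch for $2; certificate not imported" >&2
    return 1
  fi
  gsk8capicmd -cert -add -db "$1" -stashed \
    -label "Server self-signed certificate" -file "$2" -format ascii -trust enable
}

# Usage (placeholder script name):
#   ./selfsigned.sh server server.kdb mycert.arm
#   ./selfsigned.sh client client.kdb mycert.arm <fingerprint-from-server>
case "${1:-}" in
  server) server_create_and_extract "$2" "$3" ;;
  client) client_import "$2" "$3" "$4" ;;
esac
```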