Google Cloud Storage certificate requirements

SSL communications with Google Cloud Storage require the installation of the "Global Sign Root CA-R1" certificate, the "GTS Root R1" certificate, and the "GTS CA IC3" certificate in the IBM® Global Security Kit (GSKit) .kdb file that is being used by the Content Manager OnDemand server.

Procedure

To install the certificates:

  1. Download the certificates from:
    • Global Sign Root CA-R1

      https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
    • GTS Root R1 and GTS CA IC3

      https://pki.goog/repository
  2. Add the "Global Sign Root CA-R1" certificate to the key database.
    The following example adds the "Global Sign Root CA-R1" certificate to the key database named ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "Global Sign Root CA-R1" -file "gsr_root.crt" -format binary -fips
  3. Add the "GTS Root R1" certificate to the key database.
    The following example adds the "GTS Root R1" certificate to the key database named ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "GTS Root R1" -file "gts_root_r1.der" -format binary -fips
  4. Add the "GTS CA IC3" certificate to the key database.
    The following example adds the "GTS CA IC3" certificate to the key database named ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "GTS CA IC3" -file "gts_ca_ic3.der" -format binary -fips
  5. Verify that the three new certificates were stored in the key database by using GSKCapiCmd.
    The following example lists the certificates stored in ondemand.kdb:
    gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd"
    GSKCapiCmd displays the following result:
    Certificates found
    * default, - personal, ! trusted, # secret key
    !       "Entrust.net Secure Server Certification Authority"
    !       "Entrust.net Certification Authority (2048)"
    !       "Entrust.net Client Certification Authority"
    !       "Entrust.net Global Client Certification Authority"
    !       "Entrust.net Global Secure Server Certification Authority"
    !       "VeriSign Class 1 Public Primary Certification Authority"
    !       "VeriSign Class 2 Public Primary Certification Authority"
    !       "VeriSign Class 3 Public Primary Certification Authority"
    !       "VeriSign Class 1 Public Primary Certification Authority - G2"
    !       "VeriSign Class 2 Public Primary Certification Authority - G2"
    !       "VeriSign Class 3 Public Primary Certification Authority - G2"
    !       "VeriSign Class 4 Public Primary Certification Authority - G2"
    !       "VeriSign Class 1 Public Primary Certification Authority - G3"
    !       "VeriSign Class 2 Public Primary Certification Authority - G3"
    !       "VeriSign Class 3 Public Primary Certification Authority - G3"
    !       "VeriSign Class 3 Public Primary Certification Authority - G5"
    !       "VeriSign Class 4 Public Primary Certification Authority - G3"
    !       "Thawte Primary Root CA"
    !       "Thawte Primary Root CA - G2 ECC"
    !       "Thawte Server CA"
    !       "Thawte Premium Server CA"
    !       "Thawte Personal Basic CA"
    !       "Thawte Personal Freemail CA"
    !       "Thawte Personal Premium CA"
    !       "GlobalSign Root R1"
    !       "GTS Root R1"
    !       "GTS 1C3"
    *-      "IBM Content Manager OnDemand"
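
The check in step 5 can be scripted so that a missing or untrusted CA is caught before the server attempts an SSL connection. The following is an added example, not IBM code: `check_trusted_labels` is a hypothetical helper, the sample listing is constructed, and it assumes that an entry listed without the `!` flag is not trusted. Labels are matched exactly, so pass them as they appear in your key database.

```shell
#!/bin/sh
# Added example, not IBM code. check_trusted_labels is a hypothetical helper.
# Usage: check_trusted_labels LISTING LABEL...
# LISTING is the text printed by the page's "-cert -list all" command.
# Prints one status line per label and returns the number of labels that are
# missing or listed without the "!" (trusted) flag.
check_trusted_labels() {
    listing=$1
    shift
    failures=0
    for label in "$@"; do
        result=$(printf '%s\n' "$listing" | awk -v want="$label" '
            {
                q = index($0, "\"")        # the label starts at the first quote
                if (q == 0) next           # title and legend lines carry no label
                flags = substr($0, 1, q - 1)
                gsub(/[ \t]/, "", flags)   # keep only the flag characters
                name = substr($0, q + 1)
                sub(/"[ \t\r]*$/, "", name)
                if (name == want) { print "found:" flags; exit }
            }')
        case $result in
            '')          status=MISSING ;;
            found:*'!'*) status=TRUSTED ;;
            *)           status=UNTRUSTED ;;
        esac
        echo "$status: $label"
        [ "$status" = TRUSTED ] || failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed sample listing (not real output): one CA trusted, one listed
# without "!", and "GTS Root R1" absent.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!       "Global Sign Root CA-R1"
        "GTS CA IC3"
*-      "IBM Content Manager OnDemand"'

check_trusted_labels "$SAMPLE_LISTING" \
    "Global Sign Root CA-R1" "GTS Root R1" "GTS CA IC3" ||
    echo "$? required certificate(s) missing or not trusted"
```

Against a live key database, pass the captured output of the listing command from step 5 as the first argument in place of the sample.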