Creating a CA-signed digital certificate
You create a certificate authority (CA)-signed digital certificate for an RSA private-public key pair and PKCS10 certificate request, which are stored in the key database in a file with the .rdb extension.
About this task
Procedure
To create a CA-signed digital certificate:
- Create a Certificate Signing Request (CSR) by using GSKCapiCmd.
The following example shows how to create a CSR that is stored in ondemand.kdb.
gsk8capicmd_64 -certreq -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US" -file "mycertRequestNew"
- Verify the contents of the CSR by using GSKCapiCmd.
The following example shows how to display the contents of the CSR:
gsk8capicmd_64 -certreq -details -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
If you need to delete this CSR, run GSKCapiCmd similar to the following example:
gsk8capicmd_64 -certreq -delete -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
- Go to the website of a well-known CA (for example, Verisign) and follow their instructions for registering and obtaining a signed digital certificate. The instructions include paying the CA for their services and providing them with the file you specified with the -file option. In the following example and for the rest of these instructions, a trial version of a digital certificate is used.
- Use a text editor (for example, vi) to save each certificate into a file. The CA sends you an email with the following information:
  - The MyCertificate.arm file, your trial signed digital certificate.
  - A link to download IntermediateCert.arm, the trial intermediate digital certificate.
  - A link to download RootCert.arm, the root digital certificate.
- Add the trial root digital certificate to the key database.
The following example adds RootCert.arm to ondemand.kdb:
gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialRootCACert" -file RootCert.arm -format ascii
- Add the trial intermediate certificate to the key database.
The following example adds IntermediateCert.arm to ondemand.kdb:
gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialIntermediateCACert" -file IntermediateCert.arm -format ascii
- Receive your signed digital certificate into the key database.
The following example receives MyCertificate.arm into ondemand.kdb:
gsk8capicmd_64 -cert -receive -file MyCertificate.arm -db "ondemand.kdb" -pw "myKeyDBpasswd" -format ascii
- Verify that all the certificates were stored in the key database by using GSKCapiCmd.
The following example lists the certificates stored in ondemand.kdb:
gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd"
GSKCapiCmd displays the following result:
Certificates found
* default, - personal, ! trusted
-! mycert
! trialIntermediateCACert
! trialRootCACert
-! myselfsigned
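The final verification step can be scripted rather than read by eye. The following is an added example, not part of the original procedure or of GSKit: it parses a certificate listing and confirms that mycert is present as a personal certificate and that both CA certificates are trusted. The function names has_cert and check_listing are hypothetical, and the one-entry-per-line layout of the listing is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's code): check a "-cert -list all" listing for the
# three labels this procedure creates.
# Assumption: one certificate per line, flag characters first
# (* default, - personal, ! trusted), then whitespace, then the label.

# Constructed sample: the result shown above, laid out one entry per line.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted
-! mycert
! trialIntermediateCACert
! trialRootCACert
-! myselfsigned'

# has_cert LISTING LABEL FLAG: succeeds if LABEL is listed and carries FLAG.
has_cert() {
    printf '%s\n' "$1" | awk -v want="$2" -v flag="$3" '
        $1 !~ /^[*!-]+$/ { next }            # not an entry line (e.g. the header)
        {
            label = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", label)   # drop the flags field
            sub(/[ \t\r]+$/, "", label)               # drop trailing whitespace
            if (label == want && index($1, flag) > 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_listing LISTING: the signed certificate must be personal (-) and
# both CA certificates trusted (!). Returns non-zero if any is missing.
check_listing() {
    rc=0
    has_cert "$1" "mycert" "-" ||
        { echo "missing personal certificate: mycert" >&2; rc=1; }
    for ca in trialRootCACert trialIntermediateCACert; do
        has_cert "$1" "$ca" "!" ||
            { echo "missing trusted CA certificate: $ca" >&2; rc=1; }
    done
    return "$rc"
}

# Against a real key database, pass the output of the listing command instead:
#   check_listing "$(gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd")"
if check_listing "$SAMPLE_LISTING"; then
    echo "key database listing OK"
fi
```

A missing intermediate or root entry, or a mycert entry without the personal flag, makes check_listing return non-zero and names the label on standard error.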