SSLServerCertificate CLI/ODBC configuration keyword

Specifies the fully qualified name of a self-signed server certificate or a certificate authority (CA) certificate.

db2cli.ini keyword syntax:
SSLServerCertificate = "<fully_qualified_certificate_name>"
Default setting:
Usage notes:
The certificate that is specified for the SSLServerCertificate keyword is stored in the default keystore database unless you specified a keystore database using the SSLClientKeystoredb keyword with the SSLClientKeystoreDBPassword or SSLClientKeyStash keyword.

The certificate can be either a self-signed certificate from a server or a certificate signed by a trusted certificate authority.

Starting in Db2® V11.1 MP4 FP5, the keyword will be accepted even when binary encoded certificates, such as .crt files, are specified.

The SSLServerCertificate keyword can be set when all the following conditions are met:
  • The SSL value is specified for the Security CLI keyword or the SecurityTransportMode IBM® data server driver configuration keyword.
  • The Db2 server is using a self-signed certificate or a CA certificate that is not present in the existing keystore database.
  • The installed Db2 client product is Db2 Version 10.5 Fix Pack 5 or a later fix pack release.
The keyword value is the fully qualified path of the certificate file, including the certificate file name. Only one fully qualified certificate name can be specified. The fully qualified certificate name must be unique and it cannot already exist in the keystore database. You cannot specify any wildcard characters or symbols that are specific to an operating system in the SSLServerCertificate keyword value.

The CLI driver uses the unique certificate label to add the certificate that is specified with the SSLServerCertificate keyword to the keystore database. The unique certificate label consists of the full path and the certificate file name.

If you set the SSLServerCertificate keyword in the [COMMON] section of the db2cli.ini file, all CLI connections are attempted using that one certificate.

The SSLServerCertificate keyword is not required if the certificate that is required to establish an SSL connection is already stored in the keystore database.
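
The value rules above can be checked before a db2cli.ini file is deployed. The following Python sketch is an added example, not IBM code: the function name lint_db2cli, the DSN names and the certificate paths are constructed, and the set of "operating-system-specific symbols" it rejects is an assumption.

```python
import configparser
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample db2cli.ini; DSN names and certificate paths are made up.
SAMPLE_INI = r'''
[COMMON]
Security = SSL
[SALESDB]
SSLServerCertificate = "/opt/certs/sales_ca.arm"
[HRDB]
SSLServerCertificate = "certs/*.arm"
[DEVDB]
SSLServerCertificate = "C:\certs\dev_selfsigned.crt"
'''

WILDCARDS = set("*?")
OS_SYMBOLS = set("~$%")  # assumption: what "OS-specific symbols" covers


def lint_db2cli(text):
    """Return {section: [findings]} for sections that set SSLServerCertificate."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)  # option names are lowercased by configparser
    common = cp["COMMON"] if cp.has_section("COMMON") else {}
    report = {}
    for name in cp.sections():
        sec = cp[name]
        if "sslservercertificate" not in sec:
            continue
        cert = sec["sslservercertificate"].strip().strip('"')
        findings = []
        if not (PurePosixPath(cert).is_absolute() or PureWindowsPath(cert).is_absolute()):
            findings.append("path is not fully qualified")
        if WILDCARDS & set(cert):
            findings.append("wildcard character in value")
        if OS_SYMBOLS & set(cert):
            findings.append("OS-specific symbol in value")
        security = sec.get("security", common.get("security", ""))
        if security.strip().strip('"').upper() != "SSL":
            findings.append("Security=SSL not set here or in [COMMON]")
        if name.upper() == "COMMON":
            findings.append("applies to every CLI connection")
        report[name] = findings
    return report


if __name__ == "__main__":
    for section, findings in lint_db2cli(SAMPLE_INI).items():
        print(section, "->", findings or "ok")
```

The Security check covers only db2cli.ini; SSL enabled through the SecurityTransportMode keyword in the IBM data server driver configuration is outside what this sketch reads.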