Self-signing digital certificates

You can act as your own certificate authority (CA) and self-sign certificates for servers in your network. If the risk of untrusted access to your servers is negligible, self-signing is a good way to provide TLS support for a small Db2® network.

About this task

You run a GSKit gsk8capicmd_64 command to create the self-signed cert in much the same way as you create a CSR for sending to a CA.


  1. Using GSKit, run the following command to create a self-signed digital certificate labeled myselfsigned.cer:
    gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" 
            -label "myselfsigned" -dn ",O=myOrganization,
            OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA" -size 2048 -sigalg SHA256_WITH_RSA
    • -cert is the certificate request command that creates a new RSA private-public key pair and a PKCS10 certificate request in the specified key database.
    • -db is the fully qualified path name of a key database.
    • -pw is the password for the key database that is identified by the -db or -tokenlabel tags. Specify a hyphen (-) as the password to cause the program to read the password from stdin.
    • -label is the label to be attached to the certificate request on creation. The user uses this label to uniquely identify the certificate request.
    • -dn <dist_name> is the X.500 distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format (only CN is required):
      • CN = common name
      • O = organization
      • OU = organization unit
      • L = location
      • ST = State, Province
      • C = country
      • DC = domain component
      • EMAIL =email address
    • -size <key_size> is the size, in bits, of the new key pair to be created.
    • -sigalg | -sig_alg <signature_algorithm> is the signing algorithm to be used during the creation of the self-signed certificate. This algorithm is used to create the signature associated with the new self-signed certificate. The generated key type is chosen to match this signing algorithm.
  2. Extract the certificate that you created to a 64-bit encoded certificate file so that you can distribute it to the computers that run clients that will establish TLS connections to your Db2 server.
    Note: While Db2 supports many 64-bit encoded certificate file formats (for example, *.pem, *.arm, *.cer, *.crt) the examples in this group of topics refers to the .crt file type.
    For example, the following GSKCapiCmd command extracts the certificate to a file called mydbserver.crt:
    gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" 
           -label "myselfsigned" -target "mydbserver.crt" -format ascii
    Note: Always use the -extract option for moving certificates to a certificate file for nodes in your network, and not the -export option. Using the -export option moves the private key from your keystore into the certificate file, making it visible to your network.

    When your clients receive the mydbserver.crt file, they can use the gsk8capicmd_64 command with the -cert -add options to add the certificates to their local keystores.