Pulling a CA-signed certificate into a keystore

You can add a CA-signed TLS certificate to a keystore by running the gsk8capicmd_64 command, using IBM Global Security Kit (GSKit).

About this task

By including the -cert -receive option, you tell IBM Global Security Kit (GSKit) to receive the signed certificate signing request (CSR) and associate it with the corresponding private key in the keystore.
Important: When you receive your signed CSR from your CA or Security team, DO NOT use the -add option in your gsk8capicmd_64 command. Using this option does not associate the certificate with the private key in your keystore, and leaves the certificate unusable for TLS.

Procedure

Using IBM Global Security Kit (GSKit), run the following command to pull your CA-signed certificate into your keystore:
gsk8capicmd_64 -cert -receive -db server.p12 -stashed -file myselfsigned.cer
Note: If the signed certificate is received before the root certificate and any intermediate certificates are added, gsk8capicmd_64 might return the following CTGSK2146W warning:
CTGSK2146W An invalid certificate chain was found.
Additional untranslated info:
GSKKM_LAST_VALIDATION_ERROR: No certificate chain built
This message is a warning that the root and intermediate certificates were not found; the certificate was still received successfully. The root and intermediate certificates must be added to the keystore before the signed certificate can be used for TLS.
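The ordering described in the note above, as an added example (not IBM's own script): a wrapper that adds the CA certificates first, then receives the signed certificate and reports CTGSK2146W as a distinct status instead of a silent success. The label scheme, the GSK and DB variables, and the return code 2 are assumptions of this example.

```shell
#!/bin/sh
# Added example. GSK and DB can be overridden from the environment.
GSK="${GSK:-gsk8capicmd_64}"
DB="${DB:-server.p12}"

# add_ca_certs FILE...
# Add the root certificate first, then any intermediates, as trusted
# certificates. -add is appropriate here because the keystore holds no
# private key for a CA certificate; it is only the signed server
# certificate that must go through -receive.
add_ca_certs() {
    for ca in "$@"; do
        label=$(basename "$ca" .cer)   # assumed labelling: file name without .cer
        "$GSK" -cert -add -db "$DB" -stashed -label "$label" -file "$ca" || return 1
    done
}

# receive_signed FILE
# Returns 2 if the certificate was received but CTGSK2146W was reported
# (chain not built, so not yet usable for TLS); otherwise returns the
# command's own exit status.
receive_signed() {
    out=$("$GSK" -cert -receive -db "$DB" -stashed -file "$1" 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out"
    case "$out" in
        *CTGSK2146W*) return 2 ;;
    esac
    return "$rc"
}

# Typical use (file names are placeholders):
#   add_ca_certs root.cer intermediate.cer && receive_signed myselfsigned.cer
```

A status of 2 means the chain is still incomplete: add the missing root or intermediate certificates before enabling TLS with this keystore.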