Adding a certificate chain

You can configure a Db2 server for TLS support by using a ready-made certificate chain and private key that are provided by a third party, such as a commercial or internal certificate authority (CA). You run the IBM Global Security Kit (GSKit) command gsk8capicmd_64 to import the certificate chain into the server keystore.

Note: When Db2® is running in STRICT_FIPS mode, all certificates in the certificate chain must have a signature algorithm of SHA256 or stronger. This includes all intermediate and root certificates.
Note: Hostname validation is enabled by default on Db2 clients. The server certificate must correctly identify the server (the host name that clients connect to), or clients will reject the connection. For instructions on how to do so, see Configuring Db2 instances for hostname validation.

Root, Intermediate, and Server certificates in a single file

If the certificate authority provides the root certificate, any intermediate certificates, and the server certificate and private key in a single Base64-encoded (PEM) file, use the following command to import the file:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file certificates.pem
where <certificates.pem> is the name of the Base64-encoded file that is provided by the certificate authority.
Note: Root and intermediate certificates from the certificate chain must appear first, if present, followed by the server certificate. A private key must appear after its associated certificate.
If the certificate authority provides the root and any intermediate certificates in a PKCS12-encoded file, run the following command to import the file:
gsk8capicmd_64 -cert -import -target server.p12 -target_stashed -db certificates.p12 -pw <password>
where <certificates.p12> is the name of the PKCS12-encoded file that is provided by the certificate authority and <password> is the password that protects it. A password that is passed on the command line is recorded in the shell history and is visible in the process list while the command runs, so remove it from the history afterwards.

To rename the server certificate, first include the -cert -list option to determine its current label, then include the -cert -rename option to assign a new label:

gsk8capicmd_64 -cert -list -db server.p12 -stashed

gsk8capicmd_64 -cert -rename -db server.p12 -stashed -label <existing label> -new_label <new label>

Root, Intermediate, and Server certificates in separate files

If the CA provides the root, intermediate, and server certificates in separate Base64-encoded files, run the following commands, adding the CA certificates before the server certificate:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file RootCA.pem -label MyRootCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file IntermediateCA.pem -label MyIntermediateCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file ServerCert.pem -label MyServerCert
Note: Not all certificate authorities provide intermediate certificates. If there is none, omit the second command.
If the server certificate and private key are in separate files, they must be concatenated into one file, certificate first and then the key, before you run -cert -add.
Note: If the private key is not in Base64 format, or is encrypted, it must be converted to an unencrypted, Base64-encoded (PEM) private key before it is concatenated. For an RSA key:

openssl rsa -in server.key -out server_key.pem

For a DER-encoded key, add -inform DER. The openssl pkey command performs the same conversion for any key type, including EC keys. The output file holds the private key without any pass phrase protection, so create it with restrictive permissions and delete it, together with the concatenated file, as soon as the import into the keystore has succeeded.
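As an added example, not taken from the Db2 documentation or from GSKit, the following POSIX shell script turns the rules above into checks you can run before touching the keystore: it enforces the ordering rule for a combined PEM file, refuses an encrypted key (which must first go through the openssl conversion), checks the STRICT_FIPS signature-algorithm requirement with openssl, and only then runs the gsk8capicmd_64 import. The file names server.p12, certificates.pem and server.key, the function names and the label MyServerCert are assumptions for the example; check_sigalgs needs openssl and import_bundle needs gsk8capicmd_64 on the PATH.

```shell
#!/bin/sh
# Added example, not from the Db2 documentation or GSKit. Checks a PEM bundle
# against the ordering rule for a combined chain file, refuses encrypted
# keys, checks the STRICT_FIPS signature-algorithm rule, then imports it.
# Assumed names: server.p12 (keystore with stash file), certificates.pem
# (combined chain), server.key (CA-supplied private key).

# check_bundle_order FILE
# Certificates (root, intermediates, server) must come first and the private
# key must directly follow the certificate it belongs to. Encrypted keys are
# rejected because GSKit needs them decrypted (see prepare_key).
check_bundle_order() {
    prev="" keys=0 certs=0 ok=1
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----")
                certs=$((certs + 1)); prev=cert ;;
            "-----BEGIN ENCRYPTED PRIVATE KEY-----")
                keys=$((keys + 1)); prev=key
                echo "$1: encrypted private key, run prepare_key first" >&2; ok=0 ;;
            "Proc-Type: 4,ENCRYPTED")
                echo "$1: encrypted legacy private key, run prepare_key first" >&2; ok=0 ;;
            "-----BEGIN "*"PRIVATE KEY-----")
                keys=$((keys + 1))
                if [ "$prev" != cert ]; then
                    echo "$1: private key does not directly follow a certificate" >&2
                    ok=0
                fi
                prev=key ;;
            "-----BEGIN "*)
                echo "$1: unexpected PEM block: $line" >&2; ok=0 ;;
        esac
    done < "$1"
    [ "$certs" -ge 1 ] || { echo "$1: no certificate found" >&2; ok=0; }
    [ "$keys" -eq 1 ] || { echo "$1: expected one private key, found $keys" >&2; ok=0; }
    [ "$ok" -eq 1 ]
}

# prepare_key IN OUT [INFORM]
# Writes the private key as an unencrypted PEM file (openssl prompts for the
# pass phrase if IN is encrypted). Works for RSA and EC keys; pass DER as
# INFORM for a binary key. The result is an unprotected secret: it is created
# with mode 0600 and should be deleted once the import has succeeded.
prepare_key() {
    if [ -n "$3" ]; then inform="-inform $3"; else inform=""; fi
    ( umask 077; openssl pkey $inform -in "$1" -out "$2" )
}

# check_sigalgs FILE
# STRICT_FIPS requires every certificate in the chain, root included, to be
# signed with SHA-256 or stronger. Prints subject and signature algorithm of
# each certificate and fails if any is signed with SHA-1 or MD5. Needs openssl.
check_sigalgs() {
    certs_only=$(mktemp)
    # Feed openssl the CERTIFICATE blocks only, so the key never leaves FILE.
    awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' "$1" > "$certs_only"
    report=$(openssl crl2pkcs7 -nocrl -certfile "$certs_only" \
        | openssl pkcs7 -print_certs -text -noout \
        | grep -E 'Subject:|Signature Algorithm:')
    rm -f "$certs_only"
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eiq 'Signature Algorithm: *(sha1|md5)'
}

# import_bundle BUNDLE [KEYDB]
# Runs both checks, imports the whole chain and key in one call, then lists
# the labels so the server certificate can be renamed with -cert -rename.
import_bundle() {
    db=${2:-server.p12}
    check_bundle_order "$1" || return 1
    check_sigalgs "$1" || return 1
    gsk8capicmd_64 -cert -add -db "$db" -stashed -file "$1" || return 1
    gsk8capicmd_64 -cert -list -db "$db" -stashed
}

# Typical session with the assumed file names (CA certificates first):
#   prepare_key server.key server_key.pem
#   cat RootCA.pem IntermediateCA.pem ServerCert.pem server_key.pem > certificates.pem
#   import_bundle certificates.pem server.p12
#   gsk8capicmd_64 -cert -rename -db server.p12 -stashed -label "<existing label>" -new_label MyServerCert
#   rm -f server_key.pem certificates.pem
```

check_bundle_order reads only the PEM markers, so it runs anywhere; the other functions shell out to openssl and GSKit. For the separate-files layout, point check_sigalgs at each CA file as well, since a SHA-1 signed root or intermediate fails STRICT_FIPS just as a SHA-1 signed server certificate does.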

What to do next

When you have added your certificate chain to your keystore, you are ready to configure TLS for your Db2 server.