Creating a certificate signing request (CSR) with IBM Global Security Kit (GSKit)
You create a certificate signing request (CSR) by specifying a label, the path to the key database, a distinguished name for the certificate, and other values when you run the IBM Global Security Kit (GSKit) command gsk8capicmd_64. When the CSR is created you then forward it to a certificate authority (CA) for signing.
Procedure
Open IBM Global Security Kit (GSKit) and create your CSR:
gsk8capicmd_64 -certreq -create -db server.p12 -stashed -label myselfsigned -dn "CN=myserver.mycompany.com" -size 2048 -sigalg SHA256_WITH_RSA -target myselfsigned.csr-dbis the fully qualified path to the key database. On Windows platforms, you can include the-db mscngoption to create the CSR in the MSCS.Note: If using the MSCS, omit the-stashedoption from the command.-labelis the label attached to the certificate upon creation.-dn <string>is the distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format. Only the Common Name (CN) attribute is mandatory.- CN = Common Name
- O = Organization
- OU = Organizational Unit
- L = Location
- ST = State or Province
- C = Country
- DC = Domain Component
- EMAIL = Email Address
-sizeis the key size (in bits) of the new key pair to be created. For RSA certificates, the minimum key size is 2048 bits.-sigalg <signature_algorithm>is the signing algorithm to be used during the creation of the certificate. This algorithm is used to create the signature associated with the new certificate. The generated key type is chosen to match this signing algorithm.-targetis the file name assigned to the generated CSR. It is best practice to use the certificate label.
Important:
Db2® clients are
configured to validate the server’s hostname using hostname validation. You need to include one or more hostnames in your CSR for each Db2 instance to which
your clients are configured to connect. These can be single servers or clustered servers in various
Db2
configurations, such as Db2
pureScale®, HADR, data
partitioning feature (DPF), and other topologies. Hostnames are represented in different ways,
depending on the Db2 instance where
the certificate resides:
- A single server is represented using the common name (CN) field which is specified as part of the -dn option.
- One or more servers are represented in a subject alternate name (san_) field, using fully qualified hostnames, IP addresses, or wildcard (*) hostnames.
The following example shows the syntax for adding a hostname for a single server, using
the common name field:
-dn "CN=xyz.db2.example.com,…"xyz.db2.example.com is a fully qualified hostname. Wildcard hostnames in the
CN field are supported when performing hostname validation, so long as no SAN values exist in the
certificate. The following example shows the syntax for adding a hostname for a single server in the
subject alternate name field:
-san_dnsname "xyz.db2.example.com"Multiple SAN values are separated by
commas:
-san_dnsname "xyz.db2.example.com,abc.db2.example2.com"-san_ipaddr "127.0.0.1, 127.0.0.2"You can include both DNS names and
IP addresses in the SAN for hostname validation. The following example shows the syntax:
The following example shows the syntax
for adding wildcard hostnames for hosts belonging to separate domains:
-san_dnsname "xyz.db2.example.com", -san_ipaddr "127.0.0.1"-san_dnsname "*.db2.example.com"-san_dnsname "*.db2.example.com,a*.db2.example2.com"-san_dnsname "xyz.db2.example.com,*.db2.example2.com"for more information about representing servers in certificates, see Configuring Db2 Instances for hostname validation.