Adding a certificate chain

You can configure a Db2 server for TLS support by using a ready-made certificate chain and private key that are provided by a third party. You run the IBM Global Security Kit (GSKit) command gsk8capicmd_64 to import the certificate chain.

Note: When Db2® is running in STRICT_FIPS mode, all certificates in the certificate chain must have a signature algorithm of SHA256 or stronger. This includes all intermediate and root certificates.

Root, Intermediate, and Server certificates in a single file

If the certificate authority provides the root, any intermediate certificates, and the server certificate and private key in a single Base64-encoded file, use the following command to import the file:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file certificates.pem
where <certificates.pem> is the name of the Base64-encoded file that is provided by the certificate authority.
Note: Root and intermediate certificates from the certificate chain must appear first, if present. A private key must appear after its associated certificate.
If the certificate authority provides the root and any intermediate certificates in a PKCS12-encoded file, run the following command to import the file:
gsk8capicmd_64 -cert -import -target server.p12 -target_stashed -db certificates.p12 -pw <password>
where <certificates.p12> is the name of the PKCS12-encoded file that is provided by the certificate authority.

To rename the server certificate, first run the -cert -list option to determine the certificate's current label, then run the -cert -rename option to assign a new label.

gsk8capicmd_64 -cert -list -db server.p12 -stashed

gsk8capicmd_64 -cert -rename -db server.p12 -stashed -label <existing label> -new_label <new label>

Root, Intermediate, and Server certificates in separate files

If the CA provides the root, intermediate, and server certificate in separate Base64-encoded files, run the following commands:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file RootCA.pem -label MyRootCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file IntermediateCA.pem -label MyIntermediateCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file ServerCert.pem -label MyServerCert
Note: Not all certificate authorities provide intermediate certificates.
If the server certificate and private key are in separate files, they must be concatenated into one file before running -cert -add.
Note: If the private key is not in Base64 format, or is encrypted, it must be converted to a plain text, Base64-encoded private key before being concatenated:

openssl rsa -in server.key -text > server_key.pem
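Before running -cert -add on a single-file bundle, it is worth confirming that the file obeys the ordering rule from the Note above (CA certificates first, private key after its certificate) and, for a server in STRICT_FIPS mode, that every certificate is signed with SHA256 or stronger. The following checker is an added example, not part of the IBM documentation or GSKit: it uses only the Python standard library, reads the PEM blocks of the bundle text you pass it (the contents of certificates.pem), and reports any problems. The FIPS_OK set of signature-algorithm OIDs and the fake_cert_pem helper are assumptions of this example, and the sample bundles are constructed stand-ins, not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs that satisfy the STRICT_FIPS rule (SHA256 or stronger); an assumed list.
FIPS_OK = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13",  # RSA
           "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4"}       # ECDSA
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(buf, pos):                       # one DER tag/length/value -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):                         # DER OBJECT IDENTIFIER bytes -> dotted string
    arcs, val = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    _, body, _ = der_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = der_tlv(body, 0)             # skip tbsCertificate
    _, alg, _ = der_tlv(body, pos)           # AlgorithmIdentifier SEQUENCE; first element is the OID
    return decode_oid(der_tlv(alg, 0)[1])

def check_bundle(pem_text, strict_fips=False):   # returns a list of problems; empty means import-ready
    problems, seen_cert, seen_key = [], False, False
    for i, (kind, b64) in enumerate(PEM_BLOCK.findall(pem_text), 1):
        if kind.endswith("PRIVATE KEY"):
            if not seen_cert:
                problems.append(f"block {i}: private key precedes its certificate")
            seen_key = True
        elif kind == "CERTIFICATE":
            if seen_key:
                problems.append(f"block {i}: certificate after private key; CA certificates must come first")
            seen_cert = True
            oid = signature_oid(base64.b64decode(b64))
            if strict_fips and oid not in FIPS_OK:
                problems.append(f"block {i}: signature algorithm {oid} is not SHA256 or stronger")
    return problems

def fake_cert_pem(sig_oid_der):              # constructed stand-in, NOT a real certificate: outer DER layout only
    alg = b"\x30" + bytes([len(sig_oid_der) + 2, 0x06, len(sig_oid_der)]) + sig_oid_der
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\x00"   # tbs stub, sigAlg, empty BIT STRING
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SHA256_RSA, SHA1_RSA = bytes.fromhex("2a864886f70d01010b"), bytes.fromhex("2a864886f70d010105")
KEY = "-----BEGIN PRIVATE KEY-----\nMA==\n-----END PRIVATE KEY-----\n"    # constructed placeholder key block
GOOD = fake_cert_pem(SHA256_RSA) * 2 + KEY   # CA cert, server cert, then its key: the layout the Note requires
BAD = KEY + fake_cert_pem(SHA1_RSA)          # key first, then a SHA-1 signed certificate: both rules broken
```

For a real bundle, call check_bundle(open("certificates.pem").read(), strict_fips=True) and only run gsk8capicmd_64 -cert -add when the returned list is empty.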

What to do next

When you have added your certificate chain to your keystore, you are ready to configure TLS for your Db2 server.