Adding a certificate chain
You can configure a Db2 server for TLS support by using a ready-made certificate chain and private key that are provided by a third party. You run the IBM Global Security Kit (GSKit) command gsk8capicmd_64 to import the certificate chain into the server keystore.
Note: When Db2® is running in STRICT_FIPS mode, all certificates in the certificate chain must have a signature algorithm of SHA256 or stronger. This includes all intermediate and root certificates.
Root, Intermediate, and Server certificates in a single file
If the certificate authority provides the root, any intermediate certificates, and the server certificate and private key in a single Base64 encoded file, use the following command to import the file:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file certificates.pem
where <certificates.pem> is the name of the Base64-encoded file that is provided by the certificate authority.
Note: Root and intermediate certificates from the certificate chain must appear first, if present. A private key must appear after its associated certificate.
If the certificate authority provides the root, any intermediate certificates, and the server certificate and private key in a PKCS12 encoded file, run the following command to import the file:
gsk8capicmd_64 -cert -import -target server.p12 -target_stashed -db certificates.p12 -pw <password>
where <certificates.p12> is the name of the PKCS12 encoded file that is provided by the certificate authority and <password> is the password that protects that file. Because the password is passed on the command line, it is visible in the process list while the command runs and is recorded in the shell history; clear it from the history afterwards.
To rename the server certificate, include the -cert -list option to determine the certificate label. Include the -cert -rename option to assign a new label.
gsk8capicmd_64 -cert -list -db server.p12 -stashed
gsk8capicmd_64 -cert -rename -db server.p12 -stashed -label <existing label> -new_label <new label>
Root, Intermediate, and Server certificates in separate files
If the CA provides the root, intermediate, and server certificate in separate Base64 encoded
files, run the following commands:
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file RootCA.pem -label MyRootCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file IntermediateCA.pem -label MyIntermediateCA
gsk8capicmd_64 -cert -add -db server.p12 -stashed -file ServerCert.pem -label MyServerCert
Note: Not all certificate authorities provide intermediate certificates.
If the server certificate and private key are in separate files, they must be concatenated into one file, certificate first and then its private key, before running -cert -add.
Note: If the private key is not in Base64 format, or is encrypted, it must be converted to a plain text, Base64-encoded private key before being concatenated:
openssl rsa -in server.key -text > server_key.pem
The openssl rsa subcommand handles RSA keys only; for an EC key use openssl ec, or openssl pkey for any key type. The resulting file holds the private key unencrypted, so create it with restrictive permissions (for example mode 0600), keep it out of world-readable locations, and delete it once the chain has been added to the keystore.
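The two procedures above come down to the same file: root first, then any intermediates, then the server certificate with its unencrypted private key directly after it, every certificate signed with SHA256 or stronger if STRICT_FIPS is in use. The following POSIX shell script is an added example and is not code from the IBM page or from GSKit. It assembles that file from separate PEM files and, using OpenSSL, checks that the chain verifies, that the key belongs to the server certificate, that the blocks are in the required order, and that every signature algorithm is acceptable, so that gsk8capicmd_64 -cert -add is only run on a file that is known to be well formed. It assumes an openssl binary (1.1 or later) on PATH; all file names are hypothetical, and the root/intermediate/server PKI that make_test_pki generates is a constructed throwaway fixture for the demo, not a real CA.

```shell
#!/bin/sh
# Added example; not part of the IBM Db2 documentation or of GSKit. Builds a PEM
# chain file in the order gsk8capicmd_64 -cert -add expects (root, intermediates,
# server certificate, then that certificate's key) and checks it before import.
# Assumes `openssl` (1.1+) on PATH. File names are hypothetical; the PKI made by
# make_test_pki is a constructed fixture.

# split_certs BUNDLE DIR: copy each CERTIFICATE block of BUNDLE to DIR/cert-NN.pem.
split_certs() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%02d.pem", dir, ++n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# check_chain_order FILE: the page's ordering rule. The first certificate must be
# self-signed (the root), each later one must be issued by its predecessor, and the
# private key must come after the last certificate.
check_chain_order() {
  tmp=$(mktemp -d) || return 1
  split_certs "$1" "$tmp"
  prev='' rc=0
  for c in "$tmp"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
    if [ -z "$prev" ]; then [ "$subj" = "$iss" ] || rc=1
    else [ "$iss" = "$prev" ] || rc=1; fi
    prev=$subj
  done
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && awk '/-----END CERTIFICATE-----/ { lastc = NR }
    /-----BEGIN .*PRIVATE KEY-----/ && !k { k = NR }
    END { exit !(k > lastc) }' "$1"
}

# check_sig_alg FILE: every certificate, root included, is signed with SHA-256 or
# stronger, as STRICT_FIPS mode requires.
check_sig_alg() {
  tmp=$(mktemp -d) || return 1
  split_certs "$1" "$tmp"
  rc=0
  for c in "$tmp"/cert-*.pem; do
    alg=$(openssl x509 -in "$c" -noout -text |
          awk '/Signature Algorithm:/ { print $3; exit }' | tr 'A-Z' 'a-z')
    case "$alg" in
      *sha256*|*sha384*|*sha512*) ;;
      *) echo "$1: signature algorithm '$alg' is not SHA-256 or stronger" >&2; rc=1 ;;
    esac
  done
  rm -rf "$tmp"; return "$rc"
}

# key_matches_cert CERT KEY: the key's public half equals the certificate's public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# verify_chain ROOT INTERMEDIATE SERVER: the leaf chains to the root via the intermediate.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# plain_key IN OUT [PASSPHRASE]: the page's "openssl rsa" step done with `openssl pkey`,
# which also accepts EC keys. The output is unencrypted, so it is created mode 0600.
plain_key() {
  ( umask 077
    if [ -n "${3:-}" ]; then openssl pkey -in "$1" -passin "pass:$3" -out "$2"
    else openssl pkey -in "$1" -out "$2"; fi )
}

# build_chain_file OUT ROOT INTERMEDIATE SERVER_CERT SERVER_KEY: concatenate in the
# required order and run every check; a non-zero result means do not import OUT.
build_chain_file() {
  ( umask 077; cat "$2" "$3" "$4" "$5" > "$1" ) &&
    verify_chain "$2" "$3" "$4" && key_matches_cert "$4" "$5" &&
    check_chain_order "$1" && check_sig_alg "$1"
}

# make_test_pki DIR: constructed throwaway PKI (root -> intermediate -> server) used
# only to exercise the checks above; never use these keys for anything real.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Test Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=db2.example.test' \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -sha256 -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# Run with --demo to build the fixture, assemble certificates.pem and check it. On
# success the file is ready for: gsk8capicmd_64 -cert -add -db server.p12 -stashed -file certificates.pem
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_test_pki "$d" &&
    build_chain_file "$d/certificates.pem" "$d/root.pem" "$d/int.pem" "$d/server.pem" "$d/server.key" &&
    echo "chain file OK: $d/certificates.pem"
fi
```

With a real CA bundle, call build_chain_file with the CA's files in place of the fixture; check_chain_order and check_sig_alg can also be run directly on a single-file bundle the CA supplied before it is handed to gsk8capicmd_64. The order check only accepts root-first layout, so a bundle that lists the leaf first (common in web-server bundles) is reported before GSKit sees it.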
What to do next
When you have added your certificate chain to your keystore, you are ready to configure TLS for your Db2 server.