Renewing a CA-signed certificate

Certificate authority (CA) signed certificates are only valid for a limited period of time. If a certificate is close to expiry, it can be renewed by recreating its certificate signing request and having the CA sign the request again.

Before you begin

The new certificate signing request will contain the same details as the previous certificate.

To renew a self-signed certificate, a new certificate must be created. For more information, refer to Creating a self-signed certificate with GSKit.

About this task

For the purpose of this example, Db2® is assumed to already be configured with a key database and a password stored in a stash file. This example refers to the keystore as server.p12, and assumes it already holds a CA-signed certificate with the label CA-Signed.

Procedure

  1. Identify the expiring certificate and its label by running:
          $ gsk8capicmd_64 -cert -list -db server.p12 -stashed

              Certificates found
              * default, - personal, ! trusted, # secret key
              !       My_CA_Root
              -       CA-Signed   <-----

          $ gsk8capicmd_64 -cert -details -label "CA-Signed" -db server.p12 -stashed

              Label : CA-Signed
              Key Size : 1024
              Version : X509 V3
              Serial : 7f9e2b79e210cc26
              Issuer : CN=CA,O=CA,C=US
              Subject : CN=host.mycompany.com,OU=unit,O=company
              Not Before : May 6, 2018 9:32:48 AM PDT
              Not After : May 6, 2019 9:32:48 AM PDT   <-----
              ...
  2. Back up the existing keystore and its certificates by copying server.p12 to server_copy.p12. The backup ensures that a working keystore exists that can be restored if anything goes wrong during the certificate renewal process.
  3. Recreate the certificate signing request for CA-Signed by running:
    gsk8capicmd_64 -certreq -recreate -db server.p12 -stashed -label "CA-Signed" -target new_cert_request.csr
  4. Send the resulting new_cert_request.csr certificate to be signed by the original Certificate Authority (CA).
  5. Once the signed certificate has been returned, then receive it back into your server keystore by running:
    gsk8capicmd_64 -cert -receive -db server.p12 -stashed -file new_cert_signed.pem
    In this example, the returned certificate is called new_cert_signed.pem.
  6. Verify the new dates on the received certificate by running:
          gsk8capicmd_64 -cert -details -label CA-Signed -db server.p12 -stashed

              Label : CA-Signed
              Key Size : 1024
              Version : X509 V3
              Serial : 61840a0badecc11a
              Issuer : CN=CA,O=CA,C=US
              Subject : CN=host.mycompany.com,OU=unit,O=company
              Not Before : May 6, 2021 9:59:05 AM PDT
              Not After : May 6, 2022 9:59:05 AM PDT   <-----
  7. To ensure the CA-signed certificate renewal was successful, perform validation of the new certificate by running:
    gsk8capicmd_64 -cert -validate -db server.p12 -stashed -label CA-Signed
  8. If the Db2 level is Version 11.5 Mod Pack 3 or later, refresh the SSL certificate used by Db2 by attaching to the instance and updating the SSL_SVR_LABEL database manager configuration parameter. This can be done by running:
    db2 attach to <instance name>
    db2 update dbm cfg using SSL_SVR_LABEL CA-Signed
  9. If the Db2 level is Version 11.5 Mod Pack 2 or earlier, the instance must be recycled for the new certificate to take effect. This can be done by running:
  10. If you encounter problems, such as being unable to establish a new TLS connection, rename server.p12 to server_err.p12. Next, move the backup keystore copy server_copy.p12 into the original location of server.p12, rename server_copy.p12 to server.p12, and repeat Steps 8 and 9.
  11. Once you successfully establish a new TLS connection with the database, remove the backup keystore copy server_copy.p12.
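The following script is an added example for steps 1 and 6 of this procedure; it is not IBM's or GSKit's own code. It parses the output of the page's `gsk8capicmd_64 -cert -details` command, captured before step 3 and again after step 5, and checks what a renewal must leave unchanged (label, subject, issuer) and what it must change (serial, Not After), plus how many days remain. It also flags a short key: `-certreq -recreate` reuses the existing key pair, which is why the page's output shows Key Size 1024 both before and after renewal, so a renewal alone never replaces a weak key. Assumptions: Python 3.7 or later; the two sample outputs are the page's own step 1 and step 6 output re-typed here; the trailing time zone token is dropped when dates are compared; the `gsk_details` helper needs `gsk8capicmd_64` on PATH and the stash file next to the keystore.

```python
"""Check a GSKit certificate renewal from `gsk8capicmd_64 -cert -details` output.
Added example, not IBM's code."""
import re
import subprocess
from datetime import datetime

# The 'Name : value' lines of -cert -details output that the check relies on.
_FIELD_RE = re.compile(
    r"^\s*(Label|Key Size|Serial|Issuer|Subject|Not Before|Not After)\s*:\s*(.*?)\s*$"
)

# Constructed samples: the page's step 1 (before) and step 6 (after) output,
# re-typed without the arrow annotations.
BEFORE_DETAILS = """\
Label : CA-Signed
Key Size : 1024
Version : X509 V3
Serial : 7f9e2b79e210cc26
Issuer : CN=CA,O=CA,C=US
Subject : CN=host.mycompany.com,OU=unit,O=company
Not Before : May 6, 2018 9:32:48 AM PDT
Not After : May 6, 2019 9:32:48 AM PDT
"""
AFTER_DETAILS = """\
Label : CA-Signed
Key Size : 1024
Version : X509 V3
Serial : 61840a0badecc11a
Issuer : CN=CA,O=CA,C=US
Subject : CN=host.mycompany.com,OU=unit,O=company
Not Before : May 6, 2021 9:59:05 AM PDT
Not After : May 6, 2022 9:59:05 AM PDT
"""


def parse_details(text):
    """Return the interesting fields of -cert -details output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_gsk_date(value):
    """Parse a GSKit date such as 'May 6, 2019 9:32:48 AM PDT'.
    Assumption: the trailing zone token is dropped, so before/after values are
    compared as if printed in the same zone (true for one keystore)."""
    without_zone = value.rsplit(" ", 1)[0]
    return datetime.strptime(without_zone, "%b %d, %Y %I:%M:%S %p")


def days_remaining(details, now):
    """Whole days from `now` until the certificate's Not After date."""
    return (parse_gsk_date(details["Not After"]) - now).days


def check_renewal(before, after, now, min_key_bits=2048):
    """Compare the certificate details before and after -cert -receive.
    Returns a list of problems; an empty list means the renewal looks correct."""
    problems = []
    for field in ("Label", "Subject", "Issuer"):
        if before[field] != after[field]:
            problems.append("%s changed: %r -> %r" % (field, before[field], after[field]))
    if before["Serial"] == after["Serial"]:
        problems.append("Serial unchanged: the old certificate is still in the keystore")
    old_expiry = parse_gsk_date(before["Not After"])
    new_expiry = parse_gsk_date(after["Not After"])
    if new_expiry <= old_expiry:
        problems.append("Not After did not move forward")
    if new_expiry <= now:
        problems.append("Not After is already in the past")
    bits = int(after["Key Size"])
    if bits < min_key_bits:
        # -certreq -recreate reuses the existing key pair (the page's output shows
        # Key Size 1024 before and after), so renewal alone never fixes a short key.
        problems.append("Key Size %d is below %d bits; a new key pair is needed"
                        % (bits, min_key_bits))
    return problems


def gsk_details(label, db="server.p12"):
    """Run the page's -cert -details command and parse its output.
    Assumption: gsk8capicmd_64 is on PATH and the keystore has a stash file."""
    cmd = ["gsk8capicmd_64", "-cert", "-details", "-label", label, "-db", db, "-stashed"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_details(out)


if __name__ == "__main__":
    # Dry run against the page's sample output; for a real keystore, capture
    # gsk_details("CA-Signed") before step 3 and again after step 5.
    now = datetime.now()
    before = parse_details(BEFORE_DETAILS)
    after = parse_details(AFTER_DETAILS)
    for problem in check_renewal(before, after, now) or ["renewal looks correct"]:
        print(problem)
    print("days remaining on renewed certificate: %d" % days_remaining(after, now))
```

Run it once before step 3 and once after step 5 and keep both parsed outputs; the check is most useful right after step 6, before the label is refreshed in step 8, because a certificate that failed `-cert -receive` leaves the serial unchanged and the report then says so before any connections are affected. Raise `min_key_bits` to your own policy value; the page's 1024-bit key is reported as a problem by default because the renewal keeps it.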