Certificate authority (CA) signed certificates are only valid for a limited period of time. If a certificate is close to expiry, you can renew it by recreating its certificate signing request (CSR) and having the same CA sign the request again.
Before you begin
The recreated certificate signing request contains the same details (subject, key and extensions) as the previous certificate, so the CA issues a new certificate with the same identity but a new validity period.
To renew a self-signed certificate, a new certificate must be created instead. For more information, refer to Creating a self-signed certificate with GSKit.
About this task
For the purpose of this example, Db2® is assumed to already be configured with a key database and with its password stored in a stash file. This keystore is referred to as server.p12 in this example, and it is presumed to already contain a CA-signed certificate with the label CA-Signed.
Procedure
1. Identify the expiring certificate and its label by running:

    $ gsk8capicmd_64 -cert -list -db server.p12 -stashed
    Certificates found
    * default, - personal, ! trusted, # secret key
    ! My_CA_Root
    - CA-Signed <-----

    $ gsk8capicmd_64 -cert -details -label "CA-Signed" -db server.p12 -stashed
    Label : CA-Signed
    Key Size : 1024
    Version : X509 V3
    Serial : 7f9e2b79e210cc26
    Issuer : CN=CA,O=CA,C=US
    Subject : CN=host.mycompany.com,OU=unit,O=company
    Not Before : May 6, 2018 9:32:48 AM PDT
    Not After : May 6, 2019 9:32:48 AM PDT <------------------
    ...

2. Back up the existing keystore and its certificates by copying server.p12 to server_copy.p12. The purpose of this backup is to ensure that a working keystore still exists and can be restored if anything goes astray during the certificate renewal process.

3. Recreate the certificate signing request for CA-Signed by running:

    gsk8capicmd_64 -certreq -recreate -db server.p12 -stashed -label "CA-Signed" -target new_cert_request.csr

4. Send the resulting certificate signing request, new_cert_request.csr, to be signed by the original Certificate Authority (CA).

5. Once the signed certificate has been returned, receive it into your server keystore by running:

    gsk8capicmd_64 -cert -receive -db server.p12 -stashed -file new_cert_signed.pem

    In this example, the returned certificate is called new_cert_signed.pem.

6. Verify the new dates on the received certificate by running:

    gsk8capicmd_64 -cert -details -label CA-Signed -db server.p12 -stashed
    Label : CA-Signed
    Key Size : 1024
    Version : X509 V3
    Serial : 61840a0badecc11a
    Issuer : CN=CA,O=CA,C=US
    Subject : CN=host.mycompany.com,OU=unit,O=company
    Not Before : May 6, 2021 9:59:05 AM PDT
    Not After : May 6, 2022 9:59:05 AM PDT

7. To ensure that the CA-signed certificate renewal was successful, validate the new certificate (including its chain to the trusted CA root in the keystore) by running:

    gsk8capicmd_64 -cert -validate -db server.p12 -stashed -label CA-Signed

8. If the Db2 level is Version 11.5 Mod Pack 3 or later, refresh the SSL certificate used by Db2 by attaching to the instance and updating the SSL_SVR_LABEL database manager configuration parameter. This can be done by running:

    db2 attach to <instance name>
    db2 update dbm cfg using SSL_SVR_LABEL CA-Signed

9. If the Db2 level is Version 11.5 Mod Pack 2 or earlier, the instance must be recycled for the new certificate to take effect. This can be done by running:

10. If you encounter problems, such as being unable to establish a new TLS connection, rename server.p12 to server_err.p12. Next, move the backup keystore copy server_copy.p12 to the original location of server.p12. Then, rename server_copy.p12 to server.p12 and repeat Steps 8 and 9.

11. Once you successfully establish a new TLS connection with the database, remove the backup keystore copy server_copy.p12.
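The following script is an added example and is not IBM's or GSKit's own code. It wraps the procedure above (the expiry check in Step 1, the backup in Step 2, the CSR recreation in Step 3, the receive and validate in Steps 5 to 7, and the rollback in Step 10) in plain POSIX sh so that the operational safeguards are enforced rather than remembered: no CSR is recreated before the keystore is backed up, and a received certificate that fails -validate causes the broken keystore to be set aside and the backup restored. It assumes gsk8capicmd_64 is on PATH, the keystore password is in the stash file, and the -cert -details output uses the "Not After : May 6, 2019 9:32:48 AM PDT" layout shown above; dates are compared as YYYYMMDD integers so no GNU date extensions are needed. The function and file names (check_expiry, prepare_renewal, receive_and_validate, the _copy and _err suffixes) are this example's own choices.

```shell
#!/bin/sh
# Added example (not IBM's or GSKit's code): safeguards around the GSKit
# certificate renewal steps. Assumes gsk8capicmd_64 on PATH and a stash
# file for the keystore password (-stashed).

# Convert the "Not After" line of gsk8capicmd_64 -cert -details output,
# e.g. "Not After : May 6, 2019 9:32:48 AM PDT", into YYYYMMDD (20190506)
# so that plain sh can compare dates as integers.
not_after_yyyymmdd() {
    # $1: the complete -cert -details output
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /Not After/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)   # -> "May 6, 2019 9:32:48 AM PDT"
            split(line, f, /[ ,]+/)          # f[1]=May f[2]=6 f[3]=2019
            printf "%04d%02d%02d\n", f[3], mon[substr(f[1], 1, 3)], f[2]
            exit
        }'
}

# True (exit 0) when the certificate in the details text ($1) expires on or
# before the cutoff date ($2, YYYYMMDD, for example today plus 30 days).
expires_by() {
    na=$(not_after_yyyymmdd "$1")
    [ -n "$na" ] && [ "$na" -le "$2" ]
}

# Step 1: read the certificate details from the keystore and report whether
# the label needs renewal before the cutoff date. Exit 0 = renew, 1 = fine.
check_expiry() {
    db=$1; label=$2; cutoff=$3
    details=$(gsk8capicmd_64 -cert -details -db "$db" -stashed -label "$label") || return 2
    if expires_by "$details" "$cutoff"; then
        echo "$label in $db expires on $(not_after_yyyymmdd "$details"); renew it" >&2
        return 0
    fi
    return 1
}

# Steps 2 and 3: back up the keystore first, then recreate the CSR for the
# label. The CA signs the CSR out of band, so the script stops here.
prepare_renewal() {
    db=$1; label=$2; csr=$3
    cp -p "$db" "${db%.p12}_copy.p12" || return 1
    gsk8capicmd_64 -certreq -recreate -db "$db" -stashed -label "$label" -target "$csr"
}

# Steps 5, 7 and 10: receive the CA-signed certificate and validate it. If
# either fails, move the keystore aside as *_err.p12 and restore the backup
# (the backup is kept until TLS connections are confirmed, as in Step 11).
receive_and_validate() {
    db=$1; label=$2; signed=$3
    backup=${db%.p12}_copy.p12
    if gsk8capicmd_64 -cert -receive -db "$db" -stashed -file "$signed" \
       && gsk8capicmd_64 -cert -validate -db "$db" -stashed -label "$label"; then
        return 0
    fi
    echo "renewal of $label failed; restoring $backup" >&2
    mv "$db" "${db%.p12}_err.p12"
    cp -p "$backup" "$db"
    return 1
}

# Command-line use (no-op when no subcommand is given), e.g.
#   sh renew_cert.sh check   server.p12 CA-Signed 20190601
#   sh renew_cert.sh prepare server.p12 CA-Signed new_cert_request.csr
#   sh renew_cert.sh receive server.p12 CA-Signed new_cert_signed.pem
case "${1:-}" in
    check)   check_expiry "$2" "$3" "$4" ;;
    prepare) prepare_renewal "$2" "$3" "$4" ;;
    receive) receive_and_validate "$2" "$3" "$4" ;;
esac
```

After a successful receive, Steps 8 or 9 (refreshing SSL_SVR_LABEL or recycling the instance) still apply, and the _copy.p12 backup should only be removed once a new TLS connection has been confirmed.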