This topic describes how to receive an electronically mailed
certificate from a certificate authority (CA) that is designated as
a trusted CA on your server. A certificate authority is a trusted
third-party organization or company that issues digital certificates
that are used to create digital signatures and public-private key
pairs.
About this task
The certificate authority can send more than one certificate.
In addition to the certificate for your server, the CA can also send
additional signing certificates or intermediate CA certificates. For
example, Verisign includes an intermediate CA certificate when sending
a Global Server ID certificate. Before receiving the server certificate,
receive any additional intermediate CA certificates. Follow the instructions
in the Storing a CA certificate topic to receive intermediate CA certificates.
If the CA that is issuing your CA-signed certificate is not a trusted CA in the key database,
store the CA certificate first and designate the CA as a trusted CA. Then you can receive your
CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA that
is not a trusted CA. For instructions, see Storing
a certificate authority certificate.
Procedure
- Receive the CA-signed certificate into a key database using
the gskcmd command-line interface, as follows:
install_root/bin/gskcmd -cert -receive -file filename -db filename
[-pw password | -stashed] -format ascii | binary -label label -default_cert yes | no
where:
- -cert specifies a self-signed certificate.
- -receive specifies a receive action.
- -file filename is a file containing the
CA certificate.
- -db filename is the name of the database.
- -pw password is the password to access
the key database.
- -stashed indicates that the password for the key database should be recovered from the stash file.
- -format ascii | binary specifies that
the certificate authority might provide the CA certificate in either
ASCII or binary format.
- -default_cert yes | no indicates whether
this is the default certificate in the key database.
- -label label specifies the label that is attached to
a CA certificate.
- -trust indicates whether this CA can be trusted.
Use enable options when receiving a CA certificate.
- Receive the CA-signed certificate into a key database using
the GSKCapiCmd tool.
GSKCapiCmd is a tool that manages
keys, certificates, and certificate requests within a CMS key database.
The tool has all of the functionality that the existing GSKit Java™ command line tool has, except that GSKCapiCmd
supports CMS and PKCS11 key databases. If you plan to manage key databases
other than CMS or PKCS11, use the existing Java tool.
You can use GSKCapiCmd to manage all aspects of a CMS key database.
GSKCapiCmd does not require Java to
be installed on the system.
install_root/bin/gskcapicmd -cert -receive -file name -db name
[-crypto module_name [-tokenlabel token_label]] [-pw password] [-default_cert yes | no] [-fips]
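For the gskcmd step above, the following added example (not part of the original documentation) builds the receive command for a mailed certificate: it detects whether the file is ASCII or binary and uses -stashed rather than -pw. The helper names cert_format and receive_cmd, the GSKCMD variable, and the file, database and label values in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compose the "gskcmd -cert -receive" command from this page.
# GSKCMD is an assumed variable; install_root is the placeholder used on the page.
GSKCMD="${GSKCMD:-install_root/bin/gskcmd}"

# Print "ascii" for a Base64-armoured certificate file, "binary" otherwise.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo ascii
    else
        echo binary
    fi
}

# receive_cmd CERT_FILE KEY_DB LABEL [DEFAULT_CERT]
# Validates the arguments and prints the command line; it does not run gskcmd.
receive_cmd() {
    cert=$1 db=$2 label=$3 default=${4:-no}
    [ -s "$cert" ] || { echo "certificate file missing or empty: $cert" >&2; return 1; }
    [ -n "$db" ] && [ -n "$label" ] || { echo "key database and label are required" >&2; return 1; }
    case $default in
        yes|no) ;;
        *) echo "-default_cert must be yes or no" >&2; return 1 ;;
    esac
    # -stashed takes the password from the stash file, so it does not
    # show up in the process list or shell history as a -pw argument would.
    printf '%s -cert -receive -file "%s" -db "%s" -stashed -format %s -label "%s" -default_cert %s\n' \
        "$GSKCMD" "$cert" "$db" "$(cert_format "$cert")" "$label" "$default"
}

# Usage (constructed values): receive_cmd server.arm key.kdb "server cert" yes
```

Review the printed command, then run it only after the issuing CA and any intermediate CA certificates have been stored in the key database.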