[AIX Solaris HP-UX Linux Windows]

Receiving a signed certificate from a certificate authority

This topic describes how to receive an electronically mailed certificate from a certificate authority (CA) that is designated as a trusted CA on your server. A certificate authority is a trusted third-party organization or company that issues digital certificates that are used to create digital signatures and public-private key pairs.

About this task

The certificate authority can send more than one certificate. In addition to the certificate for your server, the CA can also send additional signing certificates or intermediate CA certificates. For example, Verisign includes an intermediate CA certificate when sending a Global Server ID certificate. Before receiving the server certificate, receive any additional intermediate CA certificates. Follow the instructions in the Storing a CA certificate topic to receive intermediate CA certificates.

If the CA that issuing your CA-signed certificate is not a trusted CA in the key database, store the CA certificate first and designate the CA as a trusted CA. Then you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA that is not a trusted CA. For instructions, see Storing a certificate authority certificate.


  • Receive the CA-signed certificate into a key database using the gskcmd command-line interface, as follows:
    install_root/bin/gskcmd -cert -receive -file filename -db filename
    [-pw password | -stashed] -format ascii | binary 
    -label label -default_cert yes | no
    • -cert specifies a self-signed certificate.
    • -receive specifies a receive action.
    • -file filename is a file containing the CA certificate.
    • -db filename is the name of the database.
    • -pw password is the password to access the key database.
    • -stashed indicates that the password for the key database should be recovered from the stash file.
    • -format ascii | binary specifies that the certificate authority might provide the CA certificate in either ASCII or binary format.
    • -default_cert yes | no indicates whether this is the default certificate in the key database.
    • -label label specifies the label that is attached to a CA certificate.
    • -trust indicates whether this CA can be trusted. Use enable options when receiving a CA certificate.
  • Receive the CA-signed certificate into a key database using the GSKCapiCmd tool.
    GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality that the existing GSKit Java™ command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
    install_root/bin/gskcapicmd -cert -receive -file name 
    -db name [-crypto module_name [-tokenlabel token_label]]
    [-pw password] [-default_cert yes | no] [-fips]