You create a CA-signed digital certificate for an RSA private-public key pair and PKCS10 certificate request, which are stored in the key database in a file with the .rdb extension.
About this task
Specify the name of the file, with the -file option, that you send to the CA.
Procedure
To create a CA-signed digital certificate:
- Create a Certificate Signing Request (CSR) by using GSKCapiCmd. The following example shows how to create a CSR that is stored in ondemand.kdb.
gsk8capicmd_64 -certreq -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert" \
-dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US" \
-file "mycertRequestNew"
- Verify the contents of the CSR by using GSKCapiCmd. The following example shows how to display the contents of the CSR:
gsk8capicmd_64 -certreq -details -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
If you need to delete this CSR, run GSKCapiCmd similar to the following example:
gsk8capicmd_64 -certreq -delete -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
- Go to the website of a well-known CA (for example, Verisign)
and follow their instructions for registering and obtaining a signed
digital certificate. The instructions include paying the CA for their
services and providing them with the file you specified with the -file option.
In the following example and for the rest of these instructions, a
trial version of a digital certificate is used.
- Use a text editor (for example, vi) to save each certificate
into a file. The CA sends you an email with the following information:
  - The MyCertificate.arm file, your trial signed digital certificate.
  - A link to download IntermediateCert.arm, the trial intermediate digital certificate.
  - A link to download RootCert.arm, the root digital certificate.
- Add the trial root digital certificate to the key database. The following example adds RootCert.arm to ondemand.kdb:
gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialRootCACert" \
-file RootCert.arm -format ascii
- Add the trial intermediate certificate to the key database. The following example adds IntermediateCert.arm to ondemand.kdb:
gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialIntermediateCACert" \
-file IntermediateCert.arm -format ascii
- Receive your signed digital certificate to the key database. The following example receives MyCertificate.arm to ondemand.kdb:
gsk8capicmd_64 -cert -receive -file MyCertificate.arm -db "ondemand.kdb" -pw "myKeyDBpasswd" \
-format ascii
- Verify that all the certificates were stored in the key database by using GSKCapiCmd. The following example lists the certificates stored in ondemand.kdb:
gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd"
GSKCapiCmd displays the following result:
Certificates found
* default, - personal, ! trusted
-! mycert
! trialIntermediateCACert
! trialRootCACert
-! myselfsigned
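
The check in the last step can be scripted so that a deployment fails when a certificate is missing or carries the wrong flag. The following is an added example, not IBM code: the function names cert_flags, has_flag and check_keydb are hypothetical, and it assumes each listing line has the flag characters before the label, as in the result shown above.

```shell
#!/bin/sh
# Added example (not IBM code): confirm that "-cert -list all" shows the
# labels this procedure creates, with the flags they should carry.
# Function names are hypothetical.

# Constructed sample input: the listing shown on this page.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted
-! mycert
! trialIntermediateCACert
! trialRootCACert
-! myselfsigned'

# cert_flags LABEL: read a listing on stdin and print the flag characters
# (*, -, !) shown before LABEL. Exit status 1 if LABEL is not listed.
cert_flags() {
    awk -v want="$1" '
        /^Certificates found/ || /^\* default,/ { next }  # header, legend
        match($0, /^[*!-]+[ \t]+/) {
            flags = substr($0, 1, RLENGTH); gsub(/[ \t]/, "", flags)
            label = substr($0, RLENGTH + 1); sub(/[ \t\r]+$/, "", label)
            if (label == want) { print flags; found = 1; exit }
        }
        END { exit !found }'
}

# has_flag LISTING LABEL FLAG: succeed only if LABEL is listed with FLAG.
has_flag() {
    flags=$(printf '%s\n' "$1" | cert_flags "$2") || return 1
    case "$flags" in *"$3"*) return 0 ;; *) return 1 ;; esac
}

# check_keydb LISTING: mycert must be listed as personal (-), as in the
# result on this page; both CA certificates must be listed as trusted (!).
check_keydb() {
    rc=0
    for spec in "mycert:-" "trialIntermediateCACert:!" "trialRootCACert:!"; do
        label=${spec%%:*}; flag=${spec##*:}
        has_flag "$1" "$label" "$flag" ||
            { echo "FAIL: $label is missing or lacks flag $flag" >&2; rc=1; }
    done
    return "$rc"
}

# Against a real key database, pass the output of the list command instead:
#   check_keydb "$(gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd")"
check_keydb "$SAMPLE_LISTING" && echo "key database listing OK"
```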