Creating a CA-signed digital certificate

You create a CA-signed digital certificate for an RSA private-public key pair and PKCS10 certificate request, which are stored in the key database in a file with the .rdb extension.

About this task

With the -file option, specify the name of the file that you send to the CA.

Procedure

To create a CA-signed digital certificate:

  1. Create a Certificate Signing Request (CSR) by using GSKCapiCmd. The following example shows how to create a CSR that is stored in ondemand.kdb.
    gsk8capicmd_64 -certreq -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert" \
    -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US" \
    -file "mycertRequestNew"
  2. Verify the contents of the CSR by using GSKCapiCmd. The following example shows how to display the contents of the CSR:
    gsk8capicmd_64 -certreq -details -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
    If you need to delete this CSR, run GSKCapiCmd similar to the following example:
    gsk8capicmd_64 -certreq -delete -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
  3. Go to the website of a well-known CA (for example, Verisign) and follow their instructions for registering and obtaining a signed digital certificate. The instructions include paying the CA for their services and providing them with the file you specified with the -file option. In the following example and for the rest of these instructions, a trial version of a digital certificate is used.
  4. Use a text editor (for example, vi) to save each certificate into a file. The CA sends you an email with the following information:
    • The MyCertificate.arm file, your trial signed digital certificate.
    • A link to download IntermediateCert.arm, the trial intermediate digital certificate.
    • A link to download RootCert.arm, the root digital certificate.
  5. Add the trial root digital certificate to the key database. The following example adds RootCert.arm to ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialRootCACert" \
    -file RootCert.arm -format ascii
  6. Add the trial intermediate certificate to the key database. The following example adds IntermediateCert.arm to ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialIntermediateCACert" \
    -file IntermediateCert.arm -format ascii
  7. Receive your signed digital certificate into the key database. The following example receives MyCertificate.arm into ondemand.kdb:
    gsk8capicmd_64 -cert -receive -file MyCertificate.arm -db "ondemand.kdb" -pw "myKeyDBpasswd" \
    -format ascii
  8. Verify that all the certificates were stored in the key database by using GSKCapiCmd. The following example lists the certificates stored in ondemand.kdb:
    gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd"
    GSKCapiCmd displays the following result:
    Certificates found
    * default, - personal, ! trusted
    -! mycert
    ! trialIntermediateCACert
    ! trialRootCACert
    -! myselfsigned
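
A scripted version of the check in step 8, as an added example that is not part of the original page or of GSKCapiCmd itself: it parses the listing and confirms that mycert is flagged personal and trusted and that both CA certificates are flagged trusted. The function names are hypothetical, the sample listing is constructed from the output shown above, and the parser assumes the flag column precedes each label as in that output.

```shell
# cert_flags LABEL: read a listing on stdin, print LABEL's flags; status 1 if absent.
cert_flags() {
    awk -v want="$1" '
        /Certificates found/ || /default,.*personal,.*trusted/ { next }
        {
            line = $0; flags = ""
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (match(line, /^[*!-]+[ \t]+/)) {    # leading flag column
                flags = substr(line, 1, RLENGTH)
                line = substr(line, RLENGTH + 1)
                gsub(/[ \t]/, "", flags)
            }
            if (line == want) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# require_cert LISTING LABEL FLAGS: LABEL must be listed with every flag in FLAGS.
require_cert() {
    got=$(printf '%s\n' "$1" | cert_flags "$2") || { echo "MISSING $2"; return 1; }
    need=$3
    while [ -n "$need" ]; do
        c=${need%"${need#?}"}; need=${need#?}      # take the next required flag
        case "$got" in
            *"$c"*) ;;
            *) echo "WRONG FLAGS $2: have [$got], need [$3]"; return 1 ;;
        esac
    done
    echo "OK $2 [$got]"
}

# verify_chain_imported LISTING: labels from steps 1, 5 and 6 of the procedure.
verify_chain_imported() {
    rc=0
    require_cert "$1" mycert "-!" || rc=1
    require_cert "$1" trialIntermediateCACert "!" || rc=1
    require_cert "$1" trialRootCACert "!" || rc=1
    return $rc
}

# Constructed sample: the listing shown in step 8.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted
-! mycert
! trialIntermediateCACert
! trialRootCACert
-! myselfsigned'
verify_chain_imported "$SAMPLE_LISTING"
```

In real use, pass the output of the step 8 command as the argument instead of SAMPLE_LISTING; a non-zero exit status means a label is missing or lacks an expected flag.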