This example file shows you how to create a server keystore
and a server root certificate to use with Rational® DOORS®,
and how the Microsoft Certificate Store (MCS) can be set up
to validate the server certificate. The example
file is followed by a breakdown of the commands and parameters.
Example file
REM Create a server keystore file
gsk8capicmd -keydb -create -db server.kdb -pw ser123 -stash
REM Create a server root certificate in server.kdb, and add it to the MCS
gsk8capicmd -cert -create -db server.kdb -pw ser123 -label "IBMEDCA1" -dn "CN=IBMEDCA1"
gsk8capicmd -cert -extract -db server.kdb -pw ser123 -label "IBMEDCA1" -target temp1.arm
gsk8capicmd -cert -add -db GSK_MS_CERTIFICATE_STORE -label "IBMEDCA1" -file temp1.arm
REM Create and sign a server certificate
gsk8capicmd -certreq -create -db server.kdb -label IBMSV1 -dn "CN=IBMEDSERV,dc=ukednode1" -file temp2.arm
gsk8capicmd -cert -sign -db server.kdb -pw ser123 -label IBMEDCA1 -file temp2.arm -target temp3.arm
gsk8capicmd -cert -receive -file temp3.arm -db server.kdb -pw ser123
REM Extract the root certificate from the MCS and add it to the server kdb file
gsk8capicmd -cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
gsk8capicmd -cert -add -db server.kdb -pw ser123 -label "CN=Coy Root" -file temp4.arm
Create a server keystore file
gsk8capicmd -keydb -create -db server.kdb -pw ser123 -stash
- gsk8capicmd -keydb -create
- The gsk8capicmd command is a tool to manage
keys, certificates, and certificate requests in a key database. The
syntax for gsk8capicmd is: gsk8capicmd modifiers object action options.
In this example, -keydb is a key database object, -create is
the action to take, and -db is
the option. The command creates a key database.
- -db server.kdb -pw ser123
- The key database is called server.kdb and is protected with
a password (-pw). In this example, the password
is ser123.
- -stash
- Stash the password for the key database after creation. A stash
file is used as an automatic way of providing a password. When you
access a key database, the system first checks for the existence of
a stash file. If one exists, the contents of the file are decrypted
and used as input for the password. When the -stash tag
is specified during the create action, the password is stashed into
a file that is named as follows: key_database_name.sth.
Create a root certificate in the keystore, and add it to the MCS
The root certificate is used to create a server
certificate. Because the root certificate is in the MCS, Rational DOORS clients
can validate the server certificate using the MCS.
gsk8capicmd -cert -create -db server.kdb -pw ser123 -label "IBMEDCA1" -dn "CN=IBMEDCA1"
- -cert -create
- This is the create certificate command (-create action
and -cert object).
- -label "IBMEDCA1"
- A label is attached to the certificate. In this example, the name
is "IBMEDCA1". The label is used to uniquely identify
the certificate by a user.
- -dn "CN=IBMEDCA1"
- The -dn distinguished name uniquely identifies
the certificate. The input must be a quoted string of the following
format (only the CN is mandatory):
- CN=common name
- O=organization
- OU=organization unit
- L=location
- ST=state, province
- C=country
- DC=domain component
- EMAIL=email address
In this example, the distinguished name is "CN=IBMEDCA1".
gsk8capicmd -cert -extract -db server.kdb -pw ser123 -label "IBMEDCA1" -target temp1.arm
- -cert -extract -label "IBMEDCA1"
- This is the extract certificate command (-extract action
and -cert object). The command extracts the named
certificate data (-label "IBMEDCA1") from the key
database and places it into a file.
- -target temp1.arm
- The file to which the certificate is to be extracted.
gsk8capicmd -cert -add -db GSK_MS_CERTIFICATE_STORE -label "IBMEDCA1" -file temp1.arm
- -cert -add -db GSK_MS_CERTIFICATE_STORE
- This is the add certificate command (-add action
and -cert object). The command adds the certificate
that was extracted (-label "IBMEDCA1" -file temp1.arm)
to the MCS (-db GSK_MS_CERTIFICATE_STORE).
Create a server certificate that is signed with the root certificate
The server certificate is stored in the keystore.
In the example, the distinguished name is written for a server that
runs on a computer called IBMEDSERV.
gsk8capicmd -certreq -create -db server.kdb -label IBMSV1 -dn "CN=IBMEDSERV,dc=ukednode1" -file temp2.arm
- -certreq -create
- This is the create certificate request command
(-create action and -certreq object).
- -label IBMSV1
- A label is attached to the certificate. In this example, the name
is IBMSV1. The label is used to uniquely identify
the certificate by a user. IBMSV1 is the default
certificate name that is used by the Rational DOORS server if a name
is not specified when the server starts.
- -dn "CN=IBMEDSERV,dc=ukednode1"
- The -dn distinguished name uniquely identifies
the certificate. In this example, the distinguished name is "CN=IBMEDSERV,dc=ukednode1".
Note: The IBMEDSERV part
of the distinguished name must either be the name of the server, or
the value that is used for -serverhostname if that
option is used when the server is started.
- -file temp2.arm
- The file to which the certificate request is written when
the request is created.
gsk8capicmd -cert -sign -db server.kdb -pw ser123 -label IBMEDCA1 -file temp2.arm -target temp3.arm
- -cert -sign
- This is the sign certificate command (-sign action
and -cert object). The command allows the signing
of a certificate request by an existing certificate that is stored
within a key database. The command accepts a certificate request in
a specified file format and details of the certificate that contains
the private key to be used during the signing process.
- -file temp2.arm
- The name and location of the certificate request to be signed.
- -target temp3.arm
- The name of the file that will contain the signed certificate.
gsk8capicmd -cert -receive -file temp3.arm -db server.kdb -pw ser123
- -cert -receive
- This is the receive certificate command (-receive action
and -cert object). The command reads the signed certificate
that was issued for the certificate request and stores it in the
key database, completing the request that was created earlier.
- -file temp3.arm
- The file name of the certificate that is to be received.
Copy the root certificate for the user certificates from the MCS and add it to the server keystore
This part of the example allows the server to validate
the certificates that are presented to it.
gsk8capicmd -cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
- -cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
- This is the extract certificate command (-extract action
and -cert object). The command extracts the named
certificate data (-label "CN=Coy Root") from the MCS
database (-db GSK_MS_CERTIFICATE_STORE) and places
it into a file (temp4.arm).
gsk8capicmd -cert -add -db server.kdb -pw ser123 -label "CN=Coy Root" -file temp4.arm
- -cert -add -label "CN=Coy Root" -file temp4.arm
- This is the add certificate command (-add action
and -cert object). The command adds a certificate
to the named keystore.
Note: In these commands, the root certificate
name is CN=Coy Root. The root certificate that you
use will have a longer name. Also, if your organization uses more
than one root certificate, you must extract and add each root certificate
individually. For example, one root certificate might apply to the
cards used by 500 users, and another root certificate might apply
to the remaining 2000 users. In this case, you must add both of these
root certificates to server.kdb.
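The following Python script is an added example and is not part of the original example file or of the GSKit product. It ties together the -dn format described above (only CN is mandatory; the attribute types are CN, O, OU, L, ST, C, DC and EMAIL), the rule that the IBMEDSERV part of the server distinguished name must match the server name or the -serverhostname value, and the note that each MCS root certificate must be added to server.kdb individually. It validates the distinguished names, checks the server CN against the host name before anything is written, and renders the same gsk8capicmd command sequence as the example batch file, one -cert -extract/-cert -add pair per root certificate label. The function names (parse_dn, server_cn_matches, build_commands, render_batch), the quoting rule, and the temp4.arm, temp5.arm, ... numbering for additional root certificates are this example's own; gsk8capicmd itself is not run by the script.

```python
"""Pre-flight checks and batch generation for the gsk8capicmd keystore procedure.

Added example; not GSKit or Rational DOORS code.  The gsk8capicmd options
used are the ones shown in the page's example batch file.
"""

# Attribute types permitted in a gsk8capicmd -dn string (CN is mandatory).
ALLOWED_DN_ATTRS = ("CN", "O", "OU", "L", "ST", "C", "DC", "EMAIL")
MCS = "GSK_MS_CERTIFICATE_STORE"


def parse_dn(dn):
    """Split 'CN=IBMEDSERV,dc=ukednode1' into [('CN', 'IBMEDSERV'), ('DC', 'ukednode1')].

    Attribute types are normalized to upper case (the page writes 'dc=').
    Values that themselves contain commas are not supported by this simple
    splitter, which is sufficient for the format the page documents.
    """
    pairs = []
    for component in dn.split(","):
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr, value = component.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if attr not in ALLOWED_DN_ATTRS:
            raise ValueError(f"unsupported DN attribute type: {attr!r}")
        if not value:
            raise ValueError(f"empty value for DN attribute {attr}")
        pairs.append((attr, value))
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("CN is mandatory in a gsk8capicmd -dn string")
    return pairs


def common_name(dn):
    """Return the CN value of a validated distinguished name."""
    return next(value for attr, value in parse_dn(dn) if attr == "CN")


def server_cn_matches(server_dn, server_hostname):
    """The page's rule: the CN must be the server name (or the -serverhostname
    value).  Host names are case-insensitive, so compare with casefold()."""
    return common_name(server_dn).casefold() == server_hostname.casefold()


def q(value):
    """Wrap a label or DN in double quotes for cmd.exe, as the page does.
    Embedded double quotes have no portable cmd.exe escape, so reject them."""
    if '"' in value:
        raise ValueError(f"double quote not allowed in argument: {value!r}")
    return f'"{value}"'


def build_commands(keystore="server.kdb", password="ser123",
                   ca_label="IBMEDCA1", ca_dn="CN=IBMEDCA1",
                   server_label="IBMSV1", server_dn="CN=IBMEDSERV,dc=ukednode1",
                   server_hostname="IBMEDSERV", mcs_root_labels=("CN=Coy Root",)):
    """Return the gsk8capicmd command lines of the page's batch file as a list.

    Both DNs are validated and the server CN is checked against the host name
    first, so a mismatch is caught before the keystore is touched.  One
    extract/add pair is emitted per MCS root certificate label (temp4.arm,
    temp5.arm, ...), following the page's note on multiple root certificates.
    """
    parse_dn(ca_dn)
    if not server_cn_matches(server_dn, server_hostname):
        raise ValueError(f"server DN CN {common_name(server_dn)!r} does not match "
                         f"host name {server_hostname!r}")
    if any(c.isspace() or c == '"' for c in keystore + password):
        raise ValueError("keystore name and password must not contain spaces or quotes")
    db = f"-db {keystore} -pw {password}"
    cmds = [
        f"gsk8capicmd -keydb -create {db} -stash",
        f"gsk8capicmd -cert -create {db} -label {q(ca_label)} -dn {q(ca_dn)}",
        f"gsk8capicmd -cert -extract {db} -label {q(ca_label)} -target temp1.arm",
        f"gsk8capicmd -cert -add -db {MCS} -label {q(ca_label)} -file temp1.arm",
        # The stashed password is used here, as in the page's example.
        f"gsk8capicmd -certreq -create -db {keystore} -label {q(server_label)} "
        f"-dn {q(server_dn)} -file temp2.arm",
        f"gsk8capicmd -cert -sign {db} -label {q(ca_label)} -file temp2.arm -target temp3.arm",
        f"gsk8capicmd -cert -receive -file temp3.arm {db}",
    ]
    for n, root_label in enumerate(mcs_root_labels, start=4):
        cmds.append(f"gsk8capicmd -cert -extract -db {MCS} -label {q(root_label)} -target temp{n}.arm")
        cmds.append(f"gsk8capicmd -cert -add {db} -label {q(root_label)} -file temp{n}.arm")
    return cmds


def render_batch(commands):
    """Render the command list as a cmd.exe batch file (CRLF line endings)."""
    lines = [
        "REM Generated keystore setup; review before running",
        "REM The .sth stash file opens the keystore without a prompt: restrict its",
        "REM file permissions to the account that runs the server",
    ] + list(commands)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(render_batch(build_commands()), end="")
```

Running the script prints a batch file equivalent to the one at the top of this page; passing a different server_dn or server_hostname shows how the CN check rejects a mismatch before any gsk8capicmd command is produced.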