[AIX HP-UX Linux Solaris Windows]

Creating a new key pair and certificate request

Key pairs and certificate requests are stored in a key database. This topic describes how to create a key pair and certificate request.

About this task

Create a public and private key pair and certificate request using the IKEYCMD command-line interface or GSKCapiCmd tool, as follows:

Procedure

  1. Use the IKEYCMD command-line interface. Enter the following command (as one line):
    gsk7cmd -certreq -create -db <filename> -pw <password> -label <label> -dn <distinguished_name> -size <2048 | 1024 | 512> -file <filename>
    where:
    • -certreq specifies a certificate request.
    • -create specifies a create action.
    • -db <filename> specifies the name of the database.
    • -pw <password> is the password to access the key database.
    • -label <label> indicates the label attached to the certificate or certificate request.
    • -dn <distinguished_name> indicates an X.500 distinguished name. Input as a quoted string of the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=country
      Note: For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
    • -size <2048 | 1024 | 512> indicates a key size of 2048, 1024, or 512. The default key size is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 and later.
    • -file <filename> is the name of the file where the certificate request will be stored.
    Alternatively, use the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system. Enter the following command (as one line):
    gsk7capicmd -certreq -create -db <name> [-crypto <module name> [-tokenlabel <token label>]] [-pw <passwd>] -label <label> -dn <dist name> [-size <2048 | 1024 | 512>] -file <name> [-secondaryDB <filename> -secondaryDBpw <password>] [-fips] [-sigalg <md5 | sha1>]
  2. Verify that the certificate request was successfully created:
    1. View the contents of the certificate request file you created.
    2. Make sure the key database recorded the certificate request:
      gsk7cmd -certreq -list -db <filename> -pw <password>

      You should see the label listed that you just created.

  3. Send the newly-created file to a certificate authority.
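
The inspection in step 2 can be scripted so that a request with a weak key is caught before it is sent in step 3. This is an added example, not part of the IBM documentation: it assumes the request file is a PEM-encoded PKCS#10 request and that the OpenSSL command-line tool is installed, and the function names and the policy (2048-bit minimum, no MD5) are the example's own.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumes: the request file is a PEM-encoded
# PKCS#10 request with an RSA key, and the openssl command is installed.
# Policy values below (2048-bit minimum, no MD5) are this example's choice.

# Print the decoded request so each helper parses the same text.
csr_text() { openssl req -in "$1" -noout -text 2>/dev/null; }

# Public key size in bits, e.g. "2048"; empty if the file cannot be parsed.
csr_key_bits() {
    csr_text "$1" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Signature algorithm name, e.g. "sha1WithRSAEncryption".
csr_sig_alg() {
    csr_text "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_csr FILE [MIN_BITS]: return 0 only if the request passes the policy.
check_csr() {
    file=$1
    min_bits=${2:-2048}

    # The self-signature proves the requester holds the private key.
    # Match the message text: some openssl releases exit 0 even on failure.
    if ! openssl req -in "$file" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $file is not a readable request or its self-signature is bad"
        return 1
    fi

    bits=$(csr_key_bits "$file")
    alg=$(csr_sig_alg "$file")
    echo "subject: $(openssl req -in "$file" -noout -subject 2>/dev/null)"
    echo "key size: ${bits:-unknown} bits, signature: ${alg:-unknown}"

    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is smaller than $min_bits bits; recreate with -size 2048"
        return 1
    fi
    case $alg in
        md5*|MD5*) echo "FAIL: MD5 signature; recreate with -sigalg sha1"; return 1 ;;
    esac
    echo "OK: $file passes the checks"
}

# Stand-alone use: sh check_csr.sh <request file>
if [ "$#" -ge 1 ]; then check_csr "$@"; fi
```

A request created with the default key size of 1024 fails this check unless a lower minimum is passed as the second argument.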



Related concepts
Managing keys with the IKEYCMD command line interface (Distributed systems)


Last updated: Aug 31, 2013 6:08:30 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=ihs-dist&topic=tihs_keypair390
File name: tihs_keypair390.html