A self-signed certificate lets you enable SSL sessions between clients
and the server while you wait for the officially signed certificate to be
returned from the certificate authority (CA). A private and public key are
created during this process. Creating a self-signed certificate
generates a self-signed X509 certificate in the identified key database. A
self-signed certificate has the same issuer name as its subject name.
About this task
Use this procedure if you are acting as your own CA for a private
Web network. Use the IKEYCMD command-line interface or the GSKCapiCmd tool
to create a self-signed certificate.
Procedure
- Create a self-signed certificate using the IKEYCMD command-line
interface, as follows:
gsk7cmd -cert -create -db <filename> -pw <password> -size <1024 | 512> -dn <distinguished_name>
-label <label> -default_cert <yes | no> -expire <days>
where:
- -cert specifies a self-signed certificate.
- -create specifies a create action.
- -db <filename> is the name of the database.
- -pw <password> is the password to access the key database.
- -dn <distinguished_name> indicates an X.500 distinguished
name. Enter it as a quoted string in the following format (only CN, O, and C
are required): CN=common_name, O=organization, OU=organization_unit, L=location,
ST=state, province, C=country
For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM
HTTP Server,L=RTP,ST=NC,C=US"
- -label <label> is a descriptive comment used to identify the
key and certificate in the database.
- -size specifies the key size 512 or 1024.
- -default_cert <yes | no> specifies whether this is the default
certificate in the key database.
- -expire <days> is the validity period, in days, of the new
self-signed digital certificate. The default is 365 days. The minimum is 1 day.
The maximum is 7300 days (twenty years).
- Create a self-signed certificate using the GSKCapiCmd tool.
GSKCapiCmd is a tool that manages keys, certificates, and certificate
requests within a CMS key database. The tool has all of the functionality
of the existing GSKit Java command-line tool, except that GSKCapiCmd supports
only CMS and PKCS11 key databases. If you plan to manage key databases other than
CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage
all aspects of a CMS key database. GSKCapiCmd does not require Java to be
installed on the system.
gsk7capicmd -cert -create [-db <name>] | [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>]
-label <label> -dn <dist name> [-size <2048|1024|512>] [-x509version <1|2|3>] [-default_cert <yes|no>]
[-expire <days>] [-secondaryDB <filename> -secondaryDBpw <password>] [-ca <true|false>] [-fips]
[-sigalg <md5|sha1>]
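
A pre-flight check for the gsk7cmd options described in the first step, as an added example that is not part of the original page or of the GSKit tooling: it rejects a DN that lacks CN, O or C, a key size the page does not list, and an -expire value outside 1 to 7300 days, then prints the command for review. The helper names, the key.kdb file name and the label are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for "gsk7cmd -cert -create" arguments.
# check_dn, check_expire and selfsigned_cmd are hypothetical helper names.

# Succeed only if the DN has the required CN, O and C attributes.
# Each name is anchored to the start of the DN or to a comma, so that
# "DC=example" is not mistaken for "C=" and "OU=" is not taken for "O=".
check_dn() {
    for attr in CN O C; do
        printf '%s\n' "$1" | grep -Eq "(^|,)[[:space:]]*${attr}=[^,]+" || {
            echo "DN lacks required attribute ${attr}" >&2
            return 1
        }
    done
}

# Succeed only if -expire is a whole number of days from 1 to 7300.
check_expire() {
    case "$1" in
        ''|*[!0-9]*|?????*) echo "expire must be 1-7300 days" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 7300 ] && return 0
    echo "expire must be 1-7300 days" >&2
    return 1
}

# usage: selfsigned_cmd DB DN LABEL SIZE EXPIRE_DAYS DEFAULT_CERT
# Prints the command for review. The password stays a placeholder here.
selfsigned_cmd() {
    check_dn "$2" || return 1
    check_expire "$5" || return 1
    case "$4" in
        512|1024) ;;   # the only sizes the page lists for gsk7cmd
        *) echo "size must be 512 or 1024" >&2; return 1 ;;
    esac
    case "$6" in
        yes|no) ;;
        *) echo "default_cert must be yes or no" >&2; return 1 ;;
    esac
    printf 'gsk7cmd -cert -create -db %s -pw <password> -size %s -dn "%s" -label "%s" -default_cert %s -expire %s\n' \
        "$1" "$4" "$2" "$3" "$6" "$5"
}

# Constructed sample input: key.kdb and the label are made up; the DN is
# the example DN from the page.
selfsigned_cmd key.kdb "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US" \
    selfsigned 1024 365 no
```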