A self-signed certificate enables SSL sessions between clients and
the server while you wait for the officially signed certificate to be
returned from the certificate authority (CA). A private and public key
are created during this process.
Creating a self-signed certificate generates a self-signed X509 certificate
in the identified key database. A self-signed certificate has the
same issuer name as its subject name.
About this task
Use this procedure if you are acting as your own CA for a
private Web network. Use the IKEYCMD command-line interface or the
GSKCapiCmd tool to create a self-signed certificate.
Procedure
- Create a self-signed certificate using the IKEYCMD command-line
interface, as follows:
gsk7cmd -cert -create -db <filename> -pw <password> -size <2048 | 1024 | 512> -dn <distinguished_name>
-label <label> -default_cert <yes | no> -expire <days>
where:
- -cert specifies a self-signed certificate.
- -create specifies a create action.
- -db <filename> is the name of the database.
- -pw <password> is the password to access the key database.
- -dn <distinguished_name> indicates an X.500 distinguished
name. Input as a quoted string of the following format (only CN, O,
and C are required): CN=common_name, O=organization, OU=organization_unit,
L=location, ST=state, province, C=country
For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM
HTTP Server,L=RTP,ST=NC,C=US"
- -label <label> is a descriptive comment used to identify
the key and certificate in the database.
- -size specifies the key size 2048, 1024, or 512. The
default key size is 1024. The 2048 key size is available if you are
using Global Security Kit (GSKit) Version 7.0.4.14 and later.
- -default_cert <yes | no> specifies whether this is the
default certificate in the key database.
- -expire <days> indicates the validity period, in days, of the
new self-signed digital certificate. The default is 365 days. The minimum
is 1 day. The maximum is 7300 days (twenty years).
- Create a self-signed certificate using the GSKCapiCmd tool.
GSKCapiCmd is a tool that manages keys, certificates, and certificate
requests within a CMS key database. The tool has all of the functionality
that the existing GSKit Java command-line tool has, except that GSKCapiCmd
supports only CMS and PKCS11 key databases. If you plan to manage key databases
other than CMS or PKCS11, use the existing Java tool. You can use
GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd
does not require Java to be installed on the system.
gsk7capicmd -cert -create [-db <name>]|[-crypto <module name> -tokenlabel <token label>][-pw <passwd>]
-label <label> -dn <dist name> [-size <2048|1024|512>][-x509version <1|2|3>][-default_cert <yes|no>]
[-expire <days>][-secondaryDB <filename> -secondaryDBpw <password>] [-ca <true|false>][-fips]
[-sigalg <md5|sha1>]
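
The IKEYCMD invocation from the first step, as an added example that is not part of the original documentation: a shell wrapper that checks the arguments against the limits stated above (CN, O and C present in the DN; -size of 2048, 1024 or 512; -expire between 1 and 7300 days) and prints the resulting gsk7cmd command. The function names, the file name key.kdb, the label, and the 2048-bit policy floor are assumptions of this example.

```shell
#!/bin/sh
# Added example: check arguments against the limits documented on this page,
# then print the gsk7cmd command line. Function names are illustrative.

# Local policy floor for -size (an assumption added here, not a GSKit limit).
MIN_KEY_SIZE=${MIN_KEY_SIZE:-2048}

# dn_has_attr DN ATTR: succeeds if a comma-separated DN component is ATTR=value.
dn_has_attr() {
    old_ifs=$IFS; IFS=,; set -f
    for part in $1; do
        part=${part#"${part%%[! ]*}"}        # strip leading spaces
        case $part in
            "$2="?*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# selfsigned_cmd DB LABEL DN SIZE DAYS: prints the command, or returns 1.
selfsigned_cmd() {
    db=$1 label=$2 dn=$3 size=$4 days=$5
    for attr in CN O C; do                   # only CN, O and C are required
        dn_has_attr "$dn" "$attr" ||
            { echo "DN is missing required $attr=" >&2; return 1; }
    done
    case $size in
        2048|1024|512) ;;
        *) echo "-size must be 2048, 1024 or 512" >&2; return 1 ;;
    esac
    [ "$size" -ge "$MIN_KEY_SIZE" ] ||
        { echo "-size $size is below policy minimum $MIN_KEY_SIZE" >&2; return 1; }
    case $days in                            # digits only, at most four of them
        ''|*[!0-9]*|?????*) echo "-expire must be 1 to 7300 days" >&2; return 1 ;;
    esac
    [ "$days" -ge 1 ] && [ "$days" -le 7300 ] ||
        { echo "-expire must be 1 to 7300 days" >&2; return 1; }
    printf 'gsk7cmd -cert -create -db %s -pw <password> -size %s -dn "%s" -label "%s" -default_cert no -expire %s\n' \
        "$db" "$size" "$dn" "$label" "$days"
}

# Constructed sample values: key.kdb and the label; the DN is the page's example.
selfsigned_cmd key.kdb selfsigned \
    "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US" 2048 365
```

The printed command keeps the <password> placeholder, so the key database password is supplied when the command is run rather than stored in the script.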