Key pairs and certificate requests are stored in a key database. This topic describes how to create a key pair and a certificate request.
About this task
Create a public and private key pair and certificate request using the gskcapicmd command-line interface or the GSKCapiCmd tool, as follows:
Procedure
- Use the gskcapicmd command-line interface. Enter the following command (as one line):
<ihsinst>/bin/gskcapicmd -certreq -create -db <name> [-crypto <module name> [-tokenlabel <token label>]] [-pw <passwd>] -label <label> -dn <dist name> [-size <2048 | 1024 | 512>] -file <name> [-secondaryDB <filename> -secondaryDBpw <password>] [-fips] [-sigalg <md5 | sha1 | sha224 | sha256 | sha384 | sha512>]
where:
- -certreq specifies a certificate request.
- -create specifies a create action.
- -db <filename> specifies the name of the key database.
- -pw <password> is the password to access the key database. A password passed on the command line is visible to other users of the system in the process list while the command runs.
- -label <label> indicates the label attached to the certificate or certificate request.
- -dn <distinguished_name> indicates an X.500 distinguished name. Input it as a quoted string of the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state_or_province, C=country
Note: For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
- -size <2048 | 1024 | 512> indicates a key size of 2048, 1024, or 512 bits. The default key size is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 and later. Specify -size 2048 explicitly: public certificate authorities no longer sign requests for 1024-bit or 512-bit RSA keys, and current browsers reject such certificates.
- -sigalg <md5 | sha1 | sha224 | sha256 | sha384 | sha512> selects the hash algorithm used to sign the request. Choose sha256 or stronger; md5 and sha1 remain accepted by the tool for compatibility, but certificates signed with them are rejected by current browsers.
- -file <filename> is the name of the file where the certificate request will be stored.
- -san_* <subject alternate name attribute value> specifies a subject alternate name extension in the certificate request that informs SSL clients of alternate host names that correspond to the signed certificate. These options are only valid if the following line is entered in the ikminit.properties file:
DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true
The * (asterisk) can have the following values:
- dnsname: The value must be formatted using the "preferred name syntax" according to RFC 1034, for example zebra.tek.ibm.com.
- emailaddr: The value must be formatted as an "addr-spec" according to RFC 822, for example myname@zebra.tek.ibm.com.
- ipaddr: The value is a string representing an IP address formatted according to RFC 1338 and RFC 1519, for example 193.168.100.115.
The values of these options are accumulated into the subject alternate name extended attribute of the generated certificate. If the options are not used, this extended attribute is not added to the certificate. Current clients match the host name against the subject alternate name extension rather than the CN, so include every host name the server answers for, including the one given in the CN.
- -ca <true | false> specifies the basic constraint extension to the
self-signed certificate. The extension is added with a CA:true and
PathLen:<max int> if the value passed is true or not added if the value
passed is false.
- Use the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
- Verify that the certificate request was successfully created:
- View the contents of the certificate request file you created. It should contain a single PEM-encoded (Base64) request block between BEGIN and END delimiter lines.
- Ensure that the key database recorded the certificate request:
<ihsinst>/bin/gskcapicmd -certreq -list -db <filename> -pw <password>
You should see the label that you just created in the list.
- Send the newly created file to a certificate authority.
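The whole procedure, scripted as an added example (this is not IBM's code and not part of the original page). It checks the DN for the three required RDNs before calling the tool, pins the key size and signature hash to values a CA will accept, and implements the two verification checks as functions that can run without gskcapicmd installed. Assumed, and not taken from the page: the install root /opt/IBM/HTTPServer, the key database path, the label, DN and host names, the comma-separated value form of -san_dnsname, and the shape of the "-certreq -list" output handed to label_in_list.

```shell
#!/bin/sh
# Added example wrapping the gskcapicmd -certreq -create procedure.
# Assumptions (not from the page): install root, key.kdb path, label/DN/host
# names, comma-separated -san_dnsname values, and the listing output format.

IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"   # <ihsinst>; assumed location
GSKCAPICMD="$IHS_ROOT/bin/gskcapicmd"

# The page states that CN, O and C are required in -dn. Check that before
# invoking the tool; optional spaces after commas are tolerated.
dn_has_required_rdns() {
    _dn=$(printf '%s' "$1" | sed 's/, */,/g')
    for _rdn in CN O C; do
        case ",$_dn" in
            *",$_rdn="*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Assemble the -certreq -create command line. Key size and signature hash are
# pinned to 2048 and sha256 on purpose: the tool defaults to 1024-bit keys and
# still accepts md5/sha1, none of which a public CA will sign today.
# $5 is a space-separated list of host names, emitted as one comma-separated
# -san_dnsname value (assumed syntax). The password stays as the literal text
# "$KDB_PW" so it is only expanded when the command is eval'd.
build_certreq_cmd() {
    _db=$1; _label=$2; _dn=$3; _out=$4; _sans=$5
    dn_has_required_rdns "$_dn" || { echo "DN must contain CN, O and C: $_dn" >&2; return 1; }
    _cmd="$GSKCAPICMD -certreq -create -db \"$_db\" -pw \"\$KDB_PW\" -label \"$_label\""
    _cmd="$_cmd -dn \"$_dn\" -size 2048 -sigalg sha256 -file \"$_out\""
    if [ -n "$_sans" ]; then
        _cmd="$_cmd -san_dnsname $(printf '%s' "$_sans" | tr -s ' ' ',')"
    fi
    printf '%s\n' "$_cmd"
}

# Verification step 1: the request file must be a PEM-encoded CSR. Both the
# "CERTIFICATE REQUEST" and "NEW CERTIFICATE REQUEST" delimiters are accepted.
csr_file_looks_valid() {
    grep -qE '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$' "$1" &&
    grep -qE '^-----END (NEW )?CERTIFICATE REQUEST-----$' "$1"
}

# Verification step 2: the label must appear as its own line (ignoring
# surrounding whitespace) in the "-certreq -list" output, which is passed in
# as text so the check can run without the tool.
label_in_list() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# Constructed demonstration inputs.
KDB="$IHS_ROOT/conf/key.kdb"
LABEL=ihs-web
DN="CN=www.example.com,O=Example Corp,OU=Web,L=Raleigh,ST=NC,C=US"
REQ=./www.example.com.csr

# Run the real procedure only where the tool is installed and KDB_PW is set.
if [ -x "$GSKCAPICMD" ] && [ -n "$KDB_PW" ]; then
    CMD=$(build_certreq_cmd "$KDB" "$LABEL" "$DN" "$REQ" "www.example.com example.com") || exit 1
    eval "$CMD" || exit 1
    csr_file_looks_valid "$REQ" || { echo "$REQ is not a PEM certificate request" >&2; exit 1; }
    LISTING=$("$GSKCAPICMD" -certreq -list -db "$KDB" -pw "$KDB_PW")
    label_in_list "$LISTING" "$LABEL" || { echo "label $LABEL not recorded in $KDB" >&2; exit 1; }
    echo "$REQ is ready to send to the certificate authority"
fi
```

Run it with KDB_PW exported on a host where gskcapicmd exists; elsewhere only the helper functions are defined, which is enough to unit-test the DN check and the two verification checks against constructed input.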