A self-signed certificate enables SSL sessions between clients and the
server while you wait for the officially signed certificate to be
returned from the certificate authority (CA). A private and public key
pair is created during this process. Creating a self-signed certificate
generates a self-signed X509 certificate in the identified key database.
A self-signed certificate has the same issuer name as its subject name.
About this task
Use this procedure if you are acting as your own CA for a
private Web network. Use the IKEYCMD command-line interface or the
GSKCapiCmd tool to create a self-signed certificate.
Procedure
- Create a self-signed certificate using the IKEYCMD command-line
interface, as follows:
gskcmd -cert -create -db <filename> -pw <password> -size <2048 | 1024 | 512> -dn <distinguished_name>
-label <label> -default_cert <yes | no> -expire <days> -san dnsname <DNS name value>[,<DNS name value>]
-san emailaddr <email address value>[,<email address value>]
-san ipaddr <IP address value>[,<IP address value>] [-ca <true | false>]
where:
- -cert specifies a self-signed certificate.
- -create specifies a create action.
- -db <filename> is the name of the database.
- -pw <password> is the password to access
the key database.
- -dn <distinguished_name> indicates an
X.500 distinguished name. Input as a quoted string of the following
format (only CN, O, and C are required): CN=common_name, O=organization,
OU=organization_unit, L=location, ST=state/province, C=country
For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP
Server,L=RTP,ST=NC,C=US"
- -label <label> is a descriptive comment
used to identify the key and certificate in the database.
- -size <2048 | 1024 | 512> indicates a key
size of 2048, 1024, or 512. The default key size is 1024. The 2048
key size is available if you are using Global Security Kit (GSKit)
Version 7.0.4.14 and later.
- -default_cert <yes | no> specifies whether
this is the default certificate in the key database.
- -expire <days> indicates the validity period of the new self-signed
digital certificate in days. The default is 365 days. The minimum
is 1 day. The maximum is 7300 days (twenty years).
- -san * <subject alternate name attribute value>[,<subject alternate name attribute value>]
specifies the subject alternate name extensions in the certificate request
that inform SSL clients of alternate hostnames that correspond to the signed
certificate.
These options are only valid if the following line is entered in the
ikminit.properties file: DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true
The * (asterisk) can have the following values:
- dnsname: the value must be formatted using the "preferred name syntax"
according to RFC 1034, for example zebra.tek.ibm.com.
- emailaddr: the value must be formatted as an "addr-spec" according to
RFC 822, for example myname@zebra.tek.ibm.com.
- ipaddr: the value is a string representing an IP address formatted
according to RFC 1338 and RFC 1519, for example 193.168.100.115.
The values of these options are accumulated into the
subject alternate name extended attribute of the generated certificate.
If the options are not used then this extended attribute is not added
to the certificate.
- -ca <true | false> specifies the basic constraint extension of the
self-signed certificate. The extension is added with CA:true and
PathLen:<max int> if the value passed is true, and is not added if the
value passed is false.
- Create a self-signed certificate using the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate
requests within a CMS key database. The tool has all of the functionality
that the existing GSKit Java command
line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases.
If you plan to manage key databases other than CMS or PKCS11, use
the existing Java tool. You can use GSKCapiCmd
to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
gskcapicmd -cert -create [-db <name>]|[-crypto <module name> -tokenlabel <token label>] [-pw <passwd>]
-label <label> -dn <dist name> [-size <2048|1024|512>] [-x509version <1|2|3>] [-default_cert <yes|no>]
[-expire <days>] [-secondaryDB <filename> -secondaryDBpw <password>] [-ca <true|false>] [-fips]
[-sigalg <md5|sha1|sha224|sha256|sha384|sha512>]
Note: On Unix type operating systems it is recommended to always
encapsulate string values associated with all tags in double quotes
(""). You will also need to escape, using a '\' character, the following
characters if they appear in the string values: '!', '\', '"', '`'.
This will prevent some command line shells from interpreting specific
characters within these values (e.g. gsk7capicmd -keydb -create -db
"/tmp/key.kdb" -pw "j\!jj"). Note, however, that when prompted by
gsk7capicmd for a value (for example, a password), you should not quote
the string or add the escape characters, because the shell is no longer
influencing this input.
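The following shell script is an added example and is not part of the IBM documentation or of the GSKit tools. It assembles a gskcapicmd self-signed certificate command from the syntax above, applies the escaping rule from the note (a backslash before !, \, " and `) to every double-quoted value, and refuses to build the command when the -dn lacks the required CN, O and C attributes or when -expire is outside 1 to 7300 days. The key database path, password, label and DN are constructed sample values. The options -size 2048 (available with GSKit 7.0.4.14 and later, per the text above), -sigalg sha256, -x509version 3 (the subject alternate name and basic constraint extensions are X.509 version 3 features) and -ca false (a server certificate should not assert CA:true) are choices made here, not defaults of the tool. The script only prints the command; it never runs gskcapicmd.

```shell
#!/bin/sh
# Added example, not IBM or GSKit code: build and sanity-check a gskcapicmd
# "-cert -create" command line before it is typed into a Unix shell.
set -e

# Escape the characters listed in the documentation note (! \ " `) so the
# value survives being placed inside double quotes on the command line.
# The backslash is part of the character class, so it is escaped too.
gsk_escape() {
    printf '%s' "$1" | sed 's/[\\!"`]/\\&/g'
}

# The DN must carry CN, O and C (the documented required attributes).
# Expects the documented form with no spaces after the commas,
# for example "CN=host,O=Org,C=US".
dn_has_required() {
    for attr in CN O C; do
        case ",$1," in
            *",$attr="*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# -expire must be an integer between 1 and 7300 days (documented limits).
expire_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 7300 ]; then
        return 0
    fi
    return 1
}

# Assemble the gskcapicmd invocation from the documented syntax.
# Arguments: key database file, password, label, distinguished name, days.
# Prints the command on success; prints nothing and returns 1 when the DN
# or the validity period would be rejected.
build_selfsigned_cmd() {
    db=$1; pw=$2; label=$3; dn=$4; days=$5
    dn_has_required "$dn" || return 1
    expire_in_range "$days" || return 1
    printf 'gskcapicmd -cert -create -db "%s" -pw "%s" -label "%s" -dn "%s" -size 2048 -x509version 3 -default_cert yes -expire %s -ca false -sigalg sha256\n' \
        "$(gsk_escape "$db")" "$(gsk_escape "$pw")" \
        "$(gsk_escape "$label")" "$(gsk_escape "$dn")" "$days"
}

# Constructed sample values; the password deliberately contains '!' so the
# escaping from the note is visible in the output.
SAMPLE_CMD=$(build_selfsigned_cmd /tmp/key.kdb 'j!jj' 'ihs-selfsigned' \
    'CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US' 365)
printf '%s\n' "$SAMPLE_CMD"
```

Running the script prints the command with the password rendered as "j\!jj", matching the note's example; copy that line into the shell rather than typing the raw values. If gskcapicmd prompts for the password instead, enter it unquoted and unescaped, as the note says.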