Receiving a signed certificate from a certificate authority
This topic describes how to receive an electronically mailed certificate from a certificate authority (CA) that is designated as a trusted CA on your server. A certificate authority is a trusted third-party organization or company that issues digital certificates that are used to create digital signatures and public-private key pairs. By default, the following CA certificates are stored in the key database and marked as trusted CA certificates:
- Verisign Class 2 OnSite Individual CA
- Verisign International Server CA -- Class 3
- VeriSign Class 1 Public Primary CA -- G2
- VeriSign Class 2 Public Primary CA -- G2
- VeriSign Class 3 Public Primary CA -- G2
- VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
- VeriSign Class 2 CA Individual Subscriber-Persona Not Validated
- VeriSign Class 3 CA Individual Subscriber-Persona Not Validated
- RSA Secure Server CA (from RSA)
- Thawte Personal Basic CA
- Thawte Personal Freemail CA
- Thawte Personal Premium CA
- Thawte Premium Server CA
- Thawte Server CA
The certificate authority can send more than one certificate. In addition to the certificate for our server, the CA can also send additional signing certificates or intermediate CA certificates. For example, Verisign includes an intermediate CA certificate when sending a Global Server ID certificate. Before receiving the server certificate, receive any additional intermediate CA certificates. Follow the instructions in the Storing a CA certificate topic to receive intermediate CA certificates.
If the CA that issued your CA-signed certificate is not a trusted CA in the key database, store the CA certificate first and designate the CA as a trusted CA. Then we can receive our CA-signed certificate into the database. We cannot receive a CA-signed certificate from a CA that is not a trusted CA. For instructions, see Storing a certificate authority certificate.
Receive the CA-signed certificate into a key database using the IKEYCMD command-line interface:
gsk7cmd -cert -receive -file <filename> -db <filename> -pw <password> -format <ascii | binary> -label <label> -default_cert <yes | no>
where:
- -cert specifies a self-signed certificate.
- -receive specifies a receive action.
- -file <filename> is a file containing the CA certificate.
- -db <filename> is the name of the database.
- -pw <password> is the password to access the key database.
- -format <ascii | binary> specifies that the certificate authority might provide the CA certificate in either ASCII or binary format.
- -default_cert <yes | no> indicates whether this is the default certificate in the key database.
- -label specifies the label that is attached to a CA certificate.
- -trust indicates whether this CA can be trusted. Use the enable option when receiving a CA certificate.
Receive the CA-signed certificate into a key database using the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality that the existing GSKit Java command line tool has, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If we plan to manage key databases other than CMS or PKCS11, use the existing Java tool. We can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
gsk7capicmd -cert -receive -file <name> -db <name> [-crypto <module name> [-tokenlabel <token label>]] [-pw <passwd>] [-default_cert <yes|no>] [-fips]
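The trust-chain rule in this topic (store any intermediate CA certificate, and make sure the issuing CA is trusted, before receiving the server certificate) and the choice of -format can be checked outside the key database with the openssl CLI. The script below is an added example; it is not part of this documentation or of GSKit, and it does not call gsk7cmd. It assumes the openssl command is installed; the CA names, file names and working directory are constructed for the demonstration. Verifying with the intermediate passed as -untrusted stands in for having stored it in the key database, and verifying without it reproduces the failure seen when the server certificate is received first.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): uses the openssl CLI to
# show the two checks behind the topic above. All file names, subject names
# and the working directory are constructed here for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build a throwaway chain: root CA -> intermediate CA -> server certificate.
# The root stands in for a CA already marked trusted in the key database;
# the intermediate is the extra certificate a CA such as Verisign may send.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile inter.ext >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > server.ext
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 30 -extfile server.ext >/dev/null 2>&1

  # The same certificate in binary (DER) form, as a CA might mail it.
  openssl x509 -in server.pem -outform DER -out server.der
}

# verify_chain ROOT [INTERMEDIATE]: succeeds only if server.pem chains to ROOT.
# Passing the intermediate plays the role of having stored it in the key
# database before receiving the server certificate.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.pem 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" server.pem 2>/dev/null | grep -q ': OK$'
  fi
}

# detect_format FILE: prints "ascii" for a PEM file, "binary" otherwise,
# i.e. the value to give to -format when receiving the certificate.
detect_format() {
  if head -c 10 "$1" | grep -q '^-----BEGIN'; then
    echo ascii
  else
    echo binary
  fi
}

# issuer_of FILE: prints the issuer name, which must match a trusted CA
# (or a stored intermediate) before the certificate can be received.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_chain
echo "server.pem format: $(detect_format server.pem)"
echo "server.der format: $(detect_format server.der)"
echo "server.pem issuer: $(issuer_of server.pem)"
if verify_chain root.pem inter.pem; then
  echo "with intermediate stored:    chain verifies"
fi
if ! verify_chain root.pem; then
  echo "without intermediate stored: chain does not verify"
fi
```

The issuer printed by issuer_of is the name to look for among the trusted CA and intermediate certificates already in the key database; if it is absent, that certificate has to be stored first, as the topic describes.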
Related concepts
Manage keys with the IKEYCMD command line interface (Distributed systems)