Create a new key pair and certificate request


Key pairs and certificate requests are stored in a key database. This topic describes how to create a key pair and certificate request.

 

Overview

Create a public and private key pair and certificate request using the IKEYCMD command-line interface or GSKCapiCmd tool, as follows:

 

Procedure

  1. Use the IKEYCMD command-line interface. Enter the following command (as one line):

    gsk7cmd -certreq -create -db <filename> -pw <password> -label <label> -dn <distinguished_name> -size <1024 | 512> -file <filename>
    
    
    where:

    • -certreq specifies a certificate request.

    • -create specifies a create action.

    • -db <filename> specifies the name of the database.

    • -pw <password> is the password to access the key database.

    • -label <label> indicates the label attached to the certificate or certificate request.

    • -dn <distinguished_name> indicates an X.500 distinguished name. Enter it as a quoted string in the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=country

      For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"

    • -size <1024 | 512> indicates a key size of 512 or 1024.

    • -file <filename> is the name of the file where the certificate request will be stored.

    Alternatively, use the GSKCapiCmd tool. GSKCapiCmd manages keys, certificates, and certificate requests within a CMS key database. It has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. To manage key databases other than CMS or PKCS11, use the existing Java tool. GSKCapiCmd can manage all aspects of a CMS key database and does not require Java to be installed on the system.

    gsk7capicmd -certreq -create -db <name> [-crypto <module name> [-tokenlabel <token label>]]
    [-pw <passwd>] -label <label> -dn <dist name> [-size <2048 | 1024 | 512>] -file <name>
    [-secondaryDB <filename> -secondaryDBpw <password>] [-fips] [-sigalg <md5 | sha1>]
    
    

  2. Verify that the certificate request was successfully created:

    1. View the contents of the certificate request file we created.

    2. Make sure the key database recorded the certificate request:

      gsk7cmd -certreq -list -db <filename> -pw <password>
      
      

      The label we just created should appear in the list.

  3. Send the newly-created file to a certificate authority.
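
A pre-flight check for the -dn and -size arguments in step 1, added here as an example and not taken from the product documentation: it enforces the required CN, O and C attributes, flags key sizes below 2048 bits, and builds the argument list without running the tool. The function names, file names, label and password are constructed for illustration.

```python
import re

REQUIRED = ("CN", "O", "C")                  # required per the page
ALLOWED = ("CN", "O", "OU", "L", "ST", "C")  # attribute types in the page's DN format
SIZES = {"gsk7cmd": (1024, 512),             # -size values in each synopsis on the page
         "gsk7capicmd": (2048, 1024, 512)}


def parse_dn(dn):
    """Split a DN string into ordered (type, value) pairs and validate it."""
    pairs = []
    # Split only on commas that are not backslash-escaped ("O=Example\, Inc").
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        if attr not in ALLOWED:
            raise ValueError(f"unexpected attribute type: {attr!r}")
        pairs.append((attr, value))
    missing = [a for a in REQUIRED if a not in {p[0] for p in pairs}]
    if missing:
        raise ValueError("missing required attribute(s): " + ", ".join(missing))
    return pairs


def build_certreq_argv(db, password, label, dn, size, out_file, tool="gsk7cmd"):
    """Return (argv, warnings) for the -certreq -create call shown on the page."""
    if tool not in SIZES or size not in SIZES[tool]:
        raise ValueError(f"unsupported tool/size combination: {tool} {size}")
    warnings = []
    if size < 2048:
        warnings.append(f"{size}-bit key is below 2048 bits and is considered weak")
    normalized = ",".join(f"{a}={v}" for a, v in parse_dn(dn))
    # An argv list (not a shell string) keeps spaces or metacharacters in the
    # DN, label or password from being re-interpreted by a shell.
    argv = [tool, "-certreq", "-create", "-db", db, "-pw", password,
            "-label", label, "-dn", normalized, "-size", str(size),
            "-file", out_file]
    return argv, warnings


if __name__ == "__main__":
    # Constructed sample values; the DN is the example string from the page.
    argv, notes = build_certreq_argv(
        "key.kdb", "example-password", "web1",
        "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US",
        1024, "certreq.arm")
    print(argv, notes)
```

The returned list can be passed to subprocess.run as is; with gsk7capicmd and a size of 2048 the warnings list comes back empty.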




 

Related concepts



Manage keys with the IKEYCMD command line interface (Distributed systems)