Create a self-signed certificate
A self-signed certificate lets you enable SSL sessions between clients and the server while waiting for the officially signed certificate to be returned from the certificate authority (CA). The procedure creates a public/private key pair and a self-signed X.509 certificate in the specified key database. A self-signed certificate has the same issuer name as its subject name; because no CA vouches for it, clients will not trust it until the certificate is explicitly imported into their trust store.
Overview
Use this procedure if we are acting as our own CA for a private Web network. Either the IKEYCMD command-line interface (gsk7cmd) or the GSKCapiCmd tool (gsk7capicmd) can create the self-signed certificate.
Procedure
- Create a self-signed certificate using the IKEYCMD command-line interface, as follows:
gsk7cmd -cert -create -db <filename> -pw <password> -size <1024 | 512> -dn <distinguished_name> -label <label> -default_cert <yes | no> -expire <days>
where:
- -cert specifies a self-signed certificate.
- -create specifies a create action.
- -db <filename> is the name of the database.
- -pw <password> is the password to access the key database.
- -dn <distinguished_name> indicates an X.500 distinguished name. Input it as a quoted string of the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state_or_province, C=country
For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
- -label <label> is a descriptive comment used to identify the key and certificate in the database.
- -size specifies the key size in bits, 512 or 1024. Both sizes are considered too weak for RSA today; use 2048 bits where the tool allows it (gsk7capicmd accepts -size 2048).
- -default_cert <yes | no> specifies whether this is the default certificate in the key database.
- -expire <days> sets the validity period of the new self-signed certificate in days. The default is 365 days, the minimum is 1 day, and the maximum is 7300 days (twenty years).
- Create a self-signed certificate using the GSKCapiCmd tool. GSKCapiCmd manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If we plan to manage key databases other than CMS or PKCS11, use the existing Java tool. We can use GSKCapiCmd to manage all aspects of a CMS key database, and it does not require Java to be installed on the system.
gsk7capicmd -cert -create [-db <name>]|[-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -label <label> -dn <dist name> [-size <2048|1024|512>] [-x509version <1|2|3>] [-default_cert <yes|no>] [-expire <days>] [-secondaryDB <filename> -secondaryDBpw <password>] [-ca <true|false>] [-fips] [-sigalg <md5|sha1>]
Of the two signature algorithms offered, MD5 is broken and SHA-1 is deprecated for certificate signatures; choose sha1 if these are the only options, and replace the self-signed certificate with the CA-signed one as soon as it arrives. Note also that a password passed with -pw is visible to other users in the process list while the command runs.
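The command lines above are easy to get subtly wrong: a DN missing one of the required CN, O or C attributes, an -expire value outside 1..7300, or a 512-bit key. The following POSIX sh wrapper is an added example, not IBM's code and not part of the original page. It checks those inputs against the rules stated above and then runs gsk7capicmd, or prints the command it would have run when the tool is not on PATH. The key database name key.kdb, the label, the KDB_PW environment variable and the wrapper's function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): validate the inputs this page constrains
# before invoking gsk7capicmd. Assumptions: gsk7capicmd is on PATH on the
# real server, the key database already exists, and the key database
# password is supplied in the KDB_PW environment variable.

# dn_has_attr DN ATTR: true if "ATTR=value" is one comma-separated element
# of DN. Matching ",ATTR=" means ",O=" does not match ",OU=" and ",C=" does
# not match ",CN=".
dn_has_attr() {
    case ",$1," in
        *",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# dn_is_valid DN: CN, O and C are required; OU, L and ST are optional.
dn_is_valid() {
    dn_has_attr "$1" CN && dn_has_attr "$1" O && dn_has_attr "$1" C
}

# expire_is_valid DAYS: a whole number between 1 and 7300 inclusive.
expire_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 7300 ]
}

# size_is_valid BITS: 512 and 1024 are accepted (the tool allows them) but
# flagged as weak; 2048 is the size to use.
size_is_valid() {
    case "$1" in
        2048) return 0 ;;
        512|1024) echo "warning: $1-bit RSA is weak, prefer 2048" >&2; return 0 ;;
        *) return 1 ;;
    esac
}

# build_create_cmd DB LABEL DN DAYS BITS: print the gsk7capicmd command line.
# The password is left as the literal $KDB_PW so that it is expanded only
# when the command runs, not stored in this script or its output.
build_create_cmd() {
    db=$1 label=$2 dn=$3 days=$4 bits=$5
    dn_is_valid "$dn"       || { echo "DN must contain CN, O and C" >&2; return 1; }
    expire_is_valid "$days" || { echo "expire must be 1..7300 days" >&2; return 1; }
    size_is_valid "$bits"   || { echo "size must be 512, 1024 or 2048" >&2; return 1; }
    printf 'gsk7capicmd -cert -create -db "%s" -pw "$KDB_PW" -label "%s" -dn "%s" -size %s -x509version 3 -default_cert yes -expire %s -sigalg sha1\n' \
        "$db" "$label" "$dn" "$bits" "$days"
}

# create_self_signed DB LABEL DN DAYS BITS: validate, then run the tool if
# it is installed; otherwise show what would have run.
create_self_signed() {
    cmd=$(build_create_cmd "$@") || return 1
    if command -v gsk7capicmd >/dev/null 2>&1; then
        eval "$cmd"
    else
        echo "gsk7capicmd not found; would run: $cmd" >&2
    fi
}

# Usage (hypothetical values):
#   KDB_PW='...' create_self_signed key.kdb ihs-selfsigned \
#       "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US" 365 2048
```

The wrapper defaults to -x509version 3, -default_cert yes and -sigalg sha1, the strongest choices the listed options allow; change them if the server needs a non-default certificate or a version 1 certificate for an old client.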
Related concepts
Manage keys with the IKEYCMD command line interface (Distributed systems)