Home
Creating a self-signed certificate
A self-signed certificate provides a certificate to enable SSL sessions between clients and the server, while waiting for the officially-signed certificate to be returned from the certificate authority (CA). A private and public key are created during this process. Creating a self-signed certificate generates a self-signed X509 certificate in the identified key database. A self-signed certificate has the same issuer name as its subject name.
Use this procedure if we are acting as our own CA for a private Web network. Use the ikeyman command-line interface or the GSKCapiCmd tool to create a self-signed certificate.
Create a self-signed certificate iKeyman
gsk7cmd -cert -create -db <filename> -pw <password> -size <1024 | 512> -dn <distinguished_name> -label label> -default_cert <yes | no> -expire <days>where:
-cert self-signed certificate. -create create action. -db <filename> name of the database. -pw <password> password to access the key database. -dn <distinguished_name> X.500 distinguished name. Input as a quoted string of the following format (Only CN, O, and C are required):
CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=countryFor example
"CN=portal1.setgetweb.com,O=setgetweb,OU=IHS,L=MSP,ST=MN,C=US"-label <label> descriptive comment used to identify the key and certificate in the database. -size key size 512 or 1024. -default_cert<yes | no> whether this is the default certificate in the key database. -expire <days> default validity period for new self-signed digital certificates is 365 days. The minimum is 1 day. The maximum is 7300 days (twenty years). For example...
c:/IBM/IHSv7/bin/gsk7cmd.bat -cert -create -db keydb2.kdb -pw password -size 512 -dn "CN=portal1.setgetweb.com,O=setgetweb,OU=IHS,L=MSP,ST=MN,C=US" -label "IHS_WAS7_SS_CERT" -default_cert yes -expire 365
Create a self-signed certificate using GSKCapiCmd
GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality that the existing GSKit Java command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases.
If we plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
gsk7capicmd -cert -create [-db <name>]| [-crypto <module name> -tokenlabel <token label>] [-pw <passwd>] -label <label> -dn <dist name> [-size <2048|1024|512>] [-x509version <1|2|3>] [-default_cert <yes|no>] [-expire <days>] [-secondaryDB <filename> -secondaryDBpw <password>] [-ca <true|false>] [-fips] [-sigalg<md5|sha1>]