Create a self-signed certificate

A self-signed certificate lets you enable SSL sessions between clients and the server while you wait for the officially signed certificate to be returned from the certificate authority (CA). A public/private key pair is created during this process, and a self-signed X.509 certificate is generated in the identified key database. A self-signed certificate has the same issuer name as its subject name: it is signed with its own private key, so clients do not trust it unless the certificate itself is added to their truststore.


About this task

Use this procedure if you are acting as your own CA for a private Web network. Use the IKEYCMD command-line interface or the GSKCapiCmd tool to create a self-signed certificate.


Procedure

  • Create a self-signed certificate using the IKEYCMD command-line interface, as follows:
    install_root/bin/gskcmd -cert 
                            -create 
                            -db filename
                           [-pw password | -stashed] 
                            -size 2048 | 1024 | 512
                            -dn distinguished_name 
                            -label label 
                            -default_cert yes | no
                           [-san dnsname <DNS name value>[,<DNS name value>]]
                           [-san emailaddr <email address value>[,<email address value>]]
                           [-san ipaddr <IP address value>[,<IP address value>]]
                           [-ca true | false]

    where:

    • -cert specifies a self-signed certificate.

    • -create specifies a create action.

    • -db filename is the name of the database.

    • -pw password is the password to access the key database.

    • -stashed indicates that the password for the key database should be recovered from the stash file.

    • -dn distinguished_name indicates an X.500 distinguished name. Enter it as a quoted string in the following format (only CN, O, and C are required): CN=common_name,O=organization,OU=organization_unit,L=location,ST=state_or_province,C=country

      For example, CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US

    • -label label is a descriptive comment used to identify the key and certificate in the database.

    • -size 2048 | 1024 | 512 indicates a key size of 2048, 1024, or 512 bits. The default key size is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 and later. Choose 2048 whenever your GSKit level supports it: 512-bit RSA keys can be factored with modest resources, and 1024-bit keys no longer meet current minimum strength requirements.

    • -default_cert yes | no specifies whether this is the default certificate in the key database.

    • -san * <value>[,<value>] specifies subject alternative name (SAN) extensions in the certificate that tell SSL clients which alternate host names the certificate is valid for. Modern browsers match the requested host name against the SAN extension and ignore the CN, so list every host name by which the server is reached. These options are only valid if the following line is present in the ikminit.properties file: DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true. The * (asterisk) can have the following values:
      dnsname
      The value must be formatted using the preferred name syntax according to RFC 1034. For example, zebra.tek.ibm.com.
      emailaddr
      The value must be formatted as an addr-spec according to RFC 822. For example, myname@zebra.tek.ibm.com
      ipaddr
      The value is a string representing an IP address formatted according to RFC 1338 and RFC 1519. For example, 193.168.100.115
      The values of these options are accumulated into the subject alternative name extension of the generated certificate. If none of the options is used, the extension is not added to the certificate.

    • -ca true | false specifies the basic constraints extension of the self-signed certificate. The extension is added with CA:true and PathLen:<max int> if the value passed is true, and is not added if the value passed is false. Pass true only when the certificate is meant to sign other certificates (that is, when you act as your own CA): a certificate with CA:true can issue certificates for any name, so a certificate that only identifies a server should be created with -ca false.

  • Create a self-signed certificate using the GSKCapiCmd tool. GSKCapiCmd manages keys, certificates, and certificate requests within a CMS key database. It has all of the functionality of the existing GSKit Java™ command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases; if you plan to manage key databases of other types, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database, and it does not require Java to be installed on the system.
    install_root/bin/gskcapicmd -cert -create 
    [-db name]|[-crypto module_name -tokenlabel token_label]
    [-pw password | -stashed] -label label -dn dist_name 
    [-size 2048 | 1024 | 512] [-x509version 1 | 2 | 3] 
    [-default_cert yes | no] [-secondaryDB filename -secondaryDBpw password] [-ca true | false] [-fips] [-sigalg md5 | sha1| sha224 | sha256 | sha384 | sha512]

    Note: On Unix type operating systems it is recommended to always enclose string values associated with all tags in double quotes (""). You will also need to escape, using a '\' character, the following characters if they appear in the string values: '!', '\', '"', '`'. This prevents some command line shells from interpreting specific characters within these values (e.g. gsk7capicmd -keydb -create -db "/tmp/key.kdb" -pw "j\!jj"). Be aware that inside double quotes a POSIX shell removes the backslash only before '$', '`', '"' and '\'; a backslash before '!' is passed through to the tool, so the example above stores the password j\!jj rather than j!jj. If a value must contain '!', either enter it at the tool's prompt or run the command from a script, where interactive bash history expansion does not apply and the '!' needs no escaping. When prompted by gsk7capicmd for a value (for example a password), do not quote the string or add escape characters, because the shell is no longer influencing this input.
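    The following POSIX shell wrapper is an added example; it is not code from the IBM HTTP Server documentation or from GSKit. It assembles a gskcapicmd -cert -create command line from the procedure above, checking that the distinguished name carries the required CN, O and C attributes, that the key size is at least 2048 bits, and that the signature digest is sha224 or stronger, and it quotes values so that the tool receives them verbatim. Unlike the note above, it escapes only the characters a POSIX shell interprets inside double quotes (backslash, double quote, dollar, backquote) and leaves '!' alone, because a backslash before '!' is passed through to the tool. The GSKCAPICMD path, the key database path /tmp/key.kdb, the label websrv and the sample password are assumed placeholders.

```shell
#!/bin/sh
# Added example; not code from the IBM HTTP Server documentation or from GSKit.
# Wraps "gskcapicmd -cert -create" in checks a practitioner wants before
# creating a server certificate:
#   - the DN carries the required CN, O and C attributes;
#   - the RSA key size is at least 2048 bits (512/1024 are accepted by the
#     tool but are below current minimums);
#   - the signature digest is sha224 or stronger;
#   - values are quoted for the shell so the tool receives them verbatim.
# GSKCAPICMD, the key database path and the label are assumed placeholders.

GSKCAPICMD="${GSKCAPICMD:-/opt/IBM/HTTPServer/bin/gskcapicmd}"   # assumed install path

# gsk_escape VALUE
# Backslash-escape the characters a POSIX shell still interprets inside double
# quotes: backslash, double quote, dollar and backquote. '!' is not escaped,
# because the shell would pass the backslash through to the tool.
gsk_escape() {
    printf '%s\n' "$1" | sed -e 's/[\\"$`]/\\&/g'
}

# roundtrip VALUE: show that an escaped value survives shell evaluation intact.
roundtrip() {
    eval "printf '%s\n' \"$(gsk_escape "$1")\""
}

# dn_has_required DN
# Succeed only when CN=, O= and C= are all present; OU=, L= and ST= are optional.
# Attributes are expected comma-separated with no space after the comma, as in
# the documentation's example.
dn_has_required() {
    for attr in CN O C; do
        case ",$1" in
            *,"$attr"=*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# key_size_ok SIZE: numeric and at least 2048.
key_size_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2048 ]
}

# sigalg_ok ALG: accept only the SHA-2 digests the tool offers (md5/sha1 rejected).
sigalg_ok() {
    case "$1" in
        sha224|sha256|sha384|sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# build_cert_cmd DB PASSWORD LABEL DN SIZE SIGALG
# Validate the inputs and print the complete command line. Nothing is run here;
# the caller decides whether to eval it. -ca false keeps the basic constraints
# extension out of a server certificate; -x509version 3 allows extensions.
build_cert_cmd() {
    db=$1; pw=$2; label=$3; dn=$4; size=$5; sigalg=$6
    dn_has_required "$dn" || { echo "DN must contain CN=, O= and C=" >&2; return 1; }
    key_size_ok "$size"   || { echo "key size must be 2048 or larger" >&2; return 1; }
    sigalg_ok "$sigalg"   || { echo "use -sigalg sha224 or stronger" >&2; return 1; }
    printf '%s -cert -create -db "%s" -pw "%s" -label "%s" -dn "%s" -size %s -x509version 3 -default_cert yes -ca false -sigalg %s\n' \
        "$GSKCAPICMD" "$(gsk_escape "$db")" "$(gsk_escape "$pw")" \
        "$(gsk_escape "$label")" "$(gsk_escape "$dn")" "$size" "$sigalg"
}

# Build the command for the documentation's example DN and a constructed sample
# password containing '!'; run it only if gskcapicmd is actually installed.
cmd=$(build_cert_cmd /tmp/key.kdb 'j!jj' websrv \
      'CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US' \
      2048 sha256) || exit 1
echo "$cmd"
if [ -x "$GSKCAPICMD" ]; then
    eval "$cmd"
fi
```

    Run the script rather than pasting the printed command into an interactive bash session: in a script, history expansion is off, so a '!' in the password reaches the tool unchanged, and the eval reproduces exactly the arguments that build_cert_cmd validated.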

