
Creating a new key pair and certificate request

Key pairs and certificate requests are stored in a key database. This topic describes how to create a key pair and certificate request.

Create a public and private key pair and certificate request using the gsk7cmd command-line interface or the GSKCapiCmd tool:

  1. Use the gsk7cmd command-line interface. Enter the following command (as one line):

    /IBM/IHS/bin/gsk7cmd -certreq -create -db <filename> -pw <password> -label <label> -dn <distinguished_name> -size <1024 | 512> -file <filename>
    where:

    • -certreq specifies a certificate request.

    • -create specifies a create action.

    • -db <filename> specifies the name of the database.

    • -pw <password> is the password to access the key database.

    • -label <label> indicates the label attached to the certificate or certificate request.

    • -dn <distinguished_name> indicates an X.500 distinguished name. Enter it as a quoted string in the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=country

      For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"

    • -size <1024 | 512> indicates a key size of 512 or 1024.

    • -file <filename> is the name of the file where the certificate request will be stored.

    Alternatively, use the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java™ command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.

    /IBM/IHS/bin/gsk7capicmd -certreq -create -db <name> [-crypto <module name> [-tokenlabel <token label>]]
    [-pw <passwd>] -label <label> -dn <dist name> [-size <2048 | 1024 | 512>] -file <name>
    [-secondaryDB <filename> -secondaryDBpw <password>] [-fips] [-sigalg <md5 | sha1>]

  2. Verify that the certificate request was successfully created:

    1. View the contents of the certificate request file you created.

    2. Verify the key database recorded the certificate request:

      /IBM/IHS/bin/gsk7cmd -certreq -list -db <filename> -pw <password>

      You should see the label listed that you just created.

  3. Send the newly created file to a certificate authority.
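
Step 2 asks you to view the request file before sending it. The following added example (not part of the IBM documentation) does that check with OpenSSL and flags the 512- and 1024-bit key sizes and the md5/sha1 signature algorithms that the commands above accept, none of which are considered adequate today. It assumes OpenSSL is installed and that the request file is PEM-encoded PKCS#10 with an RSA key; the function names and the 2048-bit minimum are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the IBM page. Assumptions: OpenSSL is installed, the
# request file is PEM-encoded PKCS#10 with an RSA key, and MIN_RSA_BITS is this
# example's own policy value.
MIN_RSA_BITS=2048

# Reads `openssl req -noout -text` output on stdin and prints findings.
# Returns 0 if acceptable, 1 if weak, 2 if the text cannot be parsed.
check_csr_text() {
    text=$(cat)
    # Key size line, e.g. "Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # Signature line, e.g. "Signature Algorithm: sha256WithRSAEncryption"
    sig=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sig" ]; then
        echo "UNPARSED: key size or signature algorithm not found"
        return 2
    fi
    rc=0
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK: ${bits}-bit key (minimum ${MIN_RSA_BITS})"
        rc=1
    fi
    case "$sig" in
        md5*|MD5*|sha1*|SHA1*)
            echo "WEAK: signature algorithm ${sig}"
            rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: ${bits}-bit key, ${sig}"; fi
    return "$rc"
}

# Checks the request's self-signature, then applies the policy above.
# The "verify OK" message is matched instead of relying on the exit status.
check_csr_file() {
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "INVALID: self-signature check failed for $1"
        return 2
    fi
    openssl req -in "$1" -noout -text | check_csr_text
}

# Usage: sh check_csr.sh <request_file>
if [ "$#" -eq 1 ]; then check_csr_file "$1"; fi
```

A nonzero exit status means the request should be regenerated with a larger -size value (and, where the tool allows it, a stronger signature algorithm) before it goes to the certificate authority.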


 

Related concepts

Managing keys with the gsk7cmd command line interface (Distributed systems)