Receiving a signed certificate from a certificate authority

 


This topic describes how to receive an electronically mailed certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

By default, the following CA certificates are stored in the key database and marked as trusted CA certificates:

In addition to the certificate for your server, the CA can also send additional signing certificates or intermediate CA certificates.

Verisign requires an intermediate CA certificate, which it sends along with the Global Server ID certificate. Before receiving the server certificate, receive any additional intermediate CA certificates.

If the CA that is issuing your CA-signed certificate is not a trusted CA in the key database, first designate the CA as a trusted CA so that you can receive your CA-signed certificate into the database. You cannot receive a CA-signed certificate from a CA that is not a trusted CA.

 

Use gsk7cmd to receive CA-signed certificates

Receive the CA-signed certificate into a key database using the gsk7cmd command-line interface...

/IBM/IHS/bin/gsk7cmd -cert 
                     -receive 
                     -file <filename> 
                     -db <filename> 
                     -pw <password> 
                     -format <ascii | binary> 
                     -label <label> 
                     -default_cert <yes | no>

...where...

-cert: Specifies a self-signed certificate.
-receive: Specifies a receive action.
-file <filename>: Specifies the file containing the CA certificate.
-db <filename>: Specifies the name of the database.
-pw <password>: Specifies the password to access the key database.
-format <ascii | binary>: The certificate authority might provide the CA certificate in either ASCII or binary format.
-default_cert <yes | no>: Indicates whether this is the default certificate in the key database.
-label: Specifies the label that is attached to a CA certificate.
-trust: Indicates whether a CA can be trusted. Use the enable option when receiving a CA certificate.
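
As an added example (not part of the original IBM topic), the following shell functions apply the order described above: intermediate CA certificates go into the key database first, then the CA-signed server certificate is received, with -format chosen from each file's contents. GSKCMD, KEYDB, KEYDB_PW and the labels are assumptions, as is storing intermediates with gsk7cmd's -cert -add action and -trust enable, which this page does not show.

```sh
#!/bin/sh
# Added example, not IBM's code. GSKCMD, KEYDB and KEYDB_PW are assumed to be
# set by the caller; labels are hypothetical. Storing intermediates with
# "-cert -add ... -trust enable" is an assumption: this page does not show it.
GSKCMD="${GSKCMD:-/IBM/IHS/bin/gsk7cmd}"

# Print the -format value for a certificate file: "ascii" for PEM text,
# "binary" for DER (which starts with the ASN.1 SEQUENCE tag 0x30).
cert_format() {
    [ -r "$1" ] || return 1
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo ascii
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo binary
    else
        return 1
    fi
}

# receive_chain SERVER_CERT LABEL [INTERMEDIATE_CA_CERT ...]
# Returns 2 before touching the key database if any file is not a certificate,
# 3 if storing an intermediate fails, 4 if receiving the server cert fails.
receive_chain() {
    server=$1
    label=$2
    shift 2
    for f in "$server" "$@"; do
        cert_format "$f" >/dev/null || {
            echo "not a readable certificate file: $f" >&2
            return 2
        }
    done
    n=0
    for ca in "$@"; do      # intermediates go in before the server certificate
        n=$((n + 1))
        # -pw puts the password on the command line, where it is visible in
        # the process list for as long as the command runs.
        "$GSKCMD" -cert -add -db "$KEYDB" -pw "$KEYDB_PW" \
            -label "$label intermediate CA $n" -format "$(cert_format "$ca")" \
            -trust enable -file "$ca" || return 3
    done
    "$GSKCMD" -cert -receive -file "$server" -db "$KEYDB" -pw "$KEYDB_PW" \
        -format "$(cert_format "$server")" -label "$label" \
        -default_cert no || return 4
}
```

Because every file is checked before the first gsk7cmd call, a mislabelled or truncated attachment from the CA is rejected without leaving the key database half updated.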

 

Receive the CA-signed certificate into a key database using GSKCapiCmd

GSKCapiCmd manages...

...within a CMS key database. GSKCapiCmd has all of the functionality that the existing GSKit Java command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases.

If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool.

You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.

/IBM/IHS/bin/gsk7capicmd -cert 
                         -receive 
                         -file <name> 
                         -db <name> 
                         [-crypto <module name> 
                         [-tokenlabel <token label>]]
                         [-pw <passwd>]
                         [-default_cert <yes|no>]
                         [-fips]


 

Related concepts

Managing keys with the gsk7cmd command line interface (Distributed systems)