[AIX HP-UX Linux Solaris Windows]

Creating a new key pair and certificate request

Key pairs and certificate requests are stored in a key database. This topic describes how to create a key pair and a certificate request.

About this task

Create a public and private key pair and a certificate request using either the gsk7cmd command-line interface or the GSKCapiCmd tool, as follows:

Procedure

  1. Use the gsk7cmd command-line interface. Enter the following command (as one line):
    <ihsinst>/bin/gsk7cmd -certreq -create -db <filename> -pw <password> -label <label> -dn <distinguished_name> -size <2048 | 1024 | 512> -file <filename> -san_dnsname <DNS name value>[,<DNS name value>] -san_emailaddr <email address value>[,<email address value>] -san_ipaddr <IP address value>[,<IP address value>]
    where:
    • -certreq specifies a certificate request.
    • -create specifies a create action.
    • -db <filename> specifies the name of the key database.
    • -pw <password> is the password to access the key database.
    • -label <label> indicates the label attached to the certificate or certificate request.
    • -dn <distinguished_name> indicates an X.500 distinguished name. Input it as a quoted string of the following format (only CN, O, and C are required): CN=common_name, O=organization, OU=organization_unit, L=location, ST=state_or_province, C=country
      Note: For example, "CN=weblinux.raleigh.ibm.com,O=IBM,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
    • -size <2048 | 1024 | 512> indicates a key size of 2048, 1024, or 512 bits. The default key size is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 or later.
    • -file <filename> is the name of the file where the certificate request will be stored.
    • -san_* <subject alternate name attribute value>[,<subject alternate name attribute value>] specifies the subject alternate name extensions in the certificate request. These extensions inform SSL clients of alternate host names that correspond to the signed certificate.
      These options are only valid if the following line is present in the ikminit.properties file: DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true. The * (asterisk) can be one of the following values:
      dnsname
      The value must be formatted using the "preferred name syntax" according to RFC 1034, for example zebra.tek.ibm.com.
      emailaddr
      The value must be formatted as an "addr-spec" according to RFC 822, for example myname@zebra.tek.ibm.com.
      ipaddr
      The value is a string representing an IP address formatted according to RFC 1338 and RFC 1519, for example 193.168.100.115.
      The values of these options are accumulated into the subject alternate name extended attribute of the generated certificate. If none of these options is used, the extended attribute is not added to the certificate.
    • -ca <true | false> specifies the basic constraint extension for the self-signed certificate. The extension is added with CA:true and PathLen:<max int> if the value passed is true, and is not added if the value passed is false.
    Alternatively, use the GSKCapiCmd tool. GSKCapiCmd manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java™ command-line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database, and it does not require Java to be installed on the system. Enter the following command (as one line):
    <ihsinst>/bin/gsk7capicmd -certreq -create -db <name> [-crypto <module name> [-tokenlabel <token label>]] [-pw <passwd>] -label <label> -dn <dist name> [-size <2048 | 1024 | 512>] -file <name> [-secondaryDB <filename> -secondaryDBpw <password>] [-fips] [-sigalg <md5 | sha1 | sha224 | sha256 | sha384 | sha512>]
    Avoid trouble: On Unix-type operating systems it is recommended to always enclose the string values associated with all tags in double quotes (""). You also need to escape, using a '\' character, the following characters if they appear in the string values: '!', '\', '"', '`'. This prevents some command-line shells from interpreting those characters within the values (for example, gsk7capicmd -keydb -create -db "/tmp/key.kdb" -pw "j\!jj"). Note, however, that when gsk7capicmd prompts you for a value (for example, a password), you should not quote the string or add the escape characters, because the shell is no longer interpreting that input.
  2. Verify that the certificate was successfully created:
    1. View the contents of the certificate request file you created.
    2. Ensure that the key database recorded the certificate request:
      <ihsinst>/bin/gsk7cmd -certreq -list -db <filename> -pw <password>

      You should see the label listed that you just created.

  3. Send the newly-created file to a certificate authority.
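The procedure above is normally typed by hand, and the "Avoid trouble" note is where people get it wrong: a password such as j!jj is mangled by the shell unless it is quoted and escaped. The POSIX shell script below is an added example, not IBM's code and not from this page. It assembles the gsk7cmd -certreq -create command line with the quoting rule from the note applied to every string value, enforces the documented constraints (key size 2048, 1024 or 512; CN, O and C present in the DN), joins several DNS names into the comma-separated -san_dnsname form (which only works when DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true is set in ikminit.properties), and shows the step-2 check that the request label appears in the -certreq -list output. It prints the command rather than running it, so it works on a machine without GSKit installed. IHS_ROOT (standing in for <ihsinst>), every sample value, and SAMPLE_LIST (an assumed shape of the listing output, not captured from the real tool) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM page. Builds a gsk7cmd certificate-request
# command line that is safe to paste into an interactive Unix shell.

# Assumed install root; the page writes this as <ihsinst>.
IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"

# Wrap a value in double quotes and backslash-escape the four characters the
# page says a shell may otherwise interpret: '!' '\' '"' '`'.
gsk_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\!"`]/\\&/g')"
}

# Join all arguments with commas, the list form accepted by -san_dnsname,
# -san_emailaddr and -san_ipaddr.
join_csv() {
    list=""
    for v in "$@"; do
        list="${list:+$list,}$v"
    done
    printf '%s' "$list"
}

# The page says only CN, O and C are required in the DN; refuse a DN that
# lacks any of them before the request is sent to a certificate authority.
dn_has_required() {
    normalized=$(printf '%s' "$1" | sed 's/, */,/g')
    for attr in CN O C; do
        case ",$normalized" in
            *,"$attr"=*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Assemble the command line as one string.
# Arguments: keydb password label dn size csr-file [dns-name ...]
build_certreq_cmd() {
    db="$1"; pw="$2"; label="$3"; dn="$4"; size="$5"; csr="$6"
    shift 6
    case "$size" in
        2048|1024|512) ;;
        *) echo "key size must be 2048, 1024 or 512" >&2; return 1 ;;
    esac
    dn_has_required "$dn" || { echo "DN must contain CN, O and C" >&2; return 1; }
    cmd="$IHS_ROOT/bin/gsk7cmd -certreq -create"
    cmd="$cmd -db $(gsk_quote "$db") -pw $(gsk_quote "$pw")"
    cmd="$cmd -label $(gsk_quote "$label") -dn $(gsk_quote "$dn")"
    cmd="$cmd -size $size -file $(gsk_quote "$csr")"
    if [ "$#" -gt 0 ]; then
        # Subject alternate names require DEFAULT_SUBJECT_ALTERNATE_NAME_SUPPORT=true
        # in ikminit.properties (see the option description on the page).
        cmd="$cmd -san_dnsname $(gsk_quote "$(join_csv "$@")")"
    fi
    printf '%s\n' "$cmd"
}

# Constructed stand-in for what 'gsk7cmd -certreq -list' might print; the
# real tool's layout is not reproduced here.
SAMPLE_LIST='Certificate requests found:
    webserver-2010
    legacy-req'

# Step 2 check: does the listing contain exactly the label we created?
# Arguments: listing-text label
label_recorded() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# Example run with constructed values: print the command to paste into a shell.
build_certreq_cmd "/opt/IBM/HTTPServer/key.kdb" 'j!jj' "webserver-2010" \
    "CN=www.example.com,O=Example Corp,C=US" 2048 "/tmp/webserver.csr" \
    www.example.com example.com

if label_recorded "$SAMPLE_LIST" "webserver-2010"; then
    echo "request label 'webserver-2010' is recorded in the key database"
fi
```

Because a certificate request file is never altered after creation, a failed run of this script costs nothing; the expensive mistake is a DN or SAN list that the CA rejects, which is why the checks run before the command line is printed.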



Related concepts
Managing keys with the gsk7cmd command line interface (Distributed systems)
Related information
ftp://public.dhe.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_CapiCmd_UserGuide.pdf

Last updated: Oct 21, 2010 11:50:03 AM CDT
File name: tihs_keypair390.html