Creating a Certificate Authority

CA is short for Certificate Authority. A CA issues certificates for email accounts, web sites, or Java applets. Issuing a certificate only expresses a trust relationship: if you trust the CA, you automatically trust every certificate that the CA has issued.

About this task

The following steps allow you to create your own CA certificate.

Procedure

  1. Initialize the CA key database and create the CA certificate. For example:

    gsk8capicmd_64 -cert -create -db server.kdb -stashed -dn "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" -expire 7300 -label "My self-signed certificate" -default_cert yes

    The -db parameter specifies the file name to be used for the CA's key database file. The -pw parameter specifies the password to use to protect the key database file; the example passes -stashed instead, which reads that password from the key database's stash file. The -expire parameter indicates the number of days before the certificate expires. The -dn parameter specifies the distinguished name used on the CA certificate. The -label parameter specifies the name to be used for the CA certificate in the key database file.

  2. Extract the CA's root certificate. This certificate must be installed on both the clients and the servers:

    gsk8capicmd_64 -cert -extract -db ca.kdb -stashed -label "CA cert" -format ascii -target ca.arm

    The -db parameter specifies the file name of the CA's key database file. The -label parameter specifies the CA's certificate label in the key database file. The -target parameter specifies the file in which the exported CA certificate is stored.
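
The extracted ca.arm becomes the trust anchor on every client and server, so each installed copy should be confirmed to be the certificate produced in step 2. The following is an added example, not part of the original procedure: it assumes the ASCII-format file is Base64 between BEGIN/END CERTIFICATE lines and that GNU coreutils and awk are available, and the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation): confirm that an
# installed copy of ca.arm is the certificate extracted in step 2.
# Assumptions: Base64 between BEGIN/END CERTIFICATE lines; GNU coreutils
# (base64, sha256sum, mktemp) and awk are available.

# Print the SHA-256 of the decoded certificate bytes in the first block of $1.
# Hashing the decoded bytes, not the text file, means CRLF conversion or
# stray whitespace picked up in transit does not cause a false mismatch.
arm_fingerprint() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    b64=$(awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
               /^-----END CERTIFICATE-----/   { exit }
               inblk' "$1" | tr -d ' \t\r\n')
    [ -n "$b64" ] || { echo "no certificate block in: $1" >&2; return 2; }
    der=$(mktemp) || return 2
    if printf '%s' "$b64" | base64 -d > "$der" 2>/dev/null; then
        sha256sum < "$der" | cut -d' ' -f1
        rc=0
    else
        echo "invalid Base64 in: $1" >&2
        rc=2
    fi
    rm -f "$der"
    return "$rc"
}

# Return 0 if both files hold the same certificate, 1 if they differ,
# 2 if either file cannot be parsed.
same_ca_cert() {
    ref=$(arm_fingerprint "$1") || return 2
    got=$(arm_fingerprint "$2") || return 2
    [ "$ref" = "$got" ]
}

# Constructed sample: placeholder bytes, not a real certificate. Writes a
# reference file and a CRLF copy of it into directory $1.
make_sample() {
    body=$(printf 'constructed placeholder, not a real certificate' | base64)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/ca.arm"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----' > "$1/ca_crlf.arm"
}
```

Run `arm_fingerprint ca.arm` on the CA host, pass the value to each administrator over a separate channel, and compare it with the output for the installed copy.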