Creating a self-signed certificate
In certain contexts, obtaining a certificate from a third-party certificate authority (CA) is unnecessary. In these cases, you can use the GSKit to create a self-signed certificate.
About this task
A self-signed certificate consists of a public/private key pair and a certificate for the public key that is signed by the private key. It is also known as a root certificate because it can be used to create a Certificate Authority.
Self-signed certificates can also be used in simple scenarios when both the client and the server are known to each other and can exchange certificates securely out-of-band.
To generate a self-signed certificate and store it in the key database, use the following command:
Procedure
- Open the command line to create and initialize a new key database.
-
Run the command gsk8capicmd_64 -cert -create -db server.kdb -stashed -dn
"CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" -expire 7300 -label "My self-signed certificate"
-default_cert yes
The -db parameter specifies the key database where the self-signed certificate should be stored. The -dnparameter specifies the distinguished name to use on the public key certificate. The -expire parameter indicates the number of days the certificate is valid. The label parameter is a name to use for the self-signed certificate within the key database. The -default_cert parameter makes the newly created certificate the default and is an optional parameter.
In the example scenarios, the following key database names are used:
- server.kdb: Server key database
- client.kdb: Client key database
ca.kdb:Certificate Authority key database