Creating a self-signed certificate

In certain contexts, obtaining a certificate from a third-party certificate authority (CA) is unnecessary. In these cases, you can use the GSKit to create a self-signed certificate.

About this task

A self-signed certificate consists of a public/private key pair and a certificate for the public key that is signed by the private key. It is also known as a root certificate because it can be used to create a Certificate Authority.

Self-signed certificates can also be used in simple scenarios when both the client and the server are known to each other and can exchange certificates securely out-of-band.

To generate a self-signed certificate and store it in the key database, use the following procedure:

Procedure

  1. Open the command line to create and initialize a new key database.
  2. Run the following command:

     gsk8capicmd_64 -cert -create -db server.kdb -stashed -dn "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" -expire 7300 -label "My self-signed certificate" -default_cert yes

    The -db parameter specifies the key database where the self-signed certificate is stored. The -stashed parameter reads the key database password from the stash file created with the database. The -dn parameter specifies the distinguished name to use on the public key certificate. The -expire parameter indicates the number of days the certificate is valid. The -label parameter is the name used for the self-signed certificate within the key database. The -default_cert parameter is optional and makes the newly created certificate the default certificate of the key database.

    In the example scenarios, the following key database names are used:

    • server.kdb: Server key database
    • client.kdb: Client key database
    • ca.kdb: Certificate Authority key database
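Both steps of the procedure above, as an added example script that is not part of the GSKit documentation: it assumes gsk8capicmd_64 is on PATH and that the environment variable KDB_PASSWORD holds the key database password (both assumptions); the -keydb -create and -cert -details invocations are standard GSKit options that the page itself does not show.

```shell
#!/bin/sh
# Added example, not from the GSKit documentation. Assumes gsk8capicmd_64 is
# on PATH and that KDB_PASSWORD holds the key database password.
set -eu

# Check the inputs before they reach gsk8capicmd_64: -expire must be a whole,
# positive number of days, the DN must carry a CN component, and the label
# (the name of the certificate inside the key database) must not be empty.
validate_cert_args() {
    expire=$1; dn=$2; label=$3
    case $expire in
        ''|*[!0-9]*|0) echo "expire must be a positive number of days" >&2; return 1 ;;
    esac
    case $dn in
        CN=*|*,CN=*) ;;
        *) echo "distinguished name must contain a CN= component" >&2; return 1 ;;
    esac
    [ -n "$label" ] || { echo "label must not be empty" >&2; return 1; }
    return 0
}

# Step 1: create and initialise the key database together with a stash file,
# so that later commands can use -stashed instead of passing -pw each time.
create_keydb() {
    db=$1
    if [ -f "$db" ]; then
        echo "$db already exists, keeping it" >&2
        return 0
    fi
    gsk8capicmd_64 -keydb -create -db "$db" -pw "$KDB_PASSWORD" -stash
}

# Step 2: create the self-signed certificate, make it the default, and print
# the stored certificate so the DN and validity period can be confirmed.
create_self_signed() {
    db=$1; dn=$2; expire=$3; label=$4
    validate_cert_args "$expire" "$dn" "$label" || return 1
    gsk8capicmd_64 -cert -create -db "$db" -stashed -dn "$dn" \
        -expire "$expire" -label "$label" -default_cert yes
    gsk8capicmd_64 -cert -details -db "$db" -stashed -label "$label"
}

# Usage with the values from the page; only runs when invoked as "run".
if [ "${1:-}" = "run" ]; then
    create_keydb server.kdb
    create_self_signed server.kdb \
        "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" \
        7300 "My self-signed certificate"
fi
```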