Requesting a certificate using a signing request

In this scenario, GSKit creates a certificate request, the third-party CA signs the certificate in the request, and GSKit imports the signed certificate into the server key database.

Procedure

  1. Generate a server certificate request using the server's key database file.

    gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "Some CA signed certificate" -dn "CN=host.mycompany.com,O=company,C=country" -file cert_request.arm

    The -db parameter specifies the name of the server's key database file. The -label parameter specifies a label to refer to the newly created certificate in the key database file. The -dn parameter specifies the distinguished name to be used on the server's certificate. The -file parameter specifies the file to contain the exported certificate signing request. The CN attribute within the distinguished name specifies the DNS name of your server. This is necessary for an SSL client to validate the certificate.

    You can also request a SAN (Subject Alternative Name) extension by using the -san_dnsname or -san_ipaddr options, for example:

    gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "Some CA signed certificate" -dn "CN=host.mycompany.com,OU=unit,O=company" -san_dnsname "host1.mycompany.com,host2.mycompany.com" -san_ipaddr "10.10.10.1,10.10.10.2" -file cert_request.arm

  2. Send the certificate request (that is, the cert_request.arm file) to the CA. The process for submitting a certificate signing request varies among CA companies. Often the signing request can be submitted using a web form.
  3. The CA then returns the signed certificate. In this scenario, the assumption is that the signed certificate is in a file that is called cert_signed.arm and is in an ASCII format.
  4. Receive the signed certificate into the server's key database file and set it as the default for communicating with clients:

    gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file cert_signed.arm -default_cert yes

    The -db parameter specifies the name of the server's key database file. The -file parameter specifies the name of the file that contains the signed certificate.
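
Before sending cert_request.arm to the CA in step 2, and again before receiving cert_signed.arm in step 4, you can confirm that the request carries the SAN entries you asked for and that the returned certificate contains the same public key as the request. The following is an added example, not part of the GSKit documentation: it assumes the openssl CLI is installed and that both .arm files are PEM-encoded, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not GSKit code. Assumes openssl on PATH and PEM .arm files.

# List the SAN entries of a CSR, one per line, without the type prefix.
san_list() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -e 's/^ *//' -e 's/^DNS://' -e 's/^IP Address://'
}

# csr_has_names CSR NAME...: 0 if the request's self-signature verifies
# and every NAME is an exact SAN entry, 1 if a name is missing,
# 2 if the request cannot be verified.
csr_has_names() {
    csr=$1; shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    found=$(san_list "$csr")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$want" ||
            { echo "missing SAN: $want" >&2; return 1; }
    done
}

# same_key CSR CERT: 0 if the signed certificate carries the public key
# from the request, so it pairs with the private key in the key database.
same_key() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample: a throwaway request in directory $1 using the names
# from the commands above (generated with openssl, not gsk8capicmd).
make_sample_csr() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = host.mycompany.com
O = company
[ext]
subjectAltName = DNS:host1.mycompany.com,DNS:host2.mycompany.com,IP:10.10.10.1,IP:10.10.10.2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert_request.arm" 2>/dev/null
}
```

For example, run `csr_has_names cert_request.arm host1.mycompany.com 10.10.10.1` after step 1 and `same_key cert_request.arm cert_signed.arm` before step 4.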