Requesting a certificate using a signing request
In this scenario, GSKit creates a certificate request, the third-party CA signs the certificate in the request, and GSKit imports the signed certificate into the server key database.
Procedure
-
Generate a server certificate request using the server's key database file.
gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "Some CA signed certificate" -dn "CN=host.mycompany.com,O=company,C=country" -file cert_request.arm
The -db parameter specifies the name of the server's key database file. The -label parameter specifies a label to refer to the newly created certificate in the key database file. The -dn parameter specifies the distinguished name to be used on the server's certificate. The -file parameter specifies the file to contain the exported certificate signing request. The CN parameter specifies the DNS name of your server. This is necessary for an SSL client to validate the certificate.
You can also request SAN extension by using -san_dnsname or -san_ipaddr options, for example:
gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "Some CA signed certificate" -dn "CN=host.mycompany.com,OU=unit,O=company" -san_dnsname "host1.mycompany.com,host2.mycompany.com" -san_ipaddr "10.10.10.1,10.10.10.2" -file cert_request.arm
-
Send the certificate request (that is, the cert_request.arm file) to the
CA. The process for submitting a certificate signing request varies among CA companies. Often the
signing request can be submitted using a web form.
- The CA then returns the signed certificate. In this scenario, the assumption is that the signed certificate is in a file that is called cert_signed.arm and is in an ASCII format.
-
Receive the signed certificate into the server's key database file and set it as the default
for communicating with clients
gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file cert_signed.arm -default_cert yes
The -db parameter specifies the name of the server's key database file. The -file parameter specifies the name of the file that contains the signed certificate.