Scope: This document shows how to create a certificate signer request (CSR) and have it signed by any certificate authority (CA). It takes a practical approach with detailed steps. IBM GSKit has both graphical and text-based tools to manage certificates and the key database, and this document covers both options. I will update this document to include any special instructions for other versions.
Product and Versions:
* IBM GSKit 7.x
* AIX Platform.
* Windows Platform.
Acronyms:
* GSKit - IBM GSKit
* SSL - Secure Socket Layer
* KDB - Key Database.
* CA - Certificate Authority.
Assumptions:
* IBM GSKit has been installed on AIX or Windows.
Option One: Using Command line tools / Utilities.
Step 1: Log in to the AIX or Windows machine where GSKit is installed.
Step 2: Open a command prompt on Windows or log in to a shell on AIX.
Step 3: Create a KDB of type CMS by running the command below.
gsk7cmd -keydb -create -db [Key Database file Name] -pw [password] -type cms -stash
Example:
gsk7cmd -keydb -create -db example.com.kdb -pw password -type cms -stash
Note: Make sure the commands gsk7ikm and java are on the PATH and that the JAVA_HOME variable points to the Java installation location.
Step 4: Create a certificate signer request (CSR).
gsk7cmd -certreq -create -db [KDB file name and path] -pw [password] -type cms -label [unique label within the kdb file] -dn "CN=[domainname],O=[Organization Name],L=[location],S=[state],C=[country]" -size 2048 -default_cert no
Example:
gsk7cmd -certreq -create -db example.com.kdb -pw password -type cms -label example.com -dn "CN=example.com,O=Example Inc,L=Mountain View,S=California,C=US" -size 2048 -default_cert no
Step 5: Extract the certificate signer request from the KDB so you can send it to the CA to have the cert signed.
gsk7cmd -certreq -extract -db [KDB file name and path] -pw [password] -type cms -label [CSR label name in KDB] -target [path and file name of the file where the extracted CSR is to be stored]
Example:
gsk7cmd -certreq -extract -db example.com.kdb -pw password -type cms -label example.com -target /home/iuser/example.com.arm
Step 6: Send the extracted CSR (example.com.arm) to your preferred Certificate Authority (CA) and request that it sign the CSR. Once the CSR is signed, you will receive a signed certificate.
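A pre-submission check for the extracted CSR, as an added example that is not part of the original post: it parses the request file and confirms that the CN and RSA key size match what was passed to -dn and -size. It assumes the .arm file is Base64-armored PKCS#10 carrying an RSA key; the function names are hypothetical.

```python
import base64, re
# DER bytes of the attribute-type OIDs (2.5.4.x) behind the -dn fields.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def parse_csr(pem_text):
    """Return (subject dict, RSA modulus bits); assumes Base64-armored PKCS#10, RSA key."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no certificate request block found")
    (_, info), *_ = children(tlv(base64.b64decode(m.group(2)), 0)[1])  # request info
    _version, (_, name), (_, spki), *_ = children(info)
    subject = {}
    for _, rdn in children(name):                      # Name = SEQUENCE of SETs
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            subject[OIDS.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    _alg, (_, bits) = children(spki)                   # BIT STRING wraps RSAPublicKey
    tag, rsa_key, _ = tlv(bits[1:], 0)                 # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("public key is not an RSA key")
    (_, modulus), *_ = children(rsa_key)
    return subject, int.from_bytes(modulus, "big").bit_length()

def check_csr(pem_text, expected_cn, min_bits=2048):
    """Return a list of problems; an empty list means the CSR is as intended."""
    subject, bits = parse_csr(pem_text)
    problems = []
    if subject.get("CN") != expected_cn:
        problems.append(f"CN is {subject.get('CN')!r}, expected {expected_cn!r}")
    if bits < min_bits:
        problems.append(f"RSA modulus is {bits} bits, expected at least {min_bits}")
    return problems
```

Call check_csr(open("/home/iuser/example.com.arm").read(), "example.com") before sending the file; an empty list means the CN and key size are as requested. The check reads the request's contents only and does not verify its self-signature.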
Option Two: Using Graphical user interface.
Step 1: Log in to the AIX or Windows machine where GSKit is installed.
Step 2: Open a command prompt on Windows or log in to a shell on AIX.
Note: For AIX you should have an X server running locally (on your desktop) and export the display from AIX to your machine.
Step 3: Launch the IBM GSKit Key Management Tool.
On AIX: run the 'gsk7ikm' command.
On Windows: Start the IBM Key Management tool from windows START -> Programs -> IBM GSKIT -> IBM Key Management
Note: Make sure the commands gsk7ikm and java are on the PATH and that the JAVA_HOME variable points to the Java installation location.
Step 4: Create a KDB of type CMS.
a) Click on the "Key Database File" menu and select "New" as shown in the screenshot below.
b) Select "CMS" as the Key Database Type, enter the KDB file name and the path where the file is to be created, and click "OK".
c) Enter the password in "password" and "confirm password", enable the "stash the password to file" option, and click "OK".
Step 5: Create a Certificate Signer Request.
a) Select "Personal Certificate Requests" from the list and click on "New" button.
b) Enter the Certificate details as shown below and click "OK".
c) You will see a message stating the certificate request has been created and CSR extract has been saved under e:\mykeys\example.com.arm
d) Exit from the gsk7ikm utility.
Step 6: Send the extracted CSR (example.com.arm) to your preferred Certificate Authority (CA) and request that it sign the CSR. Once the CSR is signed, you will receive a signed certificate.
Please refer to "how to Update/Receive a CA signed cert into the Key Database(link coming soon)" for steps on how to receive the signed cert into the Key Database and associate it with the key pair generated during the CSR creation.
Summary: In this how-to, you created a key database file of type "CMS" and created a certificate signer request named example.com. When you create a certificate signer request, a key is generated; the CA uses the CSR to sign the cert/key, which is then associated with the key created during the CSR creation. You can use this CA-signed cert to enable SSL on IHS and many other IBM products.
Comments welcome!!