Creating the keystore for a database client

About this task

The database client needs the CA certificate (chain) in order to authenticate the database server during the TLS handshake. In the examples above, the database server's user certificate was issued and signed by an in-house CA, so the database client needs that CA's certificate. Because the CA signed the database server's user certificate directly with its root CA certificate, no intermediate CAs are involved, and the chain used to authenticate the database server is very simple: it consists only of the database server's user certificate and the CA's root CA certificate. The database client receives the database server's user certificate during the TLS handshake, so its own keystore only needs the root CA certificate. Consequently, just the PEM file with the root CA certificate is needed to create the database client's keystore.

Procedure

  1. Create an empty keystore for the database client:
    $ gsk8capicmd -keydb -create -db client1.p12 -pw c1passwd -type p12

    The command creates the empty keystore in file "client1.p12". This keystore is protected with password "c1passwd". The option "-type p12" specifies the format PKCS #12 for the keystore.

  2. Add the root CA certificate to the database client's keystore:
    $ gsk8capicmd -cert -add -db client1.p12 -pw c1passwd -label rootCA1 \
     -file rootCA1.cert.pem -format ascii

    The command adds the root CA certificate to the database client's keystore in file "client1.p12" using password "c1passwd". The certificate is stored in the keystore with label name "rootCA1". The certificate to add is in the input file "rootCA1.cert.pem", a PEM file as per the option "-format ascii". This is the PEM file with the root CA certificate that was extracted from the CA's keystore as last step of setting up the in-house CA described above.

    The root CA certificate in the database client's keystore can now be seen with this command:
    $ gsk8capicmd -cert -list -db client1.p12 -pw c1passwd
     Certificates found
     * default, - personal, ! trusted, # secret key
     ! rootCA1

    The certificate is listed as "trusted". This means it is a proper CA certificate and can be used to validate certificates that were signed with it. When the database client receives the database server's user certificate during the TLS handshake, the root CA certificate in the database client's keystore is available to validate the received certificate and authenticate the database server.
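The three steps above as one POSIX shell script, added here as an example and not taken from the original page or from IBM: it runs the page's gsk8capicmd commands and then parses the "-cert -list" output to confirm that the root CA label is flagged trusted ("!") rather than personal ("-"). The keystore name, password, label and PEM file name are the page's; the function names and the extra "client1cert" line in the constructed sample listing are assumptions.

```shell
#!/bin/sh
# Example script (not the page's own): build the client keystore and verify
# that the root CA certificate is stored as a trusted (CA) certificate.

# Read "gsk8capicmd -cert -list" output from stdin and print the flag that
# precedes LABEL. Legend: '*' default, '-' personal, '!' trusted, '#' secret key.
cert_flag() {
  label="$1"
  awk -v want="$label" '
    # Data lines look like "     ! rootCA1"; the legend line never matches
    # because its second field is "default,".
    /^[[:space:]]*[*!#-][[:space:]]+/ && $2 == want { print $1; found=1; exit }
    END { if (!found) exit 1 }
  '
}

# Succeed only if LABEL is present and marked trusted, i.e. usable to
# validate certificates signed by that CA during the TLS handshake.
is_trusted_ca() {
  flag=$(cert_flag "$1") || return 1
  [ "$flag" = "!" ]
}

# The page's procedure as one function; requires GSKit (gsk8capicmd) on PATH.
build_client_keystore() {
  db="$1"; pw="$2"; label="$3"; pem="$4"
  gsk8capicmd -keydb -create -db "$db" -pw "$pw" -type p12 || return 1
  gsk8capicmd -cert -add -db "$db" -pw "$pw" -label "$label" \
    -file "$pem" -format ascii || return 1
  # Check that the CA certificate landed in the trusted section, not personal.
  gsk8capicmd -cert -list -db "$db" -pw "$pw" | is_trusted_ca "$label"
}

# Constructed listing output for offline checks: the page's sample plus an
# assumed personal certificate line to show the flag difference.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
! rootCA1
- client1cert'

if command -v gsk8capicmd >/dev/null 2>&1; then
  build_client_keystore client1.p12 c1passwd rootCA1 rootCA1.cert.pem \
    && echo "rootCA1 is trusted in client1.p12"
fi
```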