Issuing a server certificate with a CA

For clients to verify a server's identitiy, the CA must issue a signed server certificate to the server.

Procedure

  1. Add the CA's root certificate to the server's key database and mark it as trusted, as follows:

    gsk8capicmd_64 -cert -add -db server.kdb -stashed -label "My CA root" -file ca.arm -format ascii -trust enable

    The -db parameter specifies the of the server's key database file. The -label parameter specifies the label to use for the CA's root certificate in the database file. -file parameter specifies the file that contains the CA's root certificate.

  2. At the server, create a server certificate request, as follows:

    gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "My CA signed certificate" -dn "CN=host.mycompany.com,OU=unit,O=company" -file cert_request.arm

    The -db parameter specifies the name of the server's key database file. The -label parameter specifies the label to use for the server certificate in the key database file. The -dn parameter specifies the distinguished name to use on the certificate. The CN parameter specifies the DNS name of your server, which is necessary for an SSL client to validate the certificate.

    You can also request a subject alternative name (SAN) extension by using -san_dnsname or -san_ipaddroptions. For example:

    gsk8capicmd_64 -certreq -create -db server.kdb -stashed -label "My CA signed certificate" -dn "CN=host.mycompany.com,OU=unit,O=company" -san_dnsname "host1.mycompany.com,host2.mycompany.com" -san_ipaddr "10.10.10.1,10.10.10.2" -file cert_request.arm

  3. The certificate request must be transported to the CA, and the CA must sign the certificate, as follows;

    gsk8capicmd_64 -cert -sign -file cert_request.arm -db ca.kdb -stashed -label "CA cert" -target cert_signed.arm -expire 364

    The -file parameter specifies the file that contains the certificate request. The -db parameter specifies the name of the CA's key database file. The -label parameter specifies the label of the CA's root certificate that should be used to sign the certificate request. The -target parameter specifies the file to be used for the signed server certificate.

    If a SAN extension was requested in the server certificate request, you can either use the -preserve option to keep the requested values or override them by specifying your own -san_dnsname or -san_ipaddr options with the -sign command. If you use both -preserve with -san_dnsname or -san_ipaddr, the values are merged with the ones requested. For example:

    gsk8capicmd_64 -cert -sign -file cert_request.arm -db ca.kdb -stashed -label "CA cert" -target cert_signed.arm -expire 364 -preserve -san_dnsname "host3.mycompany.com" -san_ipaddr "10.10.10.3"

    Note:

    At the time of this writing (GSKit version 8.0.14.22), there is a bug that generates invalid extensions when both -preserve and -san_dnsname or -san_ipaddr options are used. This bug prevents servers from receiving certificates that are signed with this combination of options. Avoid using -preserve until this problem is fixed.

  4. The server must receive the signed certificate from the CA and set it as the default for communicating with clients, as follows:

    gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file cert_signed.arm -default_cert yes

    The -db parameter specifies the name of the server's key database file. The -file parameter specifies the name of the file that contains the signed server certificate.