Installing the CA root certificate

Instead of setting up its own certificate authority, a company may use a third-party certificate authority to sign its server certificates. The client and server must have access to the third-party CA's root certificate to verify the server certificates that are signed by the third-party CA.

GSKit ships with a collection of third-party root certificates from well-known CA companies, such as Thawte, Verisign, and Entrust. If the server is going to use one of these well-known companies to sign its certificates, this step can be skipped. But if the server is going to use certificates from a third-party CA whose root certificate is not shipped with GSKit, the third-party CA's root certificate must be imported to both the server and the clients' key database files.

  1. Obtain the CA root certificate. This process for this varies depending on the third-party CA's procedures. Third-party CAs often make their root certificates available for download.
  2. Add the third-party's root CA certificate to both server and client key databases and mark it as trusted, as follows:

    gsk8capicmd_64 -cert -add -db server.kdb -stashed -label "Some CA root" -file ca.der -format binary -trust enable gsk8capicmd_64 -cert -add -db client.kdb -stashed -label "Some CA root" -file ca.der -format binary -trust enable

    This example uses a third-party CA root certificate that is in a binary format. If the certificate is in an ASCII format, use the -format ascii option. The -db parameter specifies the name of the key database to import the third-party CA root certificate into. The -label parameter specifies the label to use for the third-party CA root certificate inside the key database file. The -file parameter specifies the file that contains the third-party CA root certificate.