Installing the CA root certificate
Instead of setting up its own certificate authority, a company may use a third-party certificate authority to sign its server certificates. The client and server must have access to the third-party CA's root certificate to verify the server certificates that are signed by the third-party CA.
GSKit ships with a collection of third-party root certificates from well-known CA companies, such as Thawte, Verisign, and Entrust. If the server is going to use one of these well-known companies to sign its certificates, this step can be skipped. But if the server is going to use certificates from a third-party CA whose root certificate is not shipped with GSKit, the third-party CA's root certificate must be imported to both the server and the clients' key database files.
- Obtain the CA root certificate. The process for this varies depending on the third-party CA's procedures. Third-party CAs often make their root certificates available for download.
- Add the third-party CA's root certificate to both the server and client key databases and mark it as trusted, as follows:
    gsk8capicmd_64 -cert -add -db server.kdb -stashed -label "Some CA root" -file ca.der -format binary -trust enable
    gsk8capicmd_64 -cert -add -db client.kdb -stashed -label "Some CA root" -file ca.der -format binary -trust enable
This example uses a third-party CA root certificate that is in a binary format. If the certificate is in an ASCII format, use the -format ascii option. The -db parameter specifies the name of the key database to import the third-party CA root certificate into. The -label parameter specifies the label to use for the third-party CA root certificate inside the key database file. The -file parameter specifies the file that contains the third-party CA root certificate.
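The following script is an added example, not part of the original documentation or of GSKit itself. It wraps the import step above in a small POSIX shell function that picks -format binary or -format ascii from the certificate file's contents (a PEM file carries a BEGIN CERTIFICATE header; a DER file does not), imports the certificate into each key database named on the command line, and then lists the CA entries of that database to confirm the label is present. The key database names, stash files and label are the same ones the page uses; the verification via -cert -list and the dry-run behaviour when gsk8capicmd_64 is not on the PATH are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original page or from GSKit): import a third-party
# CA root certificate into several key databases, choosing -format from the file
# contents rather than guessing, and confirm the entry afterwards.

# Print "ascii" for a PEM file (Base64 body with a BEGIN CERTIFICATE header),
# "binary" for a DER file. grep -q keeps any "binary file matches" noise quiet.
detect_cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo ascii
    else
        echo binary
    fi
}

# Render the gsk8capicmd_64 add command for one key database as a single string,
# mirroring the page's example (-stashed, -trust enable). Used for the dry run.
build_add_cmd() {
    db=$1; label=$2; file=$3
    fmt=$(detect_cert_format "$file")
    printf 'gsk8capicmd_64 -cert -add -db %s -stashed -label "%s" -file %s -format %s -trust enable' \
        "$db" "$label" "$file" "$fmt"
}

# Import the certificate under $label from $file into every key database that
# follows on the command line. When GSKit is not installed on this host the
# commands are printed instead of run, so the script can still be reviewed.
import_ca_root() {
    label=$1; file=$2; shift 2
    for db in "$@"; do
        if command -v gsk8capicmd_64 >/dev/null 2>&1; then
            fmt=$(detect_cert_format "$file")
            gsk8capicmd_64 -cert -add -db "$db" -stashed -label "$label" \
                -file "$file" -format "$fmt" -trust enable || return 1
            # Confirm the certificate now appears among the database's CA entries.
            gsk8capicmd_64 -cert -list CA -db "$db" -stashed | grep -F -- "$label" >/dev/null || return 1
        else
            echo "dry-run: $(build_add_cmd "$db" "$label" "$file")"
        fi
    done
}

# Constructed sample input: a PEM-shaped placeholder file (not a real certificate)
# so the format detection can be exercised without a CA download.
demo_pem=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' > "$demo_pem"
import_ca_root "Some CA root" "$demo_pem" server.kdb client.kdb
rm -f "$demo_pem"
```

On a host with GSKit installed, replace the placeholder file with the downloaded root certificate (for example ca.der) and the function will run the two imports from the page and fail loudly if the label does not show up in the CA listing afterwards.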