Requesting a certificate without a signing request

Some Certificate Authorities do not accept signing request files. Instead, they generate the signing request internally on behalf of the requesting server and then sign it as one transaction. The CA then returns to the server two files, one containing the private key for the server to use and one containing the signed server certificate. In this example, the assumption of the two files is as follows:

  • host.mycompany.com.crt: This is the file that contains the signed server certificate.
  • host.mycompany.com.key: This is the file that contains the server's private key

To use these files, they must be converted to an industry standard format called PKCS12 before they can be imported into a key database.

  1. Use OpenSSL to convert the two files into a PKCS12 file as follows:

    openssl pkcs12 -export -in host.mycompany.com.crt -inkey host.mycompany.com.key -out host.mycompany.com.p12 -name "CA signed"

    The OpenSSL command prompts you to enter a password. This password is only used temporarily so it can be any arbitrary password. In this example, the password is set to abc. The -in parameter specifies the file that contains the signed server certificate. The -inkey parameter specifies the file that contains the server's private key.

  2. Import the certificate from the PKCS12 file to the server's key database file as follows:

    gsk8capicmd_64 -cert -import -db host.mycompany.com.p12 -pw abc -target server.kdb

    The -db parameter specifies the name of the PKCS12 file. The -pw parameter specifies the password that protects the PKCS12 file. The -target parameter specifies the name of the server's key database file. You are prompted for the password that protects the target database file.
  3. Make the imported certificate the default certificate to use for communications as follows:

    gsk8capicmd_64 -cert -receive -db server.kdb -stashed -file cert_signed.arm -default_cert yes

    The -db parameter specifies the name of the server's key database file. The -label parameter specifies a label of the imported certificate.