Steps for using a gskkyman key database

Perform the following steps to use a gskkyman key database for your server's certificate store:
Note: If the IBM® HTTP Server is installed and configured for SSL using gskkyman, you need to perform only steps 9, 10, 11, and 15.
  1. From the UNIX shell, cd to /etc and enter /usr/lpp/gskssl/bin/gskkyman.

    _______________________________________________________________

  2. Choose option 1 to create a key database. Type in a name or let it default to key.kdb and enter a password you want to use. When asked "Work with the database now?", enter 1 for yes.

    _______________________________________________________________

  3. Choose option 3 to create new key pair and certificate request. Answer the prompts for file name, label, key size (1024 is suggested), and subject name fields.
    Note: Common Name should be your server's symbolic IP address (for example, www.YourCompany.com).

    _______________________________________________________________

  4. Exit gskkyman when you are done.

    _______________________________________________________________

  5. From TSO, use the OGET command to put the certificate request in an MVS™ data set.
    Example:
    OGET '/etc/certreq.arm' certreq.arm

    _______________________________________________________________

  6. Use the RACDCERT command to read the request and generate the server certificate.
    Example:
    RACDCERT GENCERT(certreq.arm) ID(WEBSRV) SIGNWITH(CERTAUTH 
    LABEL('Local PKI CA')) WITHLABEL('SSL Cert')

    _______________________________________________________________

  7. Export both the new server certificate and the CA certificate to MVS data sets, and OPUT these to file system files.
    Example:
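    RACDCERT EXPORT(LABEL('SSL Cert')) ID(WEBSRV) DSN(cert.arm) FORMAT(CERTB64)
    RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA')) DSN(cacert.der) FORMAT(CERTDER)
    OPUT cert.arm '/etc/cert.arm' TEXT
    OPUT cacert.der '/var/pkiserv/cacert.der' BINARY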

    _______________________________________________________________

  8. You can optionally delete both certificate TSO data sets (but not the file system files).

    _______________________________________________________________

  9. In the UNIX shell, cd to /etc and invoke /usr/lpp/gskssl/bin/gskkyman.

    _______________________________________________________________

  10. Choose option 2 to open the key database (created earlier). Reply to the name and password prompts.

    _______________________________________________________________

  11. Choose option 6 to store a CA certificate and specify the '/var/pkiserv/cacert.der' file.

    _______________________________________________________________

  12. When asked to "Exit gskkyman?", enter 0 for No.

    _______________________________________________________________

  13. Choose option 4 to receive a certificate issued for your request and specify the '/etc/cert.arm' file. Again enter 0 when asked to "Exit gskkyman?".

    _______________________________________________________________

  14. Choose option 11 to store encrypted database password.

    _______________________________________________________________

  15. Exit gskkyman.

    _______________________________________________________________

  16. You can optionally remove the /etc/cert.arm file.

    _______________________________________________________________
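After the procedure, the key database and the stash file written by option 11 together let a program open the database without a password prompt, so it is worth checking who can read them. The following is an added example, not IBM code: a POSIX shell check that assumes the default database name key.kdb, a stash file named key.sth beside it, and that only the owning user ID should have access.

```shell
#!/bin/sh
# Added example, not IBM code. Assumed names: key.kdb (step 2 default),
# key.sth (stash file from option 11), cert.arm (file received in step 13).

# Print the nine permission characters (rwxrwxrwx) of a file.
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# Succeed only if group and other have no access at all.
owner_only() {
    case "$(perm_bits "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Succeed if the file carries Base64 certificate armor (FORMAT(CERTB64)).
is_b64_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# audit_keydb DIR [NAME]: print findings, return how many there were.
audit_keydb() {
    dir=$1
    name=${2:-key}
    findings=0
    for f in "$dir/$name.kdb" "$dir/$name.sth"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
        elif ! owner_only "$f"; then
            echo "EXPOSED $f has mode $(perm_bits "$f"), group/other access"
            findings=$((findings + 1))
        fi
    done
    # A cert.arm that is still present should at least be readable text.
    if [ -f "$dir/cert.arm" ] && ! is_b64_cert "$dir/cert.arm"; then
        echo "BADCERT $dir/cert.arm lacks BEGIN/END CERTIFICATE lines"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: audit_keydb /etc key
```

A BADCERT finding before step 13 usually means the certificate was transferred with the wrong OPUT mode or exported in a binary format.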