Steps for using a gskkyman key database
- From the UNIX shell, cd to /etc and
enter /usr/lpp/gskssl/bin/gskkyman.
_______________________________________________________________
- Choose option 1 to create a key database. Type in a name
or let it default to key.kdb and enter the password
you want to use. When asked "Work with the database now?", enter 1 for
yes.
_______________________________________________________________
- Choose option 3 to create a new key pair and certificate
request. Answer the prompts for file name, label, key size (1024 is
suggested), and subject name fields.
Note: Common Name should be your server's symbolic IP address (for example, www.YourCompany.com).
_______________________________________________________________
- Exit gskkyman when you are done.
_______________________________________________________________
- From TSO, use the OGET command to put the certificate request
in an MVS™ data set.
Example:
OGET '/etc/certreq.arm' certreq.arm
_______________________________________________________________
- Use the RACDCERT command to read the request and generate the
server certificate.
Example:
RACDCERT GENCERT(certreq.arm) ID(WEBSRV) SIGNWITH(CERTAUTH LABEL('Local PKI CA')) WITHLABEL('SSL Cert')
_______________________________________________________________
- Export both the new server certificate and the CA
certificate to MVS data sets,
and OPUT these to file system files.
Example:
RACDCERT EXPORT(LABEL('SSL Cert')) ID(WEBSRV) DSN(cert.arm) FORMAT(CERTB64)
OPUT cacert.der '/var/pkiserv/cacert.der' BINARY
_______________________________________________________________
- You can optionally delete both certificate TSO data sets (but
not the file system files).
_______________________________________________________________
- In the UNIX shell, cd to /etc and
invoke /usr/lpp/gskssl/bin/gskkyman.
_______________________________________________________________
- Choose option 2 to open the key database (created
earlier). Reply to the name and password prompts.
_______________________________________________________________
- Choose option 6 to store a CA certificate and
specify the '/var/pkiserv/cacert.der' file.
_______________________________________________________________
- When asked to "Exit gskkyman?", enter 0 for No.
_______________________________________________________________
- Choose option 4 to receive a certificate issued for your
request and specify the '/etc/cert.arm' file. Again
enter 0 when asked to "Exit gskkyman?".
_______________________________________________________________
- Choose option 11 to store encrypted database password.
_______________________________________________________________
- Exit gskkyman.
_______________________________________________________________
- You can optionally remove the /etc/cert.arm file.
_______________________________________________________________
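A transfer in the wrong mode (text instead of BINARY, or the reverse) leaves a file that gskkyman options 6 and 4 cannot read. The shell functions below are an added example, not part of the original procedure: they check that the request and server certificate files are base64-armored and that the CA certificate is binary DER. The function names and the optional ROOT prefix are assumptions; the file paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and the optional ROOT prefix
# are hypothetical; file paths are the ones used in the steps above.

# cert_file_kind FILE: print "armored", "der" or "unknown" from the file's start.
cert_file_kind() {
    f=$1
    [ -r "$f" ] && [ -s "$f" ] || { echo unknown; return 0; }
    # Base64 requests and FORMAT(CERTB64) exports open with a "-----BEGIN" line.
    IFS= read -r first < "$f" || true
    case $first in
        "-----BEGIN "*) echo armored; return 0 ;;
    esac
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    byte=$(od -An -tx1 -N1 "$f" | tr -d ' \t\n')
    if [ "$byte" = 30 ]; then echo der; else echo unknown; fi
}

# check_kind FILE EXPECTED: succeed only when FILE has the expected encoding.
check_kind() {
    got=$(cert_file_kind "$1")
    if [ "$got" = "$2" ]; then
        echo "ok       $1 ($got)"
    else
        echo "MISMATCH $1: expected $2, found $got" >&2
        return 1
    fi
}

# check_all [ROOT]: verify the three files before gskkyman options 6 and 4.
check_all() {
    root=${1:-}
    rc=0
    check_kind "$root/etc/certreq.arm" armored || rc=1
    check_kind "$root/etc/cert.arm" armored || rc=1
    check_kind "$root/var/pkiserv/cacert.der" der || rc=1
    return $rc
}
```

Source the file and run check_all with no argument to test the real paths; a MISMATCH line names the file to transfer again.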