You find key pairs and certificate requests stored in a
key database. This section provides information on how to create a
key pair and certificate request.
Before you begin
There are GSKit certificate support limitations that you
should remember as you create a new key pair and certificate request:
- You cannot use IKEYMAN to create certificates with key sizes that
are larger than 4096 bits.
- You can import certificates with key sizes up to 4096 bits into
the key database.
About this task
To create a public and private key pair and certificate
request, complete the following steps:
Procedure
- If you have not created the key database, see Creating a new key database for instructions.
- Start the IKEYMAN user interface.
- Click Key Database File from the main user interface,
then click Open.
- Enter your key database name in the Open dialog box, or
click the key.kdb file, if you use the default. Click OK.
- In the Password Prompt dialog box, enter your correct password
and click OK.
- Click Create from the main user interface, then
click New Certificate Request.
- In the New Key and Certificate Request dialog box, complete
the following information:
- Key label: Enter a descriptive comment to identify the key and
certificate in the database.
- Key size: Choose your level of encryption from the drop-down
menu.
- Organization Name: Enter your organization name.
- Organization Unit
- Locality
- State/Province
- Zip code
- Country: Enter a country code. Specify at least two characters.
Example: US
- Certificate request file name: Enter a file name, or use the default name.
A checksum of the certificate request is cryptographically
signed with the new private key, and the request contains a copy of the new public
key. A certificate authority can then use the public key to
validate that the certificate signing request (CSR) has not been tampered
with. Some certificate authorities might require that the checksum
that is signed be calculated with a stronger algorithm,
such as SHA-1 or SHA-2 (SHA-256, SHA-384, SHA-512).
This checksum algorithm is the "Signature Algorithm" of the CSR.
Subject Alternate
Name (SAN) extensions are fields in a certificate request that inform
SSL clients of alternate hostnames that correspond to the signed certificate.
Normal certificates (issued without a wildcard string in their Distinguished
Name) are only valid for a single hostname. For example, a certificate
created for example.com is not valid on www.example.com unless a Subject
Alternate Name of "www.example.com" is added to the certificate.
A certificate authority may charge an additional fee if your certificate
contains one or more SAN extensions.
- Click OK.
- Click OK in the Information dialog box. A reminder
to send the file to a certificate authority is displayed.
- Optional: On UNIX-based platforms, remove the
end-of-line characters (^M) from the certificate request.
To remove the end-of-line characters, type the following command:
cat certreq.arm | tr -d "\r" > new_certreq.arm
- Send the file to the certificate authority (CA) following
the instructions from the CA Web site for requesting a new certificate.
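The notes above on the CSR "Signature Algorithm", the Subject Alternate Name extension and the removal of carriage returns can be checked from the command line. The following script is an added example; it is not part of the IBM HTTP Server documentation and does not use IKEYMAN or GSKit. It builds an equivalent request with the OpenSSL command line (a 2048-bit RSA key, a SHA-256 signature and two DNS names in the SAN), verifies that the request's self-signature is valid, reports the signature algorithm and the SAN hostnames, and counts carriage returns before and after the `tr -d "\r"` step. The hostnames, distinguished name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: OpenSSL stands in for IKEYMAN
# to show what a CA sees in a certificate request. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/example.key"       # new private key (hypothetical file name)
CSR="$WORK/certreq.arm"       # certificate request in PEM, as IKEYMAN writes

# Create the key pair and request: DN fields like the IKEYMAN dialog, a
# SHA-256 signature, and SANs for the extra hostnames the request must cover.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=US/ST=NY/L=Armonk/O=Example Corp/OU=Web/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        >/dev/null 2>&1
}

# The request body is hashed and signed with the new private key; the
# embedded public key verifies that signature, which is how a CA detects
# tampering. Returns success only if OpenSSL reports "verify OK".
verify_csr() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the "Signature Algorithm" of the request, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$CSR" -noout -text \
        | awk '/Signature Algorithm:/ {print $3; exit}'
}

# Print the DNS names carried in the Subject Alternative Name extension,
# one per line.
csr_sans() {
    openssl req -in "$CSR" -noout -text \
        | awk '/X509v3 Subject Alternative Name:/ {getline; print; exit}' \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# Count carriage-return bytes (the ^M characters) in a file; a request
# produced on Windows and moved to UNIX may contain them.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Demonstration run.
make_csr
verify_csr && echo "self-signature: verify OK"
echo "signature algorithm: $(csr_sig_alg)"
echo "SAN hostnames:"; csr_sans
echo "carriage returns in $CSR: $(count_cr "$CSR")"
```

The `-addext` option needs OpenSSL 1.1.1 or later. If `count_cr` reports a non-zero value for a request received from another platform, the `tr -d "\r"` command from the procedure above produces the cleaned copy.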