Storing a CA Certificate

Before you can work with certificates, you must store a CA certificate.

If you attempt to store a certificate before the CA certificate is stored, you will receive the following error:

Error: The issuer of the key is not found.

Certificate authorities typically provide their certificates as Base64-encoded files. The CA certificate must be saved to a file that the gskkyman utility can access before any certificates are loaded into the system. Typically, this means you have to save the CA certificate as an HFS file.

See the following example of a CA certificate.

Procedure

  1. From the Key database menu, enter option 6 to store a CA certificate.
    Key database menu

    Current key database is /u/ibmuser/key.kdb

    1  - List/Manage keys and certificates
    2  - List/Manage request keys
    3  - Create new key pair and certificate request
    4  - Receive a certificate issued for your request
    5  - Create a self-signed certificate
    6  - Store a CA certificate
    7  - Show the default key
    8  - Import keys
    9  - Export keys
    10  - List all trusted CAs
    11  - Store encrypted database password

    0  - Exit program
    
  2. Enter the file name where the certificate request is stored.
    Enter certificate file name or press ENTER for "cert.arm":
    If you do not enter a file name, the certificate is stored in the current working directory under the name cert.arm.
  3. Enter a label that describes the certificate.
    This label is not used within the platform server.
    A message is displayed indicating that the key manager is processing the request.

    Please wait while certificate is stored...

    When the request is completed, the following message is displayed. You can continue processing by entering 0, or terminate by entering 1.

    Your request has completed successfully, exit gskkyman? (1=yes, 0=no):

Result

At this point, the CA certificate is stored in the key database, and you can now receive certificates issued by this CA.