Converting the Sample Certificates

This topic describes the actions and options that can be specified to the makesysssl script.
The Sample Certificate Conversion Script
A sample certificate conversion script, makesysssl, is provided in the sysssl directory of the USS file system. During the installation of CA XCOM, the makesysssl script converts the sample OpenSSL certificates (PEM files) that the makeca, makeclient, and makeserver scripts generate into PKCS12 certificate files, and then imports the PKCS12 files into a sample System SSL certificate database.
The makeca, makeclient, makeserver, and makesysssl scripts can also be run manually after installation to regenerate the sample certificates and convert them for use by System SSL.
The makesysssl script can also be used to convert any PEM certificate file and its corresponding PEM key file to a PKCS12 certificate file. That PKCS12 file can then be imported into a System SSL certificate database using the IBM gskkyman utility, which is described in the IBM Cryptographic Services System Secure Sockets Layer Programming guide.
Important! The certificates that the makeca, makeclient, and makeserver scripts generate are for testing purposes only. The makeca script generates a self-signed CA certificate, which the makeclient and makeserver scripts then use to sign the client and server certificates. While self-signed certificates make testing easier, they are not intended for production use: nothing outside the test setup trusts the sample CA, so a production deployment needs certificates issued by a CA that both transfer partners trust.
makesysssl Syntax
To run the makesysssl script, change to the sysssl directory and issue the command:
./makesysssl [action] [options... ]
[action]
-all
Convert the CA certificate that makeca generates, the client certificate that makeclient generates, and the server certificate that makeserver generates to PKCS12 certificates, then import all three into the System SSL certificate database. This action is the default.
-ca
Convert the CA certificate that makeca generates to a PKCS12 certificate then import it into the System SSL certificate database.
-client
Convert the client certificate that makeclient generates to a PKCS12 certificate then import it into the System SSL certificate database.
-help
Display a short summary of the available options.
-pkcs12
Convert a PEM certificate file and PEM key file to a PKCS12 certificate.
-server
Convert the server certificate that makeserver generates to a PKCS12 certificate then import it into the System SSL certificate database.
[options...]
One or more of the following options can be specified when the action is -all, -ca, -client, or -server:
-calabel x
This option specifies the label to use when importing the CA certificate to the System SSL certificate database.
-capass x
This option specifies the key password for the CA certificate. The key password is maintained when importing the CA certificate to the System SSL certificate database.
Default:
casecret
-clientlabel x
This option specifies the label to use when importing the client certificate to the System SSL certificate database.
Default:
clientcert
-clientpass x
This option specifies the key password for the client certificate. The key password is maintained when importing the client certificate to the System SSL certificate database.
-gsknlspath x
This option specifies the NLSPATH for the IBM gskkyman utility.
Default:
/usr/lpp/gskssl/lib/nls/msg/%L/%N
-gskpath x
This option specifies the PATH for the IBM gskkyman utility.
Default:
/usr/lpp/gskssl/bin
-gsksteplib x
This option specifies the STEPLIB for the IBM gskkyman utility.
Default:
SYS1.SIEALNKE
-k x
This option specifies the name of the System SSL certificate database.
Default:
./database/xcomcerts.kdb
-kpass x
This option specifies the password for the System SSL certificate database.
-indir x
This option specifies the path of the CA XCOM Data Transport ssl directory.
Default:
../ssl
-outdir x
This option specifies the directory for temporary PKCS12 files.
Default:
./pkcs12
-serverlabel x
This option specifies the label to use when importing the server certificate to the System SSL certificate database.
Default:
servercert
-serverpass x
This option specifies the key password for the server certificate. The key password is maintained when importing the server certificate to the System SSL certificate database.
One or more of the following options can be specified when the action is -pkcs12:
-pkcs12in x
This option specifies the certificate PEM file to be converted.
Default:
None
-pkcs12inkey x
This option specifies the PEM key file to be converted.
Default:
None
-pkcs12out x
This option specifies the PKCS12 certificate file that receives the converted certificate and key.
Default:
None
-pkcs12pass x
This option specifies the key password for the PEM key file to be converted. The key password is maintained in the PKCS12 certificate file.
Sample System SSL Certificate Database
System SSL uses a certificate database to store the certificates. During the installation of CA XCOM a sample System SSL certificate database, xcomcerts.kdb, is created in the sysssl/database directory.
The sample System SSL certificate database can be maintained using the IBM gskkyman utility, which is described in the IBM Cryptographic Services System Secure Sockets Layer Programming guide.
Important! The sample System SSL certificate database that was created during installation is for testing purposes only and is not intended for production use. Its password has no expiration date, and the xcomcerts.kdb file is set readable to everyone, so any user with access to the USS file system can copy the database. For production, create a separate database with gskkyman, give it a password with an expiration date, and restrict the file permissions to the owning user ID.
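As an added example that is not part of CA XCOM or its makesysssl script, the following POSIX shell wrapper adds the checks a practitioner would want around the invocation described under makesysssl Syntax and around the sample database described above. Before ./makesysssl -all is run with the page's default -indir, -outdir and -k paths, each PEM pair is checked to be a certificate plus a private key that is not world-readable; afterwards the PKCS12 scratch directory and xcomcerts.kdb have group and other access removed. The base names ca, client and server (cacert.pem, cakey.pem, and so on), the file name preflight.sh, and the XCOM_KDB_PASS environment variable are assumptions for illustration; the page does not name the files that makeca, makeclient and makeserver write.

```shell
#!/bin/sh
# Added example, not part of CA XCOM or its makesysssl script: a pre-flight
# wrapper around "./makesysssl -all" (and "-pkcs12" for a single pair).
# Run it from the sysssl directory.
#
# Assumptions (not stated on the page): the PEM file names under ../ssl
# (cacert.pem, cakey.pem, clientcert.pem, ...) are placeholders; substitute
# whatever makeca, makeclient and makeserver write on your system.

INDIR=${INDIR:-../ssl}                  # makesysssl -indir default
OUTDIR=${OUTDIR:-./pkcs12}              # makesysssl -outdir default
KDB=${KDB:-./database/xcomcerts.kdb}    # makesysssl -k default
PEM_PAIRS="ca client server"            # hypothetical base names, see above

# Classify a PEM file by its BEGIN line: prints cert, key or unknown.
pem_type() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo cert
    elif grep -Eq '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo key
    else
        echo unknown
    fi
}

# Succeed when "other" users have read access to the path (ls -l column 8).
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Verify a pair: $1 must be a certificate, $2 a private key that is not
# world-readable. Prints the problem and fails otherwise.
check_pem_pair() {
    if [ "$(pem_type "$1")" != cert ]; then
        echo "not a PEM certificate: $1" >&2; return 1
    fi
    if [ "$(pem_type "$2")" != key ]; then
        echo "not a PEM private key: $2" >&2; return 1
    fi
    if other_readable "$2"; then
        echo "private key is readable by everyone: $2" >&2; return 1
    fi
    return 0
}

# Remove group/other access from the PKCS12 scratch directory ($1) and the
# key database ($2): the PKCS12 files carry private keys, and the shipped
# sample xcomcerts.kdb is world-readable. Succeeds only if $2 ends up private.
harden_store() {
    chmod -R go-rwx "$1" || return 1
    chmod go-rwx "$2" || return 1
    if other_readable "$2"; then return 1; fi
    return 0
}

# Convert one arbitrary PEM pair with the -pkcs12 action after the same check.
# $1 cert PEM, $2 key PEM, $3 output PKCS12 file, $4 key password.
convert_one() {
    check_pem_pair "$1" "$2" || return 1
    ./makesysssl -pkcs12 -pkcs12in "$1" -pkcs12inkey "$2" -pkcs12out "$3" \
        -pkcs12pass "${4:?key password required}"
}

# Check every sample pair, run the default -all action, then lock down the
# scratch directory and the database.
run_conversion() {
    for n in $PEM_PAIRS; do
        check_pem_pair "$INDIR/${n}cert.pem" "$INDIR/${n}key.pem" || return 1
    done
    mkdir -p "$OUTDIR" && chmod go-rwx "$OUTDIR" || return 1
    # The database password is taken from the environment so it is not typed
    # into shell history; makesysssl still receives it as -kpass on its own
    # command line.
    ./makesysssl -all -indir "$INDIR" -outdir "$OUTDIR" -k "$KDB" \
        -kpass "${XCOM_KDB_PASS:?set XCOM_KDB_PASS}" || return 1
    harden_store "$OUTDIR" "$KDB"
}

# Only run the conversion when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "run" ]; then
    run_conversion || exit 1
fi
```

Run it from the sysssl directory as XCOM_KDB_PASS=... ./preflight.sh run. Because makesysssl takes the database and key passwords as command-line arguments, they can be visible to other users in process listings while the script runs; that is one more reason the sample database and its fixed password belong only in a test environment.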