Example: Microsoft Certificate Store configuration file

This example file shows you how to create a server keystore and a server root certificate to use with Rational® DOORS®, and how the Microsoft Certificate Store (MCS) can be set up to validate the server certificate. The example file is followed by a breakdown of the commands and parameters.

Example file

REM Create a server keystore file
gsk8capicmd -keydb -create -db server.kdb -pw ser123 -stash

REM Create a server root certificate in server.kdb, and add it to the MCS
gsk8capicmd -cert -create -db server.kdb -pw ser123 -label "IBMEDCA1" -dn "CN=IBMEDCA1"
gsk8capicmd -cert -extract -db server.kdb -pw ser123 -label "IBMEDCA1" -target temp1.arm
gsk8capicmd -cert -add -db GSK_MS_CERTIFICATE_STORE -label "IBMEDCA1" -file temp1.arm

REM Create and sign a server certificate
gsk8capicmd -certreq -create -db server.kdb -label IBMSV1 -dn "CN=IBMEDSERV,dc=ukednode1" -file temp2.arm
gsk8capicmd -cert -sign -db server.kdb -pw ser123 -label IBMEDCA1 -file temp2.arm -target temp3.arm
gsk8capicmd -cert -receive -file temp3.arm -db server.kdb -pw ser123

REM Extract the root certificate from the MCS and add it to the server kdb file
gsk8capicmd -cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
gsk8capicmd -cert -add -db server.kdb -pw ser123 -label "CN=Coy Root" -file temp4.arm

Create a server keystore file

gsk8capicmd -keydb -create -db server.kdb -pw ser123 -stash
gsk8capicmd -keydb -create
The gsk8capicmd command is a tool that manages keys, certificates, and certificate requests in a key database. Its syntax is: gsk8capicmd modifiers object action options. In this example, -keydb is the key database object, -create is the action to take, and -db is an option. The command creates a key database.
-db server.kdb -pw ser123
The key database is called server.kdb and is protected with a password (-pw). In this example, the password is ser123.
-stash
Stash the password for the key database after creation. A stash file is an automatic way of providing a password. When you access a key database, the system first checks for the existence of a stash file. If one exists, the contents of the file are decrypted and used as the password. When the -stash tag is specified during the create action, the password is stashed into a file that is named as follows: key_database_name.sth. Because anyone who can read the stash file can open the key database without knowing the password, restrict file permissions on the .sth file to the account that runs the server.

Create a root certificate in the keystore, and add it to the MCS

The root certificate is used to create a server certificate. Because the root certificate is in the MCS, Rational DOORS clients can validate the server certificate using the MCS.
gsk8capicmd -cert -create -db server.kdb -pw ser123 -label "IBMEDCA1" -dn "CN=IBMEDCA1"
-cert -create
This is the create certificate command (-create action and -cert object).
-label "IBMEDCA1"
A label is attached to the certificate. In this example, the label is "IBMEDCA1". The label lets a user uniquely identify the certificate in the key database.
-dn "CN=IBMEDCA1"
The -dn distinguished name uniquely identifies the certificate. The input must be a quoted string of the following format (only the CN is mandatory):
  • CN=common name
  • O=organization
  • OU=organization unit
  • L=location
  • ST=state, province
  • C=country
  • DC=domain component
  • EMAIL=email address
In this example, the distinguished name is "CN=IBMEDCA1".
gsk8capicmd -cert -extract -db server.kdb -pw ser123 -label "IBMEDCA1" -target temp1.arm
-cert -extract -label "IBMEDCA1"
This is the extract certificate command (-extract action and -cert object). The command extracts the named certificate data (-label "IBMEDCA1") from the key database and places it in a file.
-target temp1.arm
The file to which the certificate is to be extracted.
gsk8capicmd -cert -add -db GSK_MS_CERTIFICATE_STORE -label "IBMEDCA1" -file temp1.arm
-cert -add -db GSK_MS_CERTIFICATE_STORE
This is the add certificate command (-add action and -cert object). The command adds the certificate that was extracted (-label "IBMEDCA1" -file temp1.arm) to the MCS (-db GSK_MS_CERTIFICATE_STORE).

Create a server certificate that is signed with the root certificate

The server certificate is stored in the keystore. In the example, the distinguished name is written for a server that runs on a computer called IBMEDSERV.
gsk8capicmd -certreq -create -db server.kdb -label IBMSV1 -dn "CN=IBMEDSERV,dc=ukednode1" -file temp2.arm
-certreq -create
This is the create certificate request command (-create action and -certreq object).
-label IBMSV1
A label is attached to the certificate. In this example, the label is IBMSV1. The label lets a user uniquely identify the certificate in the key database. IBMSV1 is the default certificate name that the Rational DOORS server uses if a name is not specified when the server starts.
-dn "CN=IBMEDSERV,dc=ukednode1"
The -dn distinguished name uniquely identifies the certificate. In this example, the distinguished name is "CN=IBMEDSERV,dc=ukednode1".
Note: The IBMEDSERV part of the distinguished name must either be the name of the server, or the value that is used for -serverhostname if that option is used when the server is started.
-file temp2.arm
The file name that the certificate request is extracted to during the certificate request creation process.
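As an added check (example code, not part of IBM's documentation or tools): a small Python validator for the -dn strings used in this example. It applies the attribute list given for the root certificate's -dn option and the rule that a server certificate's CN must match the server name or the -serverhostname value; the function names and the case-insensitive comparison are assumptions.

```python
"""Validate a gsk8capicmd -dn string against the documented attribute list.

Checks that only the listed attribute types appear, that CN is present,
and that the CN of a server certificate matches the host name the
Rational DOORS server runs under (or its -serverhostname value).
"""

# Attribute types the documentation lists as valid in a -dn string.
# Matched case-insensitively, because the example itself writes "dc=".
ALLOWED_ATTRS = {"CN", "O", "OU", "L", "ST", "C", "DC", "EMAIL"}


def parse_dn(dn: str) -> list:
    """Split 'CN=IBMEDSERV,dc=ukednode1' into [('CN', 'IBMEDSERV'), ('DC', 'ukednode1')].

    Surrounding double quotes (as used on the command line) are stripped.
    Raises ValueError for an unknown attribute type, an empty value, or a
    DN with no CN (the only mandatory component).
    """
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] == '"':
        dn = dn[1:-1]
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"unsupported attribute type {attr!r} in DN")
        if not value:
            raise ValueError(f"empty value for {attr}")
        rdns.append((attr, value))
    if not any(attr == "CN" for attr, _ in rdns):
        raise ValueError("CN is mandatory in a -dn string")
    return rdns


def server_cn_matches(dn: str, server_hostname: str) -> bool:
    """True when the CN equals the server name (or -serverhostname value),
    compared case-insensitively (an assumption; DNS names are case-insensitive)."""
    cn = next(value for attr, value in parse_dn(dn) if attr == "CN")
    return cn.lower() == server_hostname.lower()


if __name__ == "__main__":
    # Constructed inputs taken from the example commands above.
    print(parse_dn('"CN=IBMEDSERV,dc=ukednode1"'))
    print(server_cn_matches("CN=IBMEDSERV,dc=ukednode1", "IBMEDSERV"))
```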
gsk8capicmd -cert -sign -db server.kdb -pw ser123 -label IBMEDCA1 -file temp2.arm -target temp3.arm
-cert -sign
This is the sign certificate command (-sign action and -cert object). The command allows the signing of a certificate request by an existing certificate that is stored within a key database. The command accepts a certificate request in a specified file format and details of the certificate that contains the private key to be used during the signing process.
-file temp2.arm
The name and location of the certificate request to be signed.
-target temp3.arm
The name of the file that will contain the signed certificate.
gsk8capicmd -cert -receive -file temp3.arm -db server.kdb -pw ser123
-cert -receive
This is the receive certificate command (-receive action and -cert object). The command stores, in the key database, the signed certificate that was issued in response to the certificate request created earlier.
-file temp3.arm
The file name of the certificate that is to be received.

Copy the root certificate for certificates from the MCS and add it to the server keystore

This part of the example adds the root certificate that issued the user certificates to the server keystore, so that the server can validate those certificates.
gsk8capicmd -cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
-cert -extract -db GSK_MS_CERTIFICATE_STORE -label "CN=Coy Root" -target temp4.arm
This is the extract certificate command (-extract action and -cert object). The command extracts the named certificate data (-label "CN=Coy Root") from the MCS database (-db GSK_MS_CERTIFICATE_STORE) and places it in a file (temp4.arm).
gsk8capicmd -cert -add -db server.kdb -pw ser123 -label "CN=Coy Root" -file temp4.arm
-cert -add -label "CN=Coy Root" -file temp4.arm
This is the add certificate command (-add action and -cert object). The command adds a certificate to the named keystore.
Note: In these commands, the root certificate name is CN=Coy Root. The root certificate that you use will have a longer name. Also, if your organization uses more than one root certificate, you must extract and add each root certificate individually. For example, one root certificate might apply to the cards used by 500 users, and another root certificate might apply to the remaining 2000 users. In this case, you must add both of these root certificates to server.kdb.