
Adding a Certificate to the Key Database File

When you receive a certificate from a CA, install it in your server's key database file and remove any hidden characters it contains (such as line-feed characters). To add a certificate, use the keyadmin command.

Adding certificates with DNs that are different from the key generation DN

You can add certificates that have DNs that are different from the DN used during key generation. A typical case where this occurs is when a DN is changed by an issuing CA.

When you add such a certificate for the first time, the iTP Secure WebServer creates a file called newdn.txt (in the root directory) that contains the new DN. If you subsequently add any certificates that have DNs different from those used during key generation or from those previously added to the key database file, those certificates' DNs are appended to the newdn.txt file. After the newdn.txt file is created, the "newdn is" message provides the DN that is to be used in all keyadmin commands that require a DN and for the AcceptSecureTransport directive. For information about the AcceptSecureTransport directive, see “AcceptSecureTransport” (page 200).

A sample newdn.txt file is:

DN used at the time of keygeneration is: CN=hima.lab201.tandem.com, OU=datakomhw, O=tandem, L=cupertino, ST=california, C=US

New DN in the certificate to be added is: CN=hima.lab201.tandem.com, SN=297-68-2381, OU=a-sign.datakom.at, OU=a-sign Server Light Demo CA, O=Datakom Austria GmbH, C=AT

Use the new DN for all your commands requiring a DN for this certificate.

You can enter the arguments in any order. Enter the entire command on a single command line. If a continuation character is necessary, you must use the backslash (\) character as shown.

bin/keyadmin -keydb keydb -addcert cert-recv-file \
[-force] [-root] [-verbose]

NOTE: The bin/ prefix indicates the directory that contains the keyadmin utility; the default is the bin directory.

The command arguments have these functions:

-keydb keydb

specifies the name of the key database file in which the key pair you created is stored.

-addcert cert-recv-file

specifies the name of the encoded file containing your new certificate as received from your CA.

-force

specifies that a renewal of an older certificate should occur, but that the check for a valid start date should not be performed.

-root

treats the certificate as a root.

-verbose

specifies that complete information associated with the command string should be displayed.

A sample command is:

bin/keyadmin -keydb conf/mykeys -addcert my-cert.txt

This command ensures that the certificate is valid by checking that the public key it contains matches the public key associated with the same DN in the database. Then the certificate is inserted in the database.

Update the KeyDatabase, ServerPassword, and AcceptSecureTransport configuration directives in the server's configuration file, if you have not done so already, and restart the server.

Responses are delivered in PKCS #7 message format. However, you can add items to the database in any of these formats:

• A message in PKCS #7 format
• A raw RADIX-64 encoded certificate

“Sample Certificate in RADIX-64 Format” (page 60) shows an example of a certificate in the RADIX-64 format:

Table 2 Sample Certificate in RADIX-64 Format

---BEGIN CERTIFICATE---
MIICPzCCAekCEAS/HreKrbhGuo00vaEFPcgwDQYJKoZIhvcNAQEEBQAwgakxFjAU
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk3MDgwNjAwMDAwMFoXDTk3MDgyMDIz
NTk1OVowgZsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYD
VQQHFAlDdXBlcnRpbm8xHzAdBgNVBAoUFlRhbmRlbSBDb21wdXRlcnMsIEluYy4x
ITAfBgNVBAsUGFRlc3QgYW5kIEV2YWx1YXRpb24gT25seTEfMB0GA1UEAxQWaElN
QS5sYWIyMDEudGFuZGVtLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCm17LN
l/GG+UYvlnWujFau+PXWF6WAMlsG1MfPk5fWsl7kXw862TKzMHGNBaRzTBbcONOW
PFv4NMBZYVZAWux9AgMBAAEwDQYJKoZIhvcNAQEEBQADQQB9gqo61uzQEd9YZ2vn
dVYd4FH7+1YSGOAmqUJ6yPbv52vmLvXJjZ8b6ENVL7cYvZ55RVhYBKhenCFIu2mu
Cbuk
---END CERTIFICATE---
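The three points made above (strip hidden characters from the received file, know which DN the certificate actually carries before you depend on it in keyadmin commands, and accept the raw RADIX-64 form) can be checked on the workstation before the file ever reaches keyadmin. The following script is an added example, not code from the iTP Secure WebServer documentation or product, and it does not reproduce keyadmin's own checks. It uses only the Python standard library: a small DER walker that reads the issuer and subject DNs and the SubjectPublicKeyInfo out of the certificate, a cleaner that removes CR/LF and any other non-RADIX-64 characters, and a comparison against the DN used at key generation that mirrors the "DN used at the time of key generation" / "New DN in the certificate to be added" report of newdn.txt. The certificate body is the one from Table 2; the five-dash PEM markers and CR/LF line endings were added here so the clean-up has something to remove, and exact string comparison of DNs is an assumption of this example, since keyadmin's matching rules are not documented on the page. The DN is rendered most-specific-first with comma-containing values in double quotes, which is the form keyadmin expects on the command line.

```python
"""Pre-flight checks on a CA-issued certificate before `keyadmin -addcert`.
Added example, not code from the iTP Secure WebServer documentation or product,
and keyadmin's own checks are not reproduced. Standard library only: a minimal
DER walker that reads the subject/issuer DNs and SubjectPublicKeyInfo of an
X.509 v1 or v3 certificate. The RADIX-64 body is the sample from Table 2 of the
page; the five-dash PEM markers and CR/LF line endings were added here so the
hidden-character clean-up has something to remove."""
import base64
import hashlib
import re

SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join([
    "MIICPzCCAekCEAS/HreKrbhGuo00vaEFPcgwDQYJKoZIhvcNAQEEBQAwgakxFjAU",
    "BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v",
    "cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw",
    "RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v",
    "IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTk3MDgwNjAwMDAwMFoXDTk3MDgyMDIz",
    "NTk1OVowgZsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYD",
    "VQQHFAlDdXBlcnRpbm8xHzAdBgNVBAoUFlRhbmRlbSBDb21wdXRlcnMsIEluYy4x",
    "ITAfBgNVBAsUGFRlc3QgYW5kIEV2YWx1YXRpb24gT25seTEfMB0GA1UEAxQWaElN",
    "QS5sYWIyMDEudGFuZGVtLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCm17LN",
    "l/GG+UYvlnWujFau+PXWF6WAMlsG1MfPk5fWsl7kXw862TKzMHGNBaRzTBbcONOW",
    "PFv4NMBZYVZAWux9AgMBAAEwDQYJKoZIhvcNAQEEBQADQQB9gqo61uzQEd9YZ2vn",
    "dVYd4FH7+1YSGOAmqUJ6yPbv52vmLvXJjZ8b6ENVL7cYvZ55RVhYBKhenCFIu2mu",
    "Cbuk",
]) + "\r\n-----END CERTIFICATE-----\r\n"

# Attribute types used in the DNs on the page, by OID; anything else is printed dotted.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def pem_to_der(text):
    """Find the CERTIFICATE block (three- or five-dash markers), drop every
    non-RADIX-64 character (CR, LF, tabs, other hidden characters) and decode."""
    block = re.search(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", text, re.S)
    if block is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", block.group(1)), validate=True)


def read_tlv(buf, pos):
    """Decode one DER header at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, tlv_start, content_start, content_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos)
        yield tag, pos, cs, ce
        pos = ce


def decode_oid(raw):
    """Dotted form of an encoded OBJECT IDENTIFIER (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_name(buf, start, end):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }, in DER order."""
    pairs = []
    for _, _, set_s, set_e in children(buf, start, end):
        for _, _, ava_s, ava_e in children(buf, set_s, set_e):
            (_, _, oid_s, oid_e), (vtag, _, val_s, val_e) = list(children(buf, ava_s, ava_e))[:2]
            oid = decode_oid(buf[oid_s:oid_e])
            codec = "utf-8" if vtag == 0x0C else "utf-16-be" if vtag == 0x1E else "latin-1"
            pairs.append((ATTR_NAMES.get(oid, oid), buf[val_s:val_e].decode(codec)))
    return pairs


def certificate_info(der):
    """Issuer, subject and a SHA-256 fingerprint of the SubjectPublicKeyInfo TLV."""
    _, cert_s, _ = read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)             # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                            # explicit [0] version: present in v2/v3, absent in v1
        fields = fields[1:]
    _serial, _sig_alg, issuer, _validity, subject, spki = fields[:6]
    return {"issuer": parse_name(der, issuer[2], issuer[3]),
            "subject": parse_name(der, subject[2], subject[3]),
            "spki_sha256": hashlib.sha256(der[spki[1]:spki[3]]).hexdigest()}


def dn_string(pairs):
    """Write a DN as the page does: most specific attribute first, comma-containing values in double quotes."""
    return ", ".join(f'{a}="{v}"' if "," in v else f"{a}={v}" for a, v in reversed(pairs))


def check_before_addcert(pem_text, keygen_dn):
    """Report whether the certificate's subject DN equals the DN used at key generation.
    Exact string comparison is an assumption here; keyadmin's matching rules are not on the page."""
    info = certificate_info(pem_to_der(pem_text))
    cert_dn = dn_string(info["subject"])
    return {"matches": cert_dn == keygen_dn, "certificate_dn": cert_dn,
            "keygen_dn": keygen_dn, "spki_sha256": info["spki_sha256"]}
```

Calling check_before_addcert(SAMPLE_PEM, "CN=hima.lab201.tandem.com, OU=datakomhw, O=tandem, L=cupertino, ST=california, C=US") with the key-generation DN from the newdn.txt sample returns matches=False and certificate_dn='CN=hIMA.lab201.tandem.com, OU=Test and Evaluation Only, O="Tandem Computers, Inc.", L=Cupertino, ST=California, C=US', which is the value you would then carry into every keyadmin command and the AcceptSecureTransport directive. The SPKI fingerprint is there so that a renewed certificate can be compared with the key pair already in the database before -force is used; the parser handles only the raw RADIX-64 form, not a PKCS #7 message.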

Deleting a Certificate

To delete a certificate and key pair from the server's key database file, use the keyadmin command. You can enter the arguments in any order. Enter the entire command on a single command line. If a continuation character is necessary, you must use the backslash (\) character as shown; the backslash is not permitted to break the DN value across lines.

bin/keyadmin -keydb keydb -delete -dn 'dn' [-root] [-verbose]

NOTE: The bin/ prefix indicates the directory that contains the keyadmin utility; the default is the bin directory.

This command deletes from the certificate database all information associated with the specified DN.

The command arguments have these functions:

-keydb keydb

specifies the name of the key database file in which the key pair you created is stored.

-delete

specifies that a certificate and key pair should be deleted from the server's key database file.

-dn 'dn'

specifies the full DN for the new key pair. Enclose this DN with apostrophes (') to protect it from being interpreted by the shell.

Make sure to include the same field values entered on the CA request form and in the exact order that the CA specifies. Also, enclose any value containing a comma with quotation marks (").

The keyadmin command accepts these characters in the DN field: A-Z a-z 0-9 (space) ' ( ) + , - . / : = ? #

-verbose

specifies that complete information associated with the command string should be displayed.