Now that you have configured the CA and KMIP TLS server certificates, you must use IBM Db2 to request a client certificate. Attempting to import an existing client certificate that you did not generate by using a CSR from IBM Db2 results in an error.

Create a CSR

Perform the following steps to create the local keystore and request a CSR for the client certificate:
1. On the server where you installed IBM Db2, create a working directory for your certificates on the C: drive (for example, C:\Certs).

2. Copy your root CA certificate into that folder.

3. Open a command line and run the following command to create the local keystore:

   "C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -keydb -create -db C:\Certs\clientkeydb.p12 -pw safest -type pkcs12 -stash

   Replace the working directory, keystore file name, and keystore password (safest in this example) with your own values. The -stash option writes a stash file for the keystore password, which is why the later commands can pass -stashed instead of the password itself.

4. Run the following command to import the root CA certificate into the local keystore:

   "C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -add -db C:\Certs\clientkeydb.p12 -stashed -label Root -file C:\Certs\root.pem

5. After the root CA certificate is in the local keystore, run the following command to generate the CSR for the IBM Db2 client certificate:

   "C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -certreq -create -db C:\Certs\clientkeydb.p12 -stashed -label ibmdb2 -dn "CN=ibmdb2" -target C:\Certs\clientcert.csr -size 2048 -sigalg SHA256

   For later configuration, make a note of the label (ibmdb2) and the Common Name (CN=ibmdb2) of the client certificate. The name of the identity you create on the KMES must match the Common Name of the client certificate.

6. After generating the CSR for the IBM Db2 client certificate, use the configured storage medium to copy it to the KMES Series 3.
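The identity name on the KMES must match the Common Name in the CSR from step 5. The following Python script is an added example, not part of this guide or of IBM GSKit: it reads a PEM CSR (such as C:\Certs\clientcert.csr) using only the standard library, walks the DER structure to find the commonName attribute, and compares it with the intended identity name before you create the identity. The sample input is a constructed DER Name rather than a full CSR.

```python
import base64
import re

CN_OID = b"\x55\x04\x03"  # DER value of OID 2.5.4.3 (commonName)

def pem_to_der(text: str) -> bytes:
    """Strip PEM armour lines (CSR or certificate) and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def common_names(der: bytes) -> list:
    """Return every commonName string in encoding order. A CSR holds one Name
    (the subject); a certificate holds issuer then subject, so use the last."""
    found = []
    def walk(buf: bytes) -> None:
        pos = 0
        while pos < len(buf):
            tag, value, pos = _tlv(buf, pos)
            if tag & 0x20:  # constructed (SEQUENCE, SET, [0] ...): descend
                walk(value)
            elif tag == 0x06 and value == CN_OID:
                _, cn, _ = _tlv(buf, pos)  # the string right after the OID
                found.append(cn.decode("utf-8"))

    walk(der)
    return found

def csr_matches_identity(csr_pem: str, identity: str) -> bool:
    """True when the CSR subject CN equals the KMES identity name (case-sensitive)."""
    names = common_names(pem_to_der(csr_pem))
    return len(names) == 1 and names[0] == identity

# Constructed sample input: a bare DER Name "CN=ibmdb2" in PEM armour, standing in
# for C:\Certs\clientcert.csr (a real CSR embeds this same Name structure).
SAMPLE_DER = bytes.fromhex("3011310f300d06035504030c06") + b"ibmdb2"
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                  + base64.b64encode(SAMPLE_DER).decode()
                  + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(common_names(pem_to_der(SAMPLE_CSR_PEM)))  # ['ibmdb2']
```

To check a real request, replace SAMPLE_CSR_PEM with the contents of the CSR file; a False result means the identity name you plan to create on the KMES does not match what is in the request.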

Sign the CSR

Perform the following steps to sign the IBM Db2 client certificate CSR:

1. Log in to the KMES Series 3 by using the default admin identities.

2. Go to PKI > Certificate Authorities and right-click the root CA certificate you created for this integration. Then, select Add Certificate > From Request.

3. Browse for the client CSR and select it. The certificate details populate in the Import Certificate window.

4. On the Subject DN and Basic Info tabs, leave all settings at their default values.

5. On the V3 Extensions tab, set the Profile to TLS Client Certificate and select [ OK ]. The IBM Db2 client certificate now appears in the certificate tree.

Export the client certificate

Perform the following steps to export the signed IBM Db2 client certificate:

1. Right-click the signed IBM Db2 client certificate and select Export > Certificate(s).

2. In the Export Certificate window, change the encoding to PEM, specify a name for the file, and select [ Browse ].

3. Browse to a location to save the certificate and select [ Open ].

4. Select [ OK ]. A message states that the file was successfully saved to the specified location.

5. Copy the client certificate to the working folder on the IBM Db2 server.