You can use the IBM Global Security Kit (GSKit) command gsk8capicmd_64 to extract a self-signed certificate to a Base64-encoded certificate file. You can then distribute this file to your Db2 client computers to establish secure TLS connections to your Db2 server.
About this task
While Db2 supports many Base64-encoded certificate file formats (for example, *.pem, *.arm, *.cer, *.crt), the examples in this group of topics refer to the .crt file type.
Procedure
- Extract your self-signed certificate by running the following IBM Global Security Kit (GSKit) command:
  gsk8capicmd_64 -cert -extract -db server.p12 -stashed -label <myselfsigned> -target <myselfsigned.crt> -format ascii
  where myselfsigned is the label assigned to the certificate, and myselfsigned.crt is the certificate file name.
  Note: Always use the -extract option for moving certificates to a certificate file for nodes in your network, and not the -export option. Using the -export option moves the private key from your keystore into the certificate file, making it visible to your network.
- Save the extracted certificate in a convenient location and distribute it to each client
that needs to connect to the Db2 server.
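A pre-distribution check for the note above, as an added example that is not part of the IBM procedure: the hypothetical function check_cert_file accepts a file only if it contains Base64 CERTIFICATE blocks and nothing else, so a private key or a binary keystore is caught before the file leaves the server. The sample files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# check_cert_file is a hypothetical helper name, not a GSKit or Db2 command.
# Returns 0 when the file holds only PEM CERTIFICATE blocks, non-zero otherwise.
check_cert_file() {
    f=$1
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    # Any PEM private-key armor (PKCS#8, encrypted PKCS#8, RSA, EC) is a hard fail.
    if grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$f"; then
        echo "FAIL: $f contains a private key" >&2; return 1
    fi
    # A binary keystore (for example PKCS#12) has no PEM armor at all.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "FAIL: $f has no Base64 certificate block" >&2; return 1
    fi
    # Anything else armored alongside the certificate is unexpected.
    if grep -e '-----BEGIN ' "$f" | grep -qv -e '-----BEGIN CERTIFICATE-----'; then
        echo "FAIL: $f contains non-certificate PEM blocks" >&2; return 1
    fi
    echo "OK: $f contains certificate data only"
    return 0
}

# Constructed sample files (placeholder Base64 bodies, not real certificates or keys).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$tmp/good.crt"
{ cat "$tmp/good.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
      '-----END PRIVATE KEY-----'; } > "$tmp/leaky.crt"

check_cert_file "$tmp/good.crt"  || true   # accepted
check_cert_file "$tmp/leaky.crt" || true   # rejected: private key present
```

Run the function against the real output file (myselfsigned.crt in the command above) before copying it to any client.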
What to do next
When you have distributed your self-signed certificate to your Db2 clients, you are ready to configure TLS support on your Db2 server.