Installing a trusted root authority certificate

To use SSL, you must obtain a trusted root authority certificate (CA) from an organization that validates digital certificates used in online transactions. A certificate is validated by a hierarchy of CAs that approve the certificate. The ultimate CA in the chain is the trusted root certificate authority.

Before You Begin

Obtain a trusted root certificate from a certificate signing authority (CSA). Guidelines are as follows:

• Select a public or private CSA and determine how it issues certificates before you begin using this product.
• Use the public key of the CSA when requesting the certificate for this product.
• The digital certificate of the CSA can be used to authenticate certificates that are validated by that CA.
• SSL certificates must be in the X.509 PEM (Privacy-Enhanced Mail) format. If your certificate is in another format, convert it to X.509 PEM format. For example, to convert a Microsoft certificate to an X.509 PEM certificate, use the Microsoft INETSDK tools.

To install a trusted root authority certificate:

1. In the sslcmd menu, select option 2 Add CA.
2. Enter the full path and file name of the CA certificate.

   The CA certificate is installed in the key database, and a verification message similar to this one is displayed.

   -----BEGIN CERTIFICATE-----

   MIICSDCCAfKgAwIBAgIQLMQ4SxAAEo8R0uLgqRaB1DANBgkqhkiG9w0BAQQFADCB

   hTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRAwDgYDVQQHEwdIb3VzdG9u

   MRUwEwYDVQQKEwxCTUMgU29mdHdhcmUxDzANBgNVBAsTBldFQkRFVjEsMCoGA1UE

   AxMjV1dXUUEgVGVzdGluZyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTkwMzI1

   MTg0NDE0WhcNMDQwMzI1MTg0NDE0WjCBhTELMAkGA1UEBhMCVVMxDjAMBgNVBAgT

   BVRleGFzMRAwDgYDVQQHEwdIb3VzdG9uMRUwEwYDVQQKEwxCTUMgU29mdHdhcmUx

   DzANBgNVBAsTBldFQkRFVjEsMCoGA1UEAxMjV1dXUUEgVGVzdGluZyBDZXJ0aWZp

   Y2F0ZSBBdXRob3JpdHkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAlRjFdJsiLN82

   7lSwm7vcby/CdkGt5oE6GRSNlU/tfyEKGR4bzs1M+WO0SVemtOewcV2YiTzWgAr+

   nEc0y+qGjQIDAQABozwwOjALBgNVHQ8EBAMCAMQwDAYDVR0TBAUwAwEB/zAdBgNV

   HQ4EFgQUnwn4N+0AnUpVkzFTgHuhQuAElCUwDQYJKoZIhvcNAQEEBQADQQBr/i2j

   ArvbTJfmeTld8bzsPlakDZbmL7Hcud4etJezq4XNSwlDZ5LuqfX7ACBrfs53R9BY

   ecwZM0M3sfKuAoRT

   -----END CERTIFICATE-----

   WWWQA Testing Certificate Authority

   Command Add CA successful

   Enter to proceed

3. In the sslcmd menu, select option 8 List CA to list the certificates that are in the SSL key database.
4. Verify that the installed certificate appears in the resulting list, which must resemble the following output:

   ***CA number 1, Label Compiled Trusted Root

   Subject Distinguished Name:

   OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US

   ***CA number 2, Label Compiled Trusted Root

   Subject Distinguished Name:

   OU=Commercial Certification Authority,O="RSA Data Security, Inc.",C=US

   ***CA number 3, Label Compiled Trusted Root

   Subject Distinguished Name:

   OU=Secure Server Certification Authority,O="RSA Data Security, Inc.",C=US

   ***CA number 4, Label Compiled Trusted Root

   Subject Distinguished Name:

   OU=Secure Server Certification Authority,O="RSA Data Security, Inc.",C=US

   Command List CA successful