Generate Certificates with Extended Key Usage Extension

Article ID: 248368

Updated On:

Products

Top Secret

Issue/Introduction

Alert Central requires the keypair certificate to have the Extended Key Usage extension with the Client Authentication flag.

Is there a way to add such extension to a private key certificate via Top Secret?

Environment

Release : 16.0

Component :

Resolution

Top Secret cannot generate a certificate with Extended Key Usage Extension.

The certificate can instead be generated with an external certificate utility that supports the Extended Key Usage extension and the Client Authentication flag, and then added to the Top Secret security file.

1. Generate keypair certificate

TSS GENCERT(CERTSITE) DIGICERT(ABCCERTU)
 SUBJECTN('CN="ABCCERTU"
 O="Broadcom Inc." L="Pittsburgh" ST="PA" C="US"')
   KEYSIZE(2048) KEYUSAGE(HANDSHAKE)
   LABLCERT('ABC Certificate')
   ALTNAME('DOMAIN=ABCCERT.COM')

2. Generate Certificate Signing Request

TSS GENREQ(CERTSITE) DIGICERT(ABCCERTU) DCDSN('ABCCERTU.CERT')

3. Download the certificate signing request to a file (Windows ftp)
3A. Connect to ftp
ftp ftpsite.companya.com
3B. Authenticate
3C. If on VPN, switch to passive mode:
pass
3D. Switch to ASCII transfer
ascii
3E. Download the file (the dataset written by GENREQ in step 2):
get 'ABCCERTU.CERT'

4. Submit the certificate signing request to be signed by the certificate authority


5. Download the certificate files from the authority.


6. If on Windows, make sure to replace CRLF (\r\n) line endings with LF (\n) only; otherwise you will get an invalid certificate format error.

7. Upload the signed certificate file (Windows ftp)
7A. Connect to ftp
ftp ftpsite.companya.com
7B. Authenticate
7C. If on VPN, switch to passive mode:
pass
7D. Switch to ASCII transfer
ascii
7E. Upload the signed certificate file (name the file the same as the dataset, including the single quotes):
put 'ABCCERTS.CERT'

8. Add the certificate to the user ACID (TSS)

TSS ADD(ABCSRVR) DIGICERT(ABCCERTS) LABLCERT(ABCCERTS) DCDSN('ABCCERTS.CERT') TRUST

9. Create keyring

TSS ADD(ABCSRVR) KEYRING(ABCRING)

10. Add certificate to the keyring

TSS ADD(ABCSRVR) KEYRING(ABCRING) RINGDATA(ABCSRVR,ABCCERTU) USAGE(PERSONAL) DEFAULT

11. Add permissions to STC

TSS PERMIT(ABCPROC) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PERMIT(ABCPROC) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)
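
A workstation-side check for the signed certificate before it is uploaded: it applies the CRLF-to-LF fix and confirms that the Extended Key Usage extension lists Client Authentication. This is an added example, not part of the original article or of Top Secret; the function names and the sample data are assumptions made for illustration.

```python
import base64
import re

EKU_OID = bytes.fromhex("551d25")                # 2.5.29.37 extendedKeyUsage
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2 clientAuth

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (short and long lengths)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                             # long form: next n & 0x7f bytes hold the length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def normalize_pem(data: bytes) -> bytes:
    """Turn CRLF (and stray CR) line endings into LF only."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def has_client_auth(pem: bytes) -> bool:
    """True if the first certificate in pem carries EKU with clientAuth."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    _, cert = next(tlvs(base64.b64decode(m.group(1))))   # Certificate SEQUENCE
    _, tbs = next(tlvs(cert))                            # tbsCertificate SEQUENCE
    for tag, val in tlvs(tbs):
        if tag != 0xA3:                          # [3] EXPLICIT extensions
            continue
        _, ext_seq = next(tlvs(val))
        for _, ext in tlvs(ext_seq):
            fields = list(tlvs(ext))             # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] == EKU_OID:
                _, purposes = next(tlvs(fields[-1][1]))
                return any(v == CLIENT_AUTH for _, v in tlvs(purposes))
    return False

# Constructed sample: a skeleton DER structure holding only an EKU extension with
# clientAuth (not a real certificate), wrapped in PEM armor with CRLF endings.
_DER = bytes.fromhex("301b3019a317301530130603551d25040c300a06082b06010505070302")
SAMPLE = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(_DER)
          + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    fixed = normalize_pem(SAMPLE)
    print("CR bytes left:", fixed.count(b"\r"), "| clientAuth EKU:", has_client_auth(fixed))
```

To use it on the file received from the certificate authority, read that file as bytes, pass it through `normalize_pem`, write the result back, and upload only if `has_client_auth` returns True.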