Top Secret cannot generate a certificate with Extended Key Usage metadata.
Use a 3rd party certificate utility like gskkyman or keytools to generate a certificate with Extended Key Usage metadata, then import it into Top Secret with the following TSS commands:
- To import the 3rd party generated client certificate into Top Secret:
TSS ADD(CERTSITE) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password)
- If the CA/root certificate was not included in your client's certificate dataset and is in a different dataset, use the following command to add it to Top Secret:
TSS ADD(CERTAUTH) DIGICERT(digicertname) DCDSN(datasetname)
Note: Repeat this step if there are intermediate root certificates.
- Create the keyring if it doesn’t already exist. Skip this step if it does.
TSS ADD(acid) KEYRING(8-char-keyringname) LABLRING(upto-255-char-keyring_label_name)
- Add client certificate to keyring:
TSS ADD(acid) KEYRING(8-char-keyringname) RINGDATA(CERTSITE,digicertname) USAGE(PERSONAL) DEFAULT
- Add CA/root certificates to the keyring:
TSS ADD(acid) KEYRING(8-char-keyringname) RINGDATA(CERTAUTH,digicertname) USAGE(CERTAUTH)
Note: If there is more than one CA/root, repeat this step for the other CA/roots.
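
Before uploading the bundle for the first import command above, it helps to confirm that the client certificate really carries Extended Key Usage and whether the CA/root is packaged with it, which decides if the separate CERTAUTH import is needed. The following is an added example, not part of the original article or any vendor tooling; it assumes the certificate was exported as a PKCS#12 file and that OpenSSL is available on the workstation, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect a PKCS#12 bundle before it is uploaded and imported.
# Assumes OpenSSL on the workstation; all function names are hypothetical.

# Text form of the client (end-entity) certificate. $1 = file, $2 = password.
p12_leaf_text() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null
}

# Print the Extended Key Usage values; non-zero status if the extension is absent.
p12_leaf_eku() {
    eku=$(p12_leaf_text "$1" "$2" |
          sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}')
    [ -n "$eku" ] && printf '%s\n' "$eku"
}

# Number of CA certificates packaged with the client certificate.
p12_ca_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Summary: 0 = ready to import, 1 = EKU missing, 2 = bundle unreadable.
p12_report() {
    p12_leaf_text "$1" "$2" | grep -q 'Certificate:' ||
        { echo "cannot read bundle (wrong password or not PKCS#12)"; return 2; }
    if usage=$(p12_leaf_eku "$1" "$2"); then
        echo "EKU: $usage"
    else
        echo "EKU: missing, regenerate the certificate before importing"
        return 1
    fi
    n=$(p12_ca_count "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "CA certs in bundle: 0, import the CA/root separately as CERTAUTH"
    else
        echo "CA certs in bundle: $n"
    fi
}

# Usage: sh check_p12.sh client.p12 'password'   (file name is a placeholder)
if [ $# -ge 2 ]; then
    p12_report "$1" "$2"
fi
```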