Adding the root of an unknown CA to CustomizedCAs.p12

First, extract the CA's root certificate or a self-signed certificate from the HODServerKeyDb.kdb key database file. On Windows, for example, enter the following command (it appears on three lines, but you should type it on one line):
java com.ibm.gsk.ikeyman.ikeycmd -cert -extract
-db your_install_directory\bin\HODServerKeyDb.kdb
-pw <password> -label <label> -target cert.arm -format ascii
where your_install_directory is your Host On-Demand installation directory.

Note the following descriptions:

  • -label: Label attached to the certificate.
  • -pw: Password to open the HODServerKeyDb.kdb key database file.
  • -target: Destination file or database. In this case, it is the name of the Base-64 Armored ASCII format file with a default file name of cert.arm.
  • -format: Can be either ASCII or Binary.

Now, add this CA root certificate to the CustomizedCAs.p12 file. To add a CA root certificate or a self-signed certificate to the list of signers in CustomizedCAs.p12, enter the following command:
java com.ibm.gsk.ikeyman.ikeycmd -cert -add
-db CustomizedCAs.p12 -pw hod -label <label>
-file cert.arm -format ascii -trust <enable | disable>
For older clients, to add this CA root certificate to the CustomizedCAs.class file, enter the following command:
java com.ibm.gsk.ikeyman.ikeycmd -cert -add
-db CustomizedCAs.class -label <label>
-file cert.arm -format ascii -trust <enable | disable>

Note the following descriptions:

  • -label: Label for the certificate being added.
  • -file: Name of the file where the certificate has been extracted to. In this case, it is the name of the Base-64 Armored ASCII format file with a default file name of cert.arm.
  • -format: Can be ASCII or Binary.
  • -trust: Whether to set the certificate as a trusted root. Enable sets the CA root or self-signed certificate as a trusted root. Disable does not set it as a trusted root.

Stop and restart the Host On-Demand Service Manager after completing this task.
For older clients, you need to convert the CustomizedCAs.p12 file to a CustomizedCAs.class file for download or cached clients by entering the following command. The command appears on three lines, but you should type it on one line.
..\hod_jre\jre\bin\java -cp ..\lib\sm.zip; 
com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT
CustomizedCAs.p12 hod CustomizedCAs.class
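
Added example (not part of the original documentation or of Host On-Demand): a check to run on the extracted cert.arm before the -cert -add step with -trust enable, reporting the SHA-256 fingerprint to compare against the value the CA publishes and whether issuer equals subject, as expected for a root or self-signed certificate. It assumes cert.arm uses the standard -----BEGIN CERTIFICATE----- armor; the function names are hypothetical and make_sample builds a constructed layout-only sample, not a real certificate.

```python
import base64, hashlib, re

def pem_to_der(text):
    """Decode the Base64-armored certificate block in text to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no Base64-armored certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def inspect(text):
    """Return (SHA-256 fingerprint, issuer == subject) for an armored certificate."""
    der = pem_to_der(text)
    _, start, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, pos, tbs_end = read_tlv(der, start)     # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, end = read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:        # optional [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate layout")
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2)), issuer == subject

def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body      # short-form lengths only

def make_sample(issuer_cn, subject_cn):
    """Constructed sample: X.509 field layout only, not a real signed certificate."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
              + name(issuer_cn) + tlv(0x30) + name(subject_cn) + tlv(0x30))
    der = tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Call inspect(open("cert.arm").read()) on the extracted file and compare the fingerprint with the one obtained from the CA through a separate channel. A False second value means the file holds a certificate issued by another CA rather than a root or self-signed certificate.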