5.5.6.2.2: Creating a certification request

To obtain a certificate from a certificate authority, you must submit a certificate signing request (CSR). You can request either production or test certificates from a CA with a CSR.

With iKeyman, generating a certificate signing request also generates a key pair for the server for which the certificate is being requested. The private key remains in the server's keyring class and never leaves it; only the public key, together with the distinguished name you enter, is placed in the CSR.

To create a certificate signing request (CSR), complete the following steps:

  1. Start the IBM Key Management tool from the command line:
    java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman
    
    The IBM Key Management window is displayed.

  2. Open a new key database file by selecting Key Database File --> New from the menu bar.
  3. The New dialog box is displayed. Enter the name (including the .class extension) and location of the file for your new key database class. Files are typically named for the servers they belong to.
  4. Click the OK button to continue.
  5. The Password Prompt dialog box is displayed. Enter a password to restrict access to the key database. You must later set the keyring-password properties (for example com.ibm.CORBA.SSLKeyRingPassword and com.ibm.CORBA.SSLClientKeyRingPassword) to this same password so that the keyring class can be opened at runtime.

    Note   Do not set an expiration date on the password, and do not save the password to a file: if you do, you must reset the password whenever it expires, or protect the saved password file. This password is used only to unlock, at runtime, the keys and certificates that iKeyman stored in the keyring. The properties that carry it are stored in plain text, so restrict read access to the file that holds them to the account the server runs as.
  6. Click the OK button to continue.
  7. Locate the Key database content portion in the center of the main window and select Key Database Content --> Personal Certificate Requests. This updates the IBM Key Management window to show any existing personal certificate requests.
  8. Click the New... button.
  9. The Create New Key and Certificate Request dialog box is displayed. Enter the necessary information to complete your request. The information certificate authorities require varies; be sure to determine the necessary fields and formats before sending your request.
    Key Label
    Give the certificate a key label, which is used to uniquely identify the certificate within the keyring. If you have only one certificate in each keyring, you can assign any value to the label, but it is good practice to use a unique label, related to the server name.
    Common Name
    Enter the server's common name. This is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. In a WebSphere environment, certificates frequently represent server principals, and the common convention is to use CNs of the form <host_name>/<server_name>.
    Organization
    Enter the name of your organization.
    Other X.500 fields
    Enter the organizational unit (a department or division), locality (city), state or province (if applicable) and postal code (if applicable), and select the two-letter code of the country in which the server is located.
    File name for the certificate request
    Enter the name of the file for the request. CSR files are typically named for the server, with a .arm extension.
  10. Click the OK button.
  11. An Information panel is displayed to indicate that the request file has been successfully created. Click the OK button to dismiss the panel.
  12. Exit the iKeyman tool by closing the IBM Key Management window.

You must now submit the certificate-request file to the CA. The procedure will vary with the CA and with the type of certificate (test or production) being requested.
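Before sending the request file created in step 11, it is worth confirming that it contains what you expect: a well-formed request carrying only the public key and the subject you intended, and nothing else. The following POSIX shell script is an added example, not part of the original page or of iKeyman; it assumes the openssl command-line tool is installed and that the request file is PEM-encoded (the Base64 form that openssl reads). The file name server.arm, the function name check_csr and the host1/server1 names are illustrative.

```shell
#!/bin/sh
# check_csr FILE EXPECTED_CN
# Sanity checks to run on a CSR file (such as the .arm file iKeyman writes)
# before it is sent to a CA.  Returns 0 if every check passes, 1 otherwise.
#   1. the file must not also carry a private key: the key stays in the keyring
#   2. the file must parse as a CSR and its self-signature must verify
#   3. the subject CN must be the <host_name>/<server_name> we meant to request
#   4. an RSA key must be at least 2048 bits
# Assumes the openssl command-line tool is installed and the file is PEM-encoded.
check_csr() {
    csr=$1
    want_cn=$2

    # 1. A CSR carries only the public key.  A PRIVATE KEY block means the
    #    wrong file (or a concatenation of files) is about to leave the machine.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "FAIL: $csr contains a private key; do not send it to the CA" >&2
        return 1
    fi

    # 2. -verify checks the request's self-signature (proof of possession of
    #    the private key); it also fails on anything that is not a CSR at all.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $csr is not a well-formed CSR or its signature does not verify" >&2
        return 1
    fi

    # 3. Print the subject in RFC 2253 form (CN=...,O=...,C=...) and pull out CN.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    cn=$(printf '%s\n' "$subject" | sed -n 's/^\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$want_cn' (subject: $subject)" >&2
        return 1
    fi

    # 4. Reject short RSA keys; openssl reports the size as "Public-Key: (N bit)".
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'rsaEncryption' && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key is only ${bits:-?} bits; use 2048 or more" >&2
        return 1
    fi

    echo "OK: $csr requests CN=$cn with a ${bits:-?}-bit key"
    return 0
}

# Usage: sh check_csr.sh server.arm 'host_name/server_name'
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

Run it against the .arm file with the CN you typed into the Create New Key and Certificate Request dialog; a non-zero exit means the file should not be submitted. The private-key check is deliberately first: a request file that also contains the key would hand the CA (and anyone on the path) the server's identity.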
