5.5.6.2.1: Creating a self-signed test certificate

For test purposes, you can create a self-signed certificate specifically for a server and its Secure Sockets Layer (SSL) based Java clients. You can also set up a temporary certificate authority by creating a self-signed certificate and using it to sign other certificates.

This procedure is useful when the WebSphere test certificate has expired, or if you want a self-signed test certificate that specifically recognizes your server. If you need a test certificate that has been signed by a Certificate Authority (CA), follow the procedure in article 5.5.6.2.2, Creating a certification request.

To create your own self-signed test certificate, complete the following steps:

  1. Start the IBM Key Management tool with the following command. The IBM Key Management window is displayed.
    java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman

  2. Open a new key database file by selecting Key Database File --> New from the menu bar. The New dialog box is displayed.
  3. Enter the name (including the .class extension) and location of the file for your new key database class. Files are typically named for the servers they belong to.
  4. Click the OK button to continue.
  5. The Password Prompt dialog box is displayed. Enter a password to restrict access to the key database. You will need to set the keyring-password properties (e.g., com.ibm.CORBA.SSLKeyRingPassword and com.ibm.CORBA.SSLClientKeyRingPassword) to this password so that the keyring class can be opened by iKeyman during runtime.

    Note   Do not set an expiration date on the password, and do not save the password to a file. If you do, you must either reset the password when it expires or protect the password file. This password is used only to release the information stored by iKeyman during runtime.
  6. Click the OK button to continue.
  7. The tool now displays all of the available default signer certificates. You can add, view or delete signer certificates from this screen. To continue creating a self-signed certificate, either click the New Self-Signed... button on the tool bar or select Create --> New Self-Signed Certificate... from the menu bar.
  8. The Create New Self-Signed Certificate form is displayed. Enter the appropriate information for your self-signed certificate.
    Key Label
    Give the certificate a key label, which is used to uniquely identify the certificate within the keyring. If you have only one certificate in each keyring, you can assign any value to the label, but it is good practice to use a unique label, related to the server name.
    Common Name
    Enter the server's common name. This is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. In a WebSphere environment, certificates frequently represent server principals, and the common convention is to use CNs of the form <host_name>/<server_name>.
    Organization
    Enter the name of your organization.
    Other X.500 fields
    Enter the organizational unit (a department or division), locality (city), state or province (if applicable), and postal code (if applicable), and select the two-letter code of the country in which the server is located.
    For a self-signed certificate, these fields are optional. Commercial CAs may require them.
    Validity period
    Specify the lifetime of the certificate, in days, or accept the default.
  9. Click the OK button to continue. The resulting key database class contains a self-signed certificate and its private key, and the class can be used for both a server and a client. You must copy the keyring file to the designated directory on the server's host.
    Note   If you have only one personal certificate, it will be set as the default certificate for the database. If you have more than one, you must select one as the default certificate. You can change the default certificate as follows:
    1. Highlight the certificate
    2. Click the View/Edit... button
    3. Check the box on the resulting screen to make the chosen certificate the default
    4. Click the OK button
  10. Exit the iKeyman tool by closing the IBM Key Management window.
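The steps above produce a self-signed certificate and private key through the iKeyman GUI. The following Go program, added here as an example and not code from IBM or the iKeyman tool, does the same thing programmatically with Go's standard crypto/x509 package so that the pieces are visible: the X.500 subject built from the form fields (with the page's <host_name>/<server_name> convention for the common name), the validity period in days, the self-signature, and the temporary-CA use mentioned at the top of this article, where the self-signed certificate signs a second certificate and a client that trusts it as a signer certificate can verify that chain. It also reports days until expiry, the condition that makes this procedure necessary for an expired test certificate. All names, values and the CertFields type are constructed for the example; it does not write iKeyman's .class key database format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math"
	"math/big"
	"time"
)

// CertFields mirrors the entries on the Create New Self-Signed Certificate
// form. Every value in this file is constructed for the example.
type CertFields struct {
	CommonName   string // page convention: <host_name>/<server_name>
	Organization string
	OrgUnit      string // the remaining X.500 fields are optional for a self-signed certificate
	Locality     string
	State        string
	Country      string // two-letter country code
	ValidityDays int    // certificate lifetime, in days
}

// opt turns an optional form field into an RDN value list (none if blank).
func opt(s string) []string {
	if s == "" {
		return nil
	}
	return []string{s}
}

// issue builds a fresh P-256 key pair and a certificate for f; with parent == nil the
// certificate signs itself, otherwise parent and parentKey sign it.
func issue(f CertFields, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: f.CommonName, Organization: opt(f.Organization), OrganizationalUnit: opt(f.OrgUnit),
			Locality: opt(f.Locality), Province: opt(f.State), Country: opt(f.Country)},
		NotBefore:             now.Add(-time.Minute), // tolerate small clock skew between hosts
		NotAfter:              now.Add(time.Duration(f.ValidityDays) * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // required to sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: issuer == subject, own key signs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewSelfSigned is the equivalent of steps 7 to 9: a self-signed certificate
// and its private key. isCA=true lets it serve as a temporary CA.
func NewSelfSigned(f CertFields, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(f, isCA, nil, nil)
}

// SignWithCA issues a certificate for f signed by the temporary CA.
func SignWithCA(f CertFields, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(f, false, ca, caKey)
}

// VerifyAgainst checks that leaf chains to ca, as an SSL client holding ca as
// a signer certificate would.
func VerifyAgainst(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// DaysUntilExpiry rounds up to whole days; a negative result means expired.
func DaysUntilExpiry(c *x509.Certificate, at time.Time) int {
	return int(math.Ceil(c.NotAfter.Sub(at).Hours() / 24))
}

func main() {
	cert, _, err := NewSelfSigned(CertFields{CommonName: "testhost/testserver", Organization: "Example Org", Country: "US", ValidityDays: 365}, true)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%s expires in %d days", cert.Subject, DaysUntilExpiry(cert, time.Now()))
}
```

Two points worth noting from the code: a self-signed certificate is simply one whose issuer equals its subject and whose own key produced the signature, so a client can only accept it if that exact certificate is installed as a signer (trusted) certificate, which is what VerifyAgainst models; and the temporary-CA variant needs the CA flag and certificate-signing key usage, which the self-signed server certificate from step 8 does not have by default.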
Go to previous article: The iKeyman tool Go to next article: iKeyman: Certification requests