5.5.6.2.2: Creating a certification request
To obtain a certificate from a certificate authority, you must
submit a certificate signing request (CSR). You can request either
production or test certificates from a CA with a CSR.
With iKeyman, generating a certificate signing request also generates
a private key for the server for which the certificate is being
requested. The private key remains in the server's keyring class and
never leaves it; only the public key is included in the CSR.
To create a certificate signing request (CSR), complete the following
steps:
- Start the IBM Key Management tool. This displays the IBM
Key Management window.
java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman
- Open a new key database file by selecting Key Database File
--> New from the menu bar.
- The New dialog box is displayed. Enter the name (including
the .class extension) and location of the file for your new key
database class. Files are typically named for the servers they belong
to.
- Click the OK button to continue.
- The Password Prompt dialog box is displayed. Enter a password to
restrict access to the key database. You will need to set the
keyring-password properties (e.g., com.ibm.CORBA.SSLKeyRingPassword
and com.ibm.CORBA.SSLClientKeyRingPassword) to this password so
that the keyring class can be opened by iKeyman during runtime.
Do not set an expiration date on the password or save the password
to a file; otherwise you must reset the password when it expires or
protect the password file. This password is used only to release the
information stored by iKeyman during runtime.
- Click the OK button to continue.
- Locate the Key database content portion in the center of the main window.
Select Key Database Content --> Personal Certificate Requests.
This updates the IBM Key Management window with any existing personal
certificate requests.
- Click the New... button.
- The Create New Key and Certificate Request dialog box is displayed.
Enter the necessary information to complete your request. The
information certificate authorities require varies; be sure to
determine the necessary fields and formats before sending your
request.
- Key Label
- Give the certificate a key label, which is used to uniquely
identify the certificate within the keyring. If you have only one
certificate in each keyring, you can assign any value to the label,
but it is good practice to use a unique label, related to the server
name.
- Common Name
- Enter the server's common name. This is the primary, universal
identity for the certificate; it should uniquely identify the
principal that it represents. In a WebSphere environment,
certificates frequently represent server principals, and the
common convention is to use CNs of the form
<host_name>/<server_name>.
- Organization
- Enter the name of your organization.
- Other X.500 fields
- Enter the organizational unit (a department or division), location
(city), state/province (if applicable), zip code (if applicable),
and select the two-letter identifier of the country in which the
server is located.
- File name for the certificate request
- Enter the name of the file for the request. CSR files are typically
named for the server, with a .arm extension.
- Click the OK button.
- An Information panel is displayed to indicate that the
request file has been successfully created. Click the OK button
to dismiss the panel.
- Exit the iKeyman tool by closing the IBM Key Management window.
You must now submit the certificate-request file to the CA. The
procedure will vary with the CA and with the type of certificate
(test or production) being requested.
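The same request built from the command line, added here as an example that is not part of the IBM documentation: it uses openssl rather than the iKeyman GUI, with constructed host, server and organization values, and then checks the .arm file the way you would before submitting it (signature verifies, CN follows the <host_name>/<server_name> convention, no private key material in the request, and the retained private key is owner-readable only).

```shell
#!/bin/sh
# Added example, not from the IBM documentation: build the request with openssl
# and check it before submission. Host, server and organization values are
# constructed; the CN follows <host_name>/<server_name>, the output is a .arm file.
set -eu

HOST_NAME="ws-host1"
SERVER_NAME="ws-server1"
WORKDIR="${TMPDIR:-/tmp}/csr-example.$$"
KEY_FILE="$WORKDIR/$SERVER_NAME.key"   # stays on the server, like the keyring class
CSR_FILE="$WORKDIR/$SERVER_NAME.arm"   # the only file that goes to the CA

# Generate the key pair and the PKCS#10 request in one step, as iKeyman does.
# The slash inside the CN is escaped because '/' separates RDNs in -subj.
make_csr() {
    mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$KEY_FILE" -out "$CSR_FILE" \
          -subj "/C=US/ST=Texas/L=Austin/O=Example Corp/OU=Middleware/CN=$HOST_NAME\\/$SERVER_NAME" \
          >/dev/null 2>&1 )
}

# 0 when the request's self-signature verifies and the subject has the expected CN.
csr_subject_ok() {
    openssl req -in "$CSR_FILE" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$CSR_FILE" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$HOST_NAME/$SERVER_NAME"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the .arm carries no private key material and its public key is the
# one belonging to the private key kept in KEY_FILE.
csr_private_key_stays_local() {
    grep -q "PRIVATE KEY" "$CSR_FILE" && return 1
    openssl req -in "$CSR_FILE" -noout -pubkey > "$WORKDIR/from_csr.pub"
    openssl pkey -in "$KEY_FILE" -pubout > "$WORKDIR/from_key.pub"
    cmp -s "$WORKDIR/from_csr.pub" "$WORKDIR/from_key.pub"
}

# 0 when the private key file is readable and writable by its owner only.
key_file_is_private() {
    [ "$(ls -l "$KEY_FILE" | cut -c1-10)" = "-rw-------" ]
}

make_csr
csr_subject_ok && csr_private_key_stays_local && key_file_is_private \
    && echo "$CSR_FILE is ready to submit to the CA"
```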