5.5.6.2.1: Creating a self-signed test certificate
For test purposes, you can create a self-signed certificate
specifically for a server and its Secure Sockets Layer (SSL) based
Java clients. You can also set up a temporary certificate
authority by creating a self-signed certificate and using it to sign
other certificates.
This procedure is useful when the WebSphere test certificate has
expired, or if you want a self-signed test certificate that
specifically recognizes your server. If you need a test certificate
that has been signed by a Certificate Authority (CA), follow the
procedure in article 5.5.6.2.2, Creating a
certification request.
To create your own self-signed test certificate, complete the following
steps:
- Start the IBM Key Management tool. This displays the IBM
Key Management window.
java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman
- Open a new key database file by selecting Key Database File
--> New from the menu bar. The New dialog box is displayed.
- Enter the name (including
the .class extension) and location of the file for your new key
database class. Files are typically named for the servers they belong
to.
- Click the OK button to continue.
- The Password Prompt dialog box is displayed. Enter a password to
restrict access to the key database. You must set the
keyring-password properties (for example, com.ibm.CORBA.SSLKeyRingPassword
and com.ibm.CORBA.SSLClientKeyRingPassword) to this password so
that iKeyman can open the keyring class at run time.
Do not set an expiration date on the password or save the password
to a file: if you set an expiration date, you must reset the password
when it expires, and if you save it to a file, you must protect that
file. This password is used only to release the information stored
by iKeyman at run time.
- Click the OK button to continue.
- The tool now displays all of the available default signer certificates.
You can add, view or delete signer certificates from this screen.
To continue creating a self-signed certificate, either click the
New Self-Signed... button on the tool bar or select
Create --> New Self-Signed Certificate... from the menu bar.
- The Create New Self-Signed Certificate form is displayed. Enter
the appropriate information for your self-signed certificate:
- Key Label: Give the certificate a key label, which uniquely
identifies the certificate within the keyring. If you have only one
certificate in each keyring, you can assign any value to the
label, but it is good practice to use a unique label related
to the server name.
- Common Name: Enter the server's common name. This is the primary,
universal identity for the certificate; it should uniquely identify
the principal that it represents. In a WebSphere environment,
certificates frequently represent server principals, and
the common convention is to use CNs of the form
<host_name>/<server_name>.
- Organization: Enter the name of your organization.
- Other X.500 fields: Enter the organizational unit (a department or
division), location (city), state/province (if applicable), postal
code (if applicable), and select the two-letter identifier of the
country in which the server is located. For a self-signed
certificate, these fields are optional; commercial CAs may require them.
- Validity period: Specify the lifetime of the certificate, in days,
or accept the default.
- Click the OK button to continue. The resulting key database class
contains a self-signed certificate and its private key, and the
class can be used for both a server and a client. You must copy
the keyring file to the designated directory on the server's host.
If you have only one personal certificate, it will be set
as the default certificate for the database. If you have more
than one, you must select one as the default certificate.
You can change the default certificate as follows:
- Highlight the certificate
- Click the View/Edit... button
- Check the box on the resulting screen to make the
chosen certificate the default
- Click the OK button
- Exit the iKeyman tool by closing the IBM Key Management window.
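The certificate that the procedure above produces, reconstructed as an added Go example (this is not iKeyman or WebSphere code): it builds a self-signed certificate with the CN=<host_name>/<server_name> convention, an organization and a validity period in days, then checks that the result really is self-signed and how many days remain before it expires, the condition that motivates this procedure. The host, server and organization names are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSelfSignedTestCert builds a self-signed certificate with the fields the iKeyman
// form asks for: CN host/server, an organization, and validityDays from notBefore.
func NewSelfSignedTestCert(host, server, org string, notBefore time.Time, validityDays int) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host + "/" + server, Organization: []string{org}}, // WebSphere CN convention
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validityDays), // validity period in days
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	// Using tmpl as its own parent and signing with its own key is what makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

// CheckTestCert parses DER, confirms the certificate is self-signed (issuer equals subject and
// the signature verifies under its own public key) and returns whole days left at time at (negative once expired).
func CheckTestCert(der []byte, at time.Time) (cn string, selfSigned bool, daysLeft int, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", false, 0, err
	}
	selfSigned = cert.Subject.String() == cert.Issuer.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	daysLeft = int(cert.NotAfter.Sub(at).Hours() / 24)
	return cert.Subject.CommonName, selfSigned, daysLeft, nil
}
```

Call NewSelfSignedTestCert with time.Now() and the intended lifetime, then CheckTestCert on the stored DER to see whether the test certificate has expired before clients start failing.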