Before you begin
If you want to create a request for a certificate authority (CA)-signed
certificate from a key database file, you must have created the key database
already. The request is issued against that key database and the certificate
must be integrated into that database. For information about creating a key
database, see
Creating
a key database for a CORBA C++ client.
Why and when to perform this task
Steps for this task
Use this procedure to create a Certificate
Signing Request (CSR). This request is sent to a CA to get a signed certificate
for a C++ client that uses SSL mutual certificate authentication. You only
need to complete this procedure if you want to get a signed test or production
certificate from a CA.
This procedure creates the CSR file in the $WAS_HOME\etc
directory. It automatically creates a corresponding private key for the client,
which remains in your key database (keyring) file. You do not transmit the
private key to the CA, so the private key remains entirely in your
possession at all times.
To create a Certificate Signing Request (CSR),
complete the following steps:
- Start the IBM Key Management tool and use it to open the key database
file or cryptographic token from which you want to create the certificate
request. If you want to create a request from a key database file, complete
the following steps:
- Start the IBM Key Management tool as described in Starting the IBM Key Management tool.
- Open the key database file (filename.kdb) for the client for which you
want to request a CA-signed certificate. To open the key database file, either
click Open a key database file or select Key Database File > Open from
the menu bar. Type the name and location of the key database file at the prompt.
- Click OK. This opens the Password Prompt window.
- At the prompt, type the password that you specified when you created the
CMS key database file.
- Click OK.
- Select Personal Certificate Requests from the pull-down under Key
database content in the middle of the window. This updates the IBM Key
Management window to list any existing personal certificate requests.
- Click New. The Create New Key and Certificate Request window
is displayed.
- Fill in the following certificate attributes:
- Key Label
- The key label is used to uniquely identify the certificate within the
key database file. For a CORBA C++ client, there typically is only one certificate
in each key database file, so you can assign any label value. However, it
is good practice to use a unique label, perhaps related to the server or client
name.
- Key size
- Key size is the size of the key used to digitally sign and authenticate
certificates. The default is 1024. For 128-bit cipher algorithms, the value
can be either 512 or 1024. For 56-bit cipher algorithms, the value must be
512.
- Common Name
- This is the primary, universal identity for the certificate that uniquely
identifies the principal that it represents.
Note:
- Some CAs require that you include the fully qualified name
of your host in the common name. For example, VeriSign does not sign your
certificate unless the domain portion of the host name is owned by your organization.
Also, some CAs have restrictions on the characters that you can use for the
common name in a certificate signing request (CSR). For example, your CA might
require that the common name be a fully qualified domain name that does not contain
the characters '*', ''' (single quotation mark), ':' or ' ' (space), or the strings
'http://' or ':port number'. Check the format that your CA requires before
continuing to complete your CSR.
- Any slash character used after host_name in the common name must be a
back-slash (\), even on Unix hosts.
- Organization
- This is the name of your organization.
Note: Some Certificate
Authorities (CAs) might require that you complete the "optional" fields in
a certificate signing request (CSR) and that you completely spell out the
state or province. Check with your intended CA for any such restrictions
before continuing to complete your CSR. For example, your CA might require
that the location, state/province, and zip code fields be completed for all
organizations outside the US or Canada.
- Organization Unit
- (Optional) This is the name of your organization unit.
- Locality
- (Optional) This is the name of the location (city).
- State/Province
- (Optional) This is the name of the state/province.
- Zipcode
- (Optional) This is the zip code.
- Country
- Select from this menu the two-letter identifier of the country in which the
server is located.
- The name of the file in which to store the certificate request
- Type the full path name of the file in which you want to store the CSR.
Typically, this is something like Websphere_key_dir\common_name.arm,
where Websphere_key_dir is the WebSphere default keyrings directory (for
example, $WAS_HOME\etc) and common_name is the common name of the client
for which you are getting a certificate. The standard extension used for a
file in which you want to store a CSR is .ARM.
Results
When you have filled in all of the required fields for the certificate,
click OK. When the CSR file is created, you are notified and prompted
to get the certificate signed.
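As an added example (not part of the original IBM documentation or the IBM Key Management tool), the following Python script checks the attributes you intend to enter against the CA restrictions described in the steps above (fully qualified common name, forbidden characters, key size per cipher strength, "optional" fields for organizations outside the US or Canada) and confirms that the resulting .arm file contains only a certificate request and no private key. The forbidden-character set, the attribute key names and the sample .arm content are assumptions constructed for this example.

```python
import re

# Assumed set of forbidden CN substrings, based on the CA restrictions described
# on this page; the actual rules depend on your CA.
FORBIDDEN_CN_SUBSTRINGS = ("*", "'", ":", " ", "http://", ":port number")
# Cipher strength (bits) -> RSA key sizes the page lists as acceptable.
ALLOWED_KEY_SIZES = {128: {512, 1024}, 56: {512}}
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def check_common_name(cn):
    """Return a list of problems with the proposed Common Name (empty if OK)."""
    problems = [f"common name contains forbidden {bad!r}"
                for bad in FORBIDDEN_CN_SUBSTRINGS if bad in cn]
    if not FQDN_RE.match(cn):
        problems.append("common name is not a fully qualified domain name")
    return problems

def check_attributes(attrs, cipher_bits=128):
    """Check the attribute set entered in the Create New Key and Certificate Request window."""
    problems = check_common_name(attrs.get("CN", ""))
    if attrs.get("key_size") not in ALLOWED_KEY_SIZES[cipher_bits]:
        problems.append(f"key size must be one of {sorted(ALLOWED_KEY_SIZES[cipher_bits])} "
                        f"for {cipher_bits}-bit ciphers")
    country = attrs.get("C", "")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("country must be a two-letter code")
    elif country not in ("US", "CA"):
        # Some CAs insist on the "optional" fields for organizations outside US/Canada.
        for field in ("L", "ST", "postalCode"):
            if not attrs.get(field):
                problems.append(f"{field} should be filled in for organizations outside US/Canada")
    return problems

def check_csr_file(text):
    """The .arm file must hold only the request; the private key stays in the key database."""
    problems = []
    if not re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----", text):
        problems.append("file does not contain a PEM certificate request")
    if "PRIVATE KEY" in text:
        problems.append("file contains a private key; do not send it to the CA")
    return problems

# Constructed sample .arm content (placeholder body, not a real request).
SAMPLE_ARM = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MIIBCONSTRUCTEDPLACEHOLDERNOTAREALREQUEST\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)
```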
What to do next
Send the file to a CA to request a new digital certificate, or cut
and paste the request into the request forms of the CA's Web site. After the
CA sends you a new CA-signed certificate, you need to add it to the key database
from which you generated the request. Continue with the next step in the overview
procedure article,
Enabling SSL security between a CORBA C++ client
and an EJB server.