Before you begin
If you want to create a self-signed certificate for a key database
file, you must have created the key database file. Later, you can extract
the certificate and add it to a target server's truststore file. For more
information about creating key database files, see
Creating a key database for a CORBA
C++ client.
Why and when to perform this task
When you are developing a production application, you might not
want to purchase a true digital certificate until after you are done testing
the product. With the IBM Key Management tool, you can create a self-signed
digital certificate to use until testing is complete. A self-signed digital
certificate is a temporary digital certificate you issue to yourself,
with yourself as the CA.
Note: Do not release a production application
with a self-signed test certificate; no browser or server will be able to
recognize or communicate with your client.
To create a self-signed
test certificate in a key database file, follow these steps:
- Start the IBM Key Management tool as described in Starting the IBM Key Management tool.
The IBM Key Management window is displayed.
- Open the key database file (filename.kdb) for the client for which you
want to request a self-signed certificate. To open the key database file,
either click Open a key database file on the tool bar or select Key
Database File > Open from the menu bar. Type the name and location of
the key database file at the prompt.
- Click OK. The Password Prompt window is displayed.
- At the prompt, type the password that you specified when you created the
CMS key database file.
- Click OK. The IBM Key Management tool displays all of the default
signer certificates. You can add, view or delete signer certificates from
this screen.
- To continue creating a self-signed test certificate, either click Create
a new self-signed certificate on the tool bar or select Create > New
Self-Signed Certificate from the menu bar. The Create New Self-Signed
Certificate window is displayed.
- Fill in the following certificate attributes, including the name of your
client as the distinguished name. You can leave other attributes with their
default values.
  - Key Label: The key label is used to uniquely identify the certificate within the key database file. For the CORBA C++ client, there typically is only one certificate in each key database file, so you can assign any label value. However, it is good practice to use a unique label, perhaps related to the client name.
  - Version: This is the version of the RSA cipher algorithm that is used to digitally sign and authenticate certificates. Select the default version, X509 V3.
  - Key size: Key size is the size of the key used to digitally sign and authenticate certificates. The default is 1024. For 128-bit cipher algorithms, the value can be either 512 or 1024. For 56-bit cipher algorithms, the value must be 512.
  - Common Name: The common name is the primary, universal identity for the certificate. It must uniquely identify the principal that it represents.
  - Organization: This is the name of your organization.
  - Organization Unit: (Optional) This is the name of your organization unit.
  - Locality: (Optional) This is the name of the location (city).
  - State/Province: (Optional) This is the name of the state/province.
  - Zipcode: (Optional) This is the zip code.
  - Country: From this menu, select the two-letter identifier of the country to which the server belongs.
  - Validity period: The default validity period of 365 days is typically used. Otherwise, specify the number of days that the certificate is valid.
- Click OK. The IBM Key Management window is displayed. The Personal
Certificates field shows the name of the self-signed digital certificate
you created.
Note: If you have only one personal certificate,
it is set as the default certificate for the database. If you have more than
one personal certificate, choose which one is the default certificate. You
can change the default certificate by first highlighting the certificate and
then selecting View/Edit. Then, select the checkbox at the bottom of
the screen to set this certificate as the default.
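
A pre-release check for the earlier note about shipping a self-signed test certificate, as an added example that is not part of the original documentation: it reads a certificate extracted from the key database (PEM text or DER bytes) and reports when the issuer equals the subject or the RSA key is small. `MIN_RSA_BITS`, the function names, and the unsigned sample built by `sample_cert` are assumptions made for this illustration.

```python
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
MIN_RSA_BITS = 2048  # assumed release policy; not a value taken from the page

def read_tlv(buf, pos):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed element's body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def release_findings(cert):
    """Reasons a certificate (PEM str or DER bytes) should not ship to production."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    # tbsCertificate fields, with the optional explicit [0] version dropped
    tbs = [f for f in children(children(children(der)[0][1])[0][1]) if f[0] != 0xA0]
    issuer, subject, spki = tbs[2][1], tbs[4][1], children(tbs[5][1])
    findings = []
    if issuer == subject:  # self-issued; the signature itself is not verified here
        findings.append("issuer equals subject: looks like a self-signed test certificate")
    if children(spki[0][1])[0][1] == RSA_OID:
        modulus = children(children(spki[1][1][1:])[0][1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    return findings

def tlv(tag, *parts):  # DER-encode one element; only used to build the sample
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(subject_cn, issuer_cn, bits):
    """Constructed, unsigned certificate skeleton for the demo; not a real certificate."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))
    modulus = b"\x00" + (1 << (bits - 1) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x03, b"\x00", tlv(0x30, tlv(0x02, modulus), tlv(0x02, b"\x01\x00\x01")))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID), tlv(0x05)), key)
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    dates = tlv(0x30, tlv(0x17, b"250101000000Z"), tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name(issuer_cn), dates, name(subject_cn), spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00"))
```

Calling `release_findings(sample_cert("client1", "client1", 1024))` returns both findings; an empty list means neither condition was detected.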