Creating and sending a certificate signing request on a CORBA C++ client

Before you begin

If you want to create a request for a certificate authority (CA)-signed certificate from a key database file, you must have created the key database already. The request is issued against that key database and the certificate must be integrated into that database. For information about creating a key database, see Creating a key database for a CORBA C++ client.

Why and when to perform this task

Use this procedure to create a Certificate Signing Request (CSR). The request is sent to a CA to get a signed certificate for a C++ client that uses SSL mutual certificate authentication. You only need to complete this procedure if you want to get a signed test or production certificate from a CA.

This procedure creates the CSR file in the $WAS_HOME\etc directory. It also creates a corresponding private key for the client, which remains in your keyring file database. Only the request is transmitted to the CA, never the private key, so the private key remains entirely in your possession at all times.

Steps for this task

To create a Certificate Signing Request (CSR), complete the following steps:

  1. Start the IBM Key Management tool and use it to open the key database file or cryptographic token from which you want to create the certificate request. If you want to create a request from a key database file, complete the following steps:
    1. Start the IBM Key Management tool as described in Starting the IBM Key Management tool.
    2. Open the key database file (filename.kdb) for the client for which you want to request a CA-signed certificate. To open the key database file, either click Open a key database file or select Key Database File > Open from the menu bar. Type the name and location of the key database file at the prompt.
    3. Click OK. This opens the Password Prompt window.
    4. At the prompt, type the password that you specified when you created the CMS key database file.
    5. Click OK.
  2. Select Personal Certificate Requests from the pull-down under Key database content in the middle of the window. This updates the IBM Key Management window to list any existing personal certificate requests.
  3. Click New. The Create New Key and Certificate Request window is displayed.
  4. Fill in the following certificate attributes:
    Key Label
    The key label is used to uniquely identify the certificate within the key database file. For a CORBA C++ client, there typically is only one certificate in each key database file, so you can assign any label value. However, it is good practice to use a unique label, perhaps related to the server or client name.
    Key size
    Key size is the size of the key used to digitally sign and authenticate certificates. The default is 1024. For 128-bit cipher algorithms, the value can be either 512 or 1024. For 56-bit cipher algorithms, the value must be 512.
    Common Name
    This is the primary, universal identity for the certificate that uniquely identifies the principal that it represents.

    Note:

    • Some CAs require that the common name include the fully qualified name of your host. For example, VeriSign does not sign your certificate unless the domain portion of the host name is owned by your organization. Some CAs also restrict the characters that you can use in the common name of a certificate signing request (CSR). For example, your CA might require that the common name be a fully qualified domain name that contains no characters such as '*', ':' or ' ' (space), and does not contain the strings 'http://' or ':port number'. Check the format that your CA requires before you continue with your CSR.
    • Any slash character used after host_name in the common name must be a backslash (\), even on Unix hosts.

    Organization
    This is the name of your organization.

    Note: Some Certificate Authorities (CAs) might require that you complete the "optional" fields in a certificate signing request (CSR) and that you spell out the state or province in full. Check with your intended CA for any such restrictions before continuing to complete your CSR. For example, your CA might require that the location, state/province, and zip code fields be completed for all organizations outside the US or Canada.

    Organization Unit
    (Optional) This is the name of your organization unit.
    Locality
    (Optional) This is the name of the location (city).
    State/Province
    (Optional) This is the name of the state/province.
    Zipcode
    (Optional) This is the zip code.
    Country
    Select the two-letter identifier of the country in which the server belongs.
    The name of the file in which to store the certificate request
    Type the full path name of the file in which you want to store the CSR. Typically, this is something like Websphere_key_dir\common_name.arm, where:
      Websphere_key_dir is the WebSphere default keyrings directory (for example, $WAS_HOME\etc).
      common_name is the common name of the client for which you are getting a certificate.
    The standard extension for a file in which you store a CSR is .ARM.

  5. When you have filled in all of the required fields for the certificate, click OK.

Results

When the CSR file is created, you are notified and prompted to get the certificate signed.

What to do next

Send the file to a CA to request a new digital certificate, or cut and paste the request into the request forms of the CA's Web site. After the CA sends you a new CA-signed certificate, you need to add it to the key database from which you generated the request. Continue with the next step in the overview procedure article, Enabling SSL security between a CORBA C++ client and an EJB server.
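Before the .arm file leaves your control, it is worth checking what you are about to send, and the file can be inspected with ordinary tools: the CSR that the IBM Key Management tool writes is a PEM (Base64 "armored") PKCS#10 request, which is what the openssl command line reads. The script below is an added example, not part of the IBM page or of the IBM Key Management tool. It applies the common-name restrictions the page quotes as typical CA rules (fully qualified host name; no '*', ':' or space; no 'http://' or ':port number' strings), confirms that the request's self-signature verifies, and reads back the key size. The 512- and 1024-bit sizes the page lists reflect 2007 tooling; public CAs have required at least 2048-bit RSA for years, so the size check defaults to 2048. Where the IBM tool is not at hand, make_csr generates an equivalent request with openssl as a stand-in for the GUI step; the host name, organization and file names are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the IBM page: pre-flight checks on a CSR (.arm file)
# before it goes to the CA. The .arm file is a PEM-encoded PKCS#10 request, so
# the openssl CLI can parse and verify it. Host names, file names and the
# organization below are constructed placeholders.

# Apply the common-name restrictions the page quotes as typical CA rules:
# a fully qualified host name, no '*', ':' or space, and no 'http://' or
# ':port' strings. Returns 0 when the name is acceptable, 1 otherwise.
cn_is_acceptable() {
    cn=$1
    [ -n "$cn" ] || return 1
    case $cn in
        *'*'* | *:* | *' '* | *http://*) return 1 ;;
    esac
    # Require at least one dot so a bare "client1" is rejected as not fully qualified.
    case $cn in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-in for the "Create New Key and Certificate Request" GUI step: generate a
# private key that stays on this machine and a CSR for the given common name.
make_csr() {
    cn=$1 key=$2 csr=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
        -subj "/C=US/O=Example Org/CN=$cn" -out "$csr" 2>/dev/null
}

# Extract the CN from a CSR. RFC 2253 ordering prints the CN last, e.g.
# "subject=C=US,O=Example Org,CN=client1.example.com".
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Extract the RSA key size in bits from the CSR's public key
# (the line reads "Public-Key: (2048 bit)" in current OpenSSL releases).
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Full check: the request's self-signature verifies (proof the matching private
# key signed it), the CN passes the CA rules, and the key has at least $2 bits.
check_csr() {
    csr=$1 min_bits=${2:-2048}
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 ||
        { echo "signature on $csr does not verify"; return 1; }
    cn=$(csr_cn "$csr")
    cn_is_acceptable "$cn" ||
        { echo "CN '$cn' violates the CA's common-name rules"; return 1; }
    bits=$(csr_key_bits "$csr")
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "key is ${bits:-unknown} bits, CA requires at least $min_bits"; return 1; }
    echo "CSR for $cn OK ($bits-bit key)"
}

# Demonstration when run directly: build a request in a scratch directory and
# check it. Skipped if the openssl CLI is not installed.
demo() {
    d=$(mktemp -d)
    make_csr "client1.example.com" "$d/client1.key" "$d/client1.arm" &&
        check_csr "$d/client1.arm" 2048
    rc=$?
    rm -rf "$d"
    return $rc
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

check_csr is meant to run on the .arm file the IBM tool produced (or on make_csr's output) just before you paste it into the CA's request form; a CN rejected here would otherwise cost a round trip to the CA. The CN check is plain shell and works without openssl; the signature and key-size checks need the openssl CLI.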

Related tasks
Creating SSL certificates for a CORBA C++ client
Creating a key database for a CORBA C++ client
Starting the IBM Key Management tool
Enabling SSL certificate security between a CORBA C++ client and an EJB server



Searchable topic ID: tcor_ssl9
Last updated: Jun 21, 2007 8:07:48 PM CDT    WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/corba/tasks/tcor_ssl9.html
