
5.5.6.2.2: Creating a certification request

To obtain a certificate from a certificate authority, you must submit a certificate signing request (CSR). You can request either production or test certificates from a CA with a CSR.

With iKeyman, generating a certificate signing request also generates a private key for the server for which the certificate is being requested. The private key remains in the server's keyring, so it stays private; only the public key is included in the CSR.

To create a certificate signing request (CSR), complete the following steps:

  1. Start the IBM Key Management tool. See article 5.5.6.2, The IBM Key Management tool, for instructions. This displays the IBM Key Management window.
  2. Open a new key database file by selecting Key Database File --> New from the menu bar. The New dialog box is displayed.
  3. Set Key Database Type to JKS.
  4. Enter the name and location of the new key file.
  5. Click the OK button to continue. The Password Prompt dialog box is displayed.
  6. Enter a password to restrict access to the key database. In this example, the default password is WebAS.
    The server key store password is stored in the administrative console. The client trust store password is stored in the sas.client.props file using the property com.ibm.ssl.trustStorePassword. You need to set the key store password properties to this password so that iKeyman can open the key store file at runtime. See article 5.5.6.2.5, Making client and server key store and trust store files accessible, for details.

    Note: Do not set an expiration date on the password, and do not save the password to a file. If you do, you must reset the password when it expires, or protect the password file. This password is used only to release the information stored by iKeyman at runtime.
  7. Click the OK button to continue.
  8. Locate the Key database content portion in the center of the main window. Select Key Database Content --> Personal Certificate Requests. This updates the IBM Key Management window with any existing personal certificate requests.
  9. Click the New... button.
  10. The Create New Key and Certificate Request dialog box is displayed. Enter the necessary information to complete your request. The information certificate authorities require varies; be sure to determine the necessary fields and formats before sending your request.
    Key Label
    Give the certificate a key label, which is used to uniquely identify the certificate within the key store. If you have only one certificate in each key store, you can assign any value to the label, but it is good practice to use a unique label related to the server name.
    Common Name
    Enter the server's common name. This is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. In a WebSphere environment, certificates frequently represent server principals, and the common convention is to use CNs of the form <host_name>/<server_name>.
    Organization
    Enter the name of your organization.
    Other X.500 fields
    Enter the organization unit (a department or division), location (city), state/province (if applicable), zip code (if applicable), and select the two-letter identifier of the country in which the server is located.
    File name for the certificate request
    Enter the name of the file for the request. CSR files are typically named for the server, with a .arm extension.
  11. Click the OK button.
  12. An Information panel is displayed to indicate that the request file has been successfully created. Click the OK button to dismiss the panel.
  13. Exit the iKeyman tool by closing the IBM Key Management window.

You must now submit the certificate-request file to the CA. The procedure will vary with the CA and with the type of certificate (test or production) being requested.
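The same request can be produced without the GUI. The following added example (not IBM's or iKeyman's code) generates the key pair and a CSR carrying the subject fields the Create New Key and Certificate Request dialog collects, writes it to a .arm file, and then checks the request file before it is sent to the CA: the self-signature verifies, the public key matches the key kept locally, and no private-key material ended up in the file. It assumes the Python cryptography package; the host, server and organization values are constructed.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed sample subject using the <host_name>/<server_name> CN convention.
SUBJECT = {
    "CN": "appsrv01.example.com/server1",  # assumed host/server names
    "O": "Example Corp", "OU": "Web Hosting",
    "L": "Austin", "ST": "Texas", "C": "US",
}
FIELD_OIDS = {
    "CN": NameOID.COMMON_NAME, "O": NameOID.ORGANIZATION_NAME,
    "OU": NameOID.ORGANIZATIONAL_UNIT_NAME, "L": NameOID.LOCALITY_NAME,
    "ST": NameOID.STATE_OR_PROVINCE_NAME, "C": NameOID.COUNTRY_NAME,
}

def build_csr(subject, key_size=2048):
    """Generate the private key and sign a CSR that carries only the public
    key and the subject name. Returns (private_key, csr_pem_bytes)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(FIELD_OIDS[k], v)
                      for k, v in subject.items()])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(name)
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)

def check_csr(csr_pem, key):
    """Pre-submission check on the request file: the self-signature verifies,
    the embedded public key matches the key we keep, the subject fields are
    what we entered, and no private-key material went into the file."""
    csr = x509.load_pem_x509_csr(csr_pem)
    subject = {k: csr.subject.get_attributes_for_oid(oid)[0].value
               for k, oid in FIELD_OIDS.items()}
    return {
        "signature_ok": csr.is_signature_valid,
        "public_key_matches":
            csr.public_key().public_numbers() == key.public_key().public_numbers(),
        "private_key_leaked": b"PRIVATE KEY" in csr_pem,
        "subject": subject,
    }

if __name__ == "__main__":
    key, pem = build_csr(SUBJECT)
    with open("server1.arm", "wb") as f:  # iKeyman names request files *.arm
        f.write(pem)
    print(check_csr(pem, key))
```

The private key object never leaves the process here; storing it in a password-protected key database (step 6) is still required before the signed certificate can be received into the key store.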
