Creating a server certificate

You can specify a self-signed certificate to be used as the server communication certificate. Alternatively, you can create a certificate request and manually send the request to a certificate authority (CA) for signing.

About this task

For example, you can use certificates to secure the communication between IBM® Security Key Lifecycle Manager and a tape library. The generated certificate request files reside in the <SKLM_HOME> directory. A sample certificate request file: C:\Program Files\IBM\WebSphere\AppServer\products\sklm\171029122037–sslcert001.csr.

Your role must have permission for the configure action to create an SSL or KMIP certificate.

Before you begin, consider the following points:

  • Whether you can use self-signed certificates during a phase in your project such as a test phase.
  • The time interval that is needed to receive a CA-issued certificate after a request is sent. You must manually send a certificate request to the issuing authority.
  • Whether your site requires partner certificates for use with business partners, vendors, or for disaster recovery purposes.
  • The customary setting in days for a certificate validity interval.

Procedure

  • Using graphical user interface
    1. Log in to the graphical user interface. Click IBM Security Key Lifecycle Manager > Configuration > SSL/KMIP.
    2. Select whether to generate a self-signed certificate, request a certificate from a third-party provider, or use an existing certificate from the keystore.
    3. Specify values for the required and optional fields, and click OK.
    Review and complete the steps under the Next steps section.
  • Using REST interface
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run Certificate Generate Request REST Service.
      Example 1: Create a self-signed certificate:
      POST https://localhost:<port>/SKLM/rest/v1/certificates
      {"type":"selfsigned","alias":"sklmCertificate","cn":"sklm","ou":"sales",
      "o":"myCompanyName","usage":"3592","country":"US","validity":"999",
      "algorithm":"RSA"}
      Example 2: Obtain a certificate from a certificate authority:
      POST https://localhost:<port>/SKLM/rest/v1/certificates
      {"type":"certreq","alias":"sklmCert","cn":"sklm","ou":"sales","o":
      "myCompanyName","usage":"3592","country":"US","validity":"999","fileName":
      "myCertRequest1.crt","algorithm":"ECDSA"}
  • Using command-line interface
    1. Go to the <WAS_HOME>/bin directory.
      For example:
      Windows
      cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      cd /opt/IBM/WebSphere/AppServer/bin
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin.
      For example,
      Windows
      wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      Linux
      ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    3. Run the tklmCertCreate command.
      Example 1: Create a self-signed certificate:
      print AdminTask.tklmCertCreate ('[-type selfsigned
        -alias sklmSSLCertificate -cn sklmssl -ou accounting -o myCompanyName
        -country US -keyStoreName defaultKeyStore
        -usage SSLSERVER -validity 999]')
      Example 2: Obtain a certificate from a certificate authority:
      print AdminTask.tklmCertGenRequest('[-alias sklmSSLCertificate1
        -cn sklm -ou sales -o myCompanyName -locality myLocation
        -country US -validity 999 -keyStoreName defaultKeyStore
        -fileName mySSLCertRequest1.crt -usage SSLSERVER]')
    If you select a certificate request for a third-party provider, the certificate request file in .csr format is generated in the <SKLM_HOME> directory. For example, C:\Program Files\IBM\WebSphere\AppServer\products\sklm\171029122037–sslcert001.csr. Manually send the certificate request to a certificate authority. You must then import the signed certificate to IBM Security Key Lifecycle Manager. For the steps about how to send and import the certificate, see Scenario: To request for a third-party certificate.
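The following Python script is an added example, not code from IBM or from this documentation. It builds the JSON body for the Certificate Generate Request REST service from the fields shown in the two REST examples above, checks the values before anything is sent (a certreq body without a fileName, an unknown type, a non-numeric validity, or a country code that is not two letters is rejected locally), and shows how the body would be posted to https://localhost:<port>/SKLM/rest/v1/certificates. The host, port, user authentication identifier and the exact Authorization header format are assumptions; the identifier comes from the authentication process referenced in step 2, and the header format should be checked against the REST reference for your version.

```python
import json
import urllib.request

# Values accepted by this example. "selfsigned" and "certreq" are the two
# types shown in the documented REST examples; RSA and ECDSA are the two
# algorithms those examples use. The checks are this script's own.
VALID_TYPES = {"selfsigned", "certreq"}
VALID_ALGORITHMS = {"RSA", "ECDSA"}


def build_certificate_request(cert_type, alias, cn, ou, o, usage, country,
                              validity, algorithm, file_name=None):
    """Return the JSON body (as a dict) for POST /SKLM/rest/v1/certificates.

    Raises ValueError for values that would produce a rejected or useless
    request, so mistakes are caught before a CSR is generated.
    """
    if cert_type not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}, got {cert_type!r}")
    if algorithm not in VALID_ALGORITHMS:
        raise ValueError(f"algorithm must be one of {sorted(VALID_ALGORITHMS)}, got {algorithm!r}")
    if not str(validity).isdigit() or int(validity) <= 0:
        raise ValueError("validity must be a positive number of days")
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country must be a two-letter code, for example US")
    for name, value in (("alias", alias), ("cn", cn), ("usage", usage)):
        if not value:
            raise ValueError(f"{name} must not be empty")

    body = {
        "type": cert_type,
        "alias": alias,
        "cn": cn,
        "ou": ou,
        "o": o,
        "usage": usage,
        "country": country,
        "validity": str(validity),
        "algorithm": algorithm,
    }
    if cert_type == "certreq":
        # The request file (.csr) is written under SKLM_HOME and is what you
        # send to the CA, so a certreq without a file name is an error here.
        if not file_name:
            raise ValueError("certreq requires fileName for the generated .csr")
        body["fileName"] = file_name
    return body


def submit_certificate_request(host, port, user_auth_id, body, timeout=30):
    """POST the body to the Certificate Generate Request REST service.

    user_auth_id is the identifier obtained from the REST authentication
    service. The "SKLMAuth userAuthId=" header format is an assumption made
    for this example; verify it against your version's REST reference.
    """
    url = f"https://{host}:{port}/SKLM/rest/v1/certificates"
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"SKLMAuth userAuthId={user_auth_id}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Build both documented bodies; only print them here, since sending
    # requires a running server and a valid user authentication identifier.
    self_signed = build_certificate_request(
        "selfsigned", "sklmCertificate", "sklm", "sales", "myCompanyName",
        "3592", "US", "999", "RSA")
    ca_request = build_certificate_request(
        "certreq", "sklmCert", "sklm", "sales", "myCompanyName",
        "3592", "US", "999", "ECDSA", file_name="myCertRequest1.crt")
    print(json.dumps(self_signed))
    print(json.dumps(ca_request))
    # To send for real (assumed host, port and identifier):
    # print(submit_certificate_request("localhost", 9080, "<userAuthId>", ca_request))
```

Validating locally is worthwhile because a certreq whose CSR was generated with a wrong CN or usage still has to be sent to the CA, signed, and imported before the mistake shows up; the checks above catch the cases the documented fields make obvious before any of that work is done.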

What to do next

From the Welcome page, configure the drive types, keys, and certificates that your organization requires. See Administering.