To get a certificate that is signed by a third party, you must create a certificate
signing request (CSR) to send to the CA.
Before you begin
The truststore file of the Operations Center is a container
for SSL/TLS certificates that the Operations Center can
access. The truststore file contains the certificate that the Operations Center uses for HTTPS communication with web browsers.
During the installation of the Operations Center, you
create a password for the truststore file. To work with the truststore file, you must know the
truststore password. If you do not remember this password, follow the instructions in Deleting and reassigning the password for the Operations Center truststore file.
Procedure
To create a CSR, complete the following steps:
- From the command line, change the directory to the keystore location:
  - Linux: installation_dir/ui/Liberty/usr/servers/guiServer
  - Windows: installation_dir\ui\Liberty\usr\servers\guiServer
- Create a certificate request by using the ikeyman
command or the ikeycmd command. The ikeyman command opens the
IBM Key Management graphical user interface, and ikeycmd is a command-line
interface.
Tip: You might have to specify the full path to the ikeyman or ikeycmd command. The commands are located in the following directory, where installation_dir represents the directory in which the Operations Center is installed:
  - Linux: installation_dir/ui/jre/bin
  - Windows: installation_dir\ui\jre\bin
- To create a certificate request by using the ikeyman
graphical user interface, complete the following steps:
- Open the IBM Key Management tool by issuing the following
command:
ikeyman
- Click .
In the Open window, click Browse to open the
directory and select the gui-truststore.jks file. Click
OK.
- Create a certificate request. In the Key database content area, click
New.
- In the Create New Key and Certificate Request dialog box, complete the fields as required by the
CA and your organization. Specify the following information:
- Key Label
- Specify a unique label for the certificate in the truststore file. The label name, for example,
usr-cert-name, identifies the certificate in the truststore.
- Key Size
- Select a key size of at least 2048 bits.
- Signature Algorithm
- Select SHA256WithRSA.
- Common Name
- Specify the fully qualified domain name (FQDN) of the system on the network where the Operations Center is installed.
Remember: The FQDN for the
system on your network is used in the URL for the Operations Center on your system. The URL is used by a web browser to
access the Operations Center.
- Enter the name of a file in which to store the certificate request
- Specify a file that is named certreq.csr in the
guiServer directory.
- Close the Open window.
- To create a certificate request by using the ikeycmd command, issue the
following command on a single line:
ikeycmd -certreq -create -db gui-truststore.jks -size 2048 -sig_alg SHA256WithRSA -dn "CN=myhost.example.com" -file certreq.csr -label usr-cert-name -san_dnsname myhost.example.com,myhost -san_ipaddr 192.0.2.1,192.0.2.2
where:
- -dn "CN=myhost.example.com"
- Specifies the distinguished name. Input as a quoted string that contains the specification
CN=myhost.example.com, where myhost.example.com specifies the
FQDN of the system on the network where the Operations Center
is installed.
Remember: The FQDN for the system on your network is used in the URL for
the Operations Center on your system. The URL is used by a web
browser to access the Operations Center.
- -label usr-cert-name
- Specifies a unique label, usr-cert-name, for the certificate in the
truststore file.
- -san_dnsname myhost.example.com,myhost (Optional)
- Specifies the Domain Name System (DNS) names of the system where the Operations Center is installed. The CN and
dnsname are typically the same value.
- -san_ipaddr 192.0.2.1,192.0.2.2 (Optional)
- Specifies the IP address of the system where the Operations Center is installed.
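
Before you send certreq.csr to the CA, you can confirm that it carries the values this procedure asks for. The following check is an added example, not part of the product or of the original procedure; it assumes OpenSSL is available to print the request as text, the function names check_csr_text and sample_csr_text are hypothetical, and the sample output is constructed.

```shell
# Added example, not IBM code. Checks the text form of a CSR against the values
# this procedure asks for. Assumes OpenSSL is available to produce that text:
#   openssl req -in certreq.csr -noout -text | check_csr_text myhost.example.com
check_csr_text() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    text=$(cat)
    rc=0

    # Key size, printed as "Public-Key: (2048 bit)" or "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: key size ${bits:-unknown} is below 2048 bits"; rc=1
    fi

    # Signature algorithm; OpenSSL prints SHA256WithRSA as sha256WithRSAEncryption.
    if ! printf '%s\n' "$text" | grep -qi 'Signature Algorithm: *sha256WithRSAEncryption'; then
        echo "FAIL: signature algorithm is not SHA256WithRSA"; rc=1
    fi

    # Common Name from the Subject line; handles "CN=host" and "CN = host".
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/ ]*\).*/\1/p' | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: CN '${cn:-missing}' does not match $fqdn"; rc=1
    fi

    # SAN is optional in the procedure, so a missing DNS entry is only a warning.
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qixF "DNS:$fqdn"; then
        echo "WARN: no SAN DNS entry for $fqdn"
    fi
    return $rc
}

# Constructed sample of `openssl req -noout -text` output for the ikeycmd example above.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: CN = myhost.example.com
        Subject Public Key Info:
                Public-Key: (2048 bit)
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:myhost.example.com, DNS:myhost, IP Address:192.0.2.1
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_csr_text | check_csr_text myhost.example.com && echo "CSR matches the requested values"
```

The function returns a nonzero status when the key size, signature algorithm, or CN differs from what was requested, so it can gate a script that submits the request.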