Creating a certificate signing request

To get a certificate that is signed by a third party, you must create a certificate signing request (CSR) to send to the CA.

Before you begin

The truststore file of the Operations Center is a container for SSL/TLS certificates that the Operations Center can access. The truststore file contains the certificate that the Operations Center uses for HTTPS communication with web browsers.

During the installation of the Operations Center, you create a password for the truststore file. To work with the truststore file, you must know the truststore password. If you do not remember this password, follow the instructions in Deleting and reassigning the password for the Operations Center truststore file.

Procedure

To create a CSR, complete the following steps:

  1. From the command line, change the directory to the keystore location:
    Linux and AIX operating systems: installation_dir/ui/Liberty/usr/servers/guiServer
    Windows operating systems: installation_dir\ui\Liberty\usr\servers\guiServer
  2. Create a certificate request by using the ikeyman command or the ikeycmd command. The ikeyman command opens the IBM Key Management graphical user interface, and ikeycmd is a command-line interface.
    Tip: You might have to specify the full path to the ikeyman or ikeycmd command. The commands are located in the following directory, where installation_dir represents the directory in which the Operations Center is installed:

    Linux and AIX operating systems: installation_dir/ui/jre/bin

    Windows operating systems: installation_dir\ui\jre\bin

    • To create a certificate request by using the ikeyman graphical user interface, complete the following steps:
      1. Open the IBM Key Management tool by issuing the following command:
        ikeyman
      2. Click Key Database File > Open.
        In the Open window, click Browse to open the directory and select the gui-truststore.jks file. Click OK.
      3. Create a certificate request. In the Key database content area, click New.
      4. In the Create New Key and Certificate Request dialog box, complete the fields as required by the CA and your organization. Specify the following information:
        Key Label
        Specify a unique label for the certificate in the truststore file. The label name, for example, usr-cert-name, identifies the certificate in the truststore.
        Key Size
        Select a key size of at least 2048 bits.
        Signature Algorithm
        Select SHA256WithRSA.
        Common Name
        Specify the fully qualified domain name (FQDN) of the system on the network where the Operations Center is installed.
        Remember: The FQDN for the system on your network is used in the URL for the Operations Center on your system. The URL is used by a web browser to access the Operations Center.
        Enter the name of a file in which to store the certificate request
        Specify a file that is named certreq.csr in the guiServer directory.
      5. Close the Open window.
    • To create a certificate request by using the ikeycmd command, issue the following command:
      ikeycmd -certreq -create -db gui-truststore.jks -size 2048 -sig_alg SHA256WithRSA -dn "CN=myhost.example.com" -file certreq.csr -label usr-cert-name -san_dnsname myhost.example.com,myhost -san_ipaddr 192.0.2.1,192.0.2.2
      where:
      -dn "CN=myhost.example.com"
      Specifies the distinguished name. Input as a quoted string that contains the specification CN=myhost.example.com, where myhost.example.com specifies the FQDN of the system on the network where the Operations Center is installed.
      Remember: The FQDN for the system on your network is used in the URL for the Operations Center on your system. The URL is used by a web browser to access the Operations Center.
      -label usr-cert-name
      Specifies a unique label, usr-cert-name, for the certificate in the truststore file.
      -san_dnsname myhost.example.com,myhost (Optional)
      Specifies the Domain Name System (DNS) names of the system where the Operations Center is installed. The CN and dnsname are typically the same value.
      -san_ipaddr 192.0.2.1,192.0.2.2 (Optional)
      Specifies the IP addresses of the system where the Operations Center is installed.
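
Before you send certreq.csr to the CA, you can confirm that it carries the key size, signature algorithm, and common name that this procedure specifies. The following script is an added example and is not part of the original procedure or of the product; it assumes that the openssl command-line tool is installed, and check_csr is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not product code. Assumes the openssl CLI is installed;
# check_csr is a hypothetical helper name.
# Usage: sh check_csr.sh certreq.csr myhost.example.com

check_csr() {
    csr=$1 fqdn=$2 rc=0

    # A CSR is signed with its own private key. If this check fails, the file
    # is damaged or is not a PEM certificate request.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *) echo "FAIL: CSR unreadable or self-signature invalid"; return 1 ;;
    esac

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)

    # Key Size: at least 2048 bits.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key size ${bits:-unknown} bits, expected 2048 or more"; rc=1
    fi

    # Signature Algorithm: openssl prints SHA256WithRSA as sha256WithRSAEncryption.
    case $text in
        *"Signature Algorithm: sha256WithRSAEncryption"*) ;;
        *) echo "FAIL: signature algorithm is not SHA256WithRSA"; rc=1 ;;
    esac

    # Common Name: must equal the FQDN that browsers use in the URL.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null)
    case ",${subj#subject=}," in
        *",CN=$fqdn,"*) ;;
        *) echo "FAIL: CN does not match $fqdn"; rc=1 ;;
    esac

    # The SAN options are optional in this procedure, so a missing entry is
    # reported but does not fail the check.
    san=$(printf '%s\n' "$text" | grep 'DNS:' | tr -d ' ')
    case ",$san," in
        *",DNS:$fqdn,"*) ;;
        *) echo "NOTE: no subjectAltName DNS entry for $fqdn" ;;
    esac

    return $rc
}

if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```

The script prints nothing and returns 0 when every check passes; any FAIL line gives a return code of 1.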