IBM Support

How to Create a Basic Self-Signed Certificate in Heritage Digital Certificate Manager (DCM)

Troubleshooting


Problem

Some applications require a simple self-signed certificate to use for encrypting communication. The steps in this document will help you accomplish that.

Resolving The Problem

NOTE: For instructions using the updated Digital Certificate Manager for i interface, see the following documentation:

https://www.ibm.com/support/pages/node/6615149



Note:
These steps require that you have already created a local certificate authority (CA) and the *SYSTEM certificate store. If you need to create your own local CA certificate and the *SYSTEM certificate store first, refer to the following documents:

o How to create the *SYSTEM store in DCM: https://www.ibm.com/support/pages/node/683429
o How to create the Local Certificate Authority (CA) store in DCM: https://www.ibm.com/support/pages/node/683413

This quick document assumes that you are already in Digital Certificate Manager and logged in to the *SYSTEM store, and that a local CA has already been created in Digital Certificate Manager.

The four basic steps to create your own certificate are as follows:

  1. Select the option for creating a Server or Client certificate.
  2. Select Local Certificate Authority as the option to sign the certificate.
  3. Complete the certificate details.
  4. Assign the certificate to the application(s).


Once these four steps are done, you should have your own self-signed certificate assigned to the application(s) you selected. The details of these steps are explained below:

    • Step 1



      Click Create Certificate and select Server or client certificate, then click Continue.

    • Step 2



      Verify that Local Certificate Authority is selected and click Continue.

    • Step 3



      Choose your key size (2048 is the default recommended key size) and complete the required information. Below is a brief description of each required field and a screen capture of what was used in this example. Once these are filled in, click Continue at the bottom of the page.

      Certificate Authority (CA): Choose the CA that you would like to sign your certificate.

      Key algorithm: Choose either RSA or ECDSA (RSA is the most common).

      Key Size: The default key size is 2048.

      Certificate label: This can be whatever you want, mixed case, numbers, letters, hyphens, etc. The only stipulation is that the name you add here must be unique (meaning no other certificates on this system can have the same certificate label).

      Organization name: Your business/organization name.

      State or province: Your state/province name. Note that this must be 3 characters or more. Two-character state abbreviations will not work.

      Country or region: Your country/region. Note that this must be 2 characters only. Three characters will not fit.

      Subject Alternative Name: Do not fill this out. It is unnecessary for creating your certificate and has limited function.

      [Screen capture of the values used in this example]

    • Step 4



      You should receive a message that states "Your certificate was created and placed in the certificate store listed below."
      Now you need to select the application (or applications) you want to use this certificate for. Check any of the boxes that apply to your intended use.

      You can check the box for whichever application you wish to use the certificate for. This example shows the SMTP client and FTP server.

      After you have selected your desired application(s), click Replace at the bottom and your certificate will be assigned. Do not select 'Append' unless you are planning to assign an RSA and an ECDSA certificate to the application ID. You should receive a message similar to the following:

      [Screen capture of the confirmation message]

      Click OK, and you are done. Note that most server applications require a restart after a certificate assignment has been changed. Telnet, the Host Servers, and FTP have code that allows them to pick up dynamic certificate changes under certain conditions.
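
The following is an added example, not part of the original IBM document: a shell function, run from a workstation that has the openssl command line tool, that checks a certificate produced by the steps above against the Local CA that signed it. It assumes both are available as PEM files; the host name, file names and the check_dcm_cert and make_constructed_pki helper names are hypothetical, and the sample CA and certificate are constructed with openssl only to stand in for the DCM ones.

```shell
#!/bin/sh
# Added example, not IBM code. Needs the openssl CLI on a workstation.
# To capture what an FTP server presents (host name is a placeholder):
#   openssl s_client -connect ibmi.example.com:21 -starttls ftp </dev/null \
#     | openssl x509 > served.pem

# check_dcm_cert CERT.pem LOCALCA.pem
# Returns 0 if CERT chains to the Local CA, is not signed by itself, and
# (for RSA) has a key of at least 2048 bits, the default from Step 3.
check_dcm_cert() {
    cert=$1 ca=$2
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # A certificate signed by the Local CA has issuer != subject.
    if [ "$(openssl x509 -in "$cert" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$cert" -noout -subject_hash)" ]; then
        echo "FAIL: $cert is signed by itself, not by the Local CA"; return 2
    fi
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case $text in
        *"Public Key Algorithm: rsaEncryption"*)
            if [ "${bits:-0}" -lt 2048 ]; then
                echo "FAIL: RSA key is only $bits bits"; return 3
            fi ;;
    esac
    echo "OK: chains to Local CA, ${bits}-bit key"
}

# Constructed sample standing in for the DCM Local CA and the Step 3 certificate.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$d/ca.key" \
        -out "$d/localca.pem" \
        -subj "/C=US/ST=Minnesota/O=Example Org/CN=Example Local CA" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" \
        -subj "/C=US/ST=Minnesota/O=Example Org/CN=ibmi.example.com" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/localca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Demo run on the constructed sample.
demo=$(mktemp -d)
make_constructed_pki "$demo" && check_dcm_cert "$demo/server.pem" "$demo/localca.pem"
```
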


    Historical Number

    677107828

    Document Information

    Modified date:
    13 October 2022

    UID

    nas8N1010321