5.5.6.2.2: Creating a certification request
To obtain a certificate from a certificate authority, you must
submit a certificate signing request (CSR). You can request either
production or test certificates from a CA with a CSR.
With iKeyman, generating a certificate signing request also generates
a private key for the server for which the certificate is being
requested. The private key remains in the server's key database file,
so it stays private; only the public key is included in the CSR.
To create a certificate signing request (CSR), complete the following
steps:
- Start the IBM Key Management tool. See article 5.5.6.2, The IBM Key Management tool,
for instructions. This displays the IBM
Key Management window.
- Open a new key database file by selecting Key Database File
--> New from the menu bar. The New dialog box is displayed.
- Set Key Database Type to JKS.
- Enter the name and location of the new key file.
- Click the OK button to continue. The Password Prompt
dialog box is displayed.
- Enter a password to restrict access to the key database. In this
example, the default password is WebAS.
The server key store password is stored in the administrative console.
The client trust store password is stored in the sas.client.props file
using the property com.ibm.ssl.trustStorePassword. You must set the
key store password properties to this password so that iKeyman can
open the key store file at runtime. See article 5.5.6.2.5, Making
client and server key store and trust store files accessible, for
details.
Do not set an expiration date on the password, and do not save the
password to a file; otherwise you must reset the password whenever it
expires, or protect the password file. This password is used only to
release the information stored by iKeyman during runtime.
- Click the OK button to continue.
- Locate the Key database content portion in the center of the main
window. Select Key Database Content --> Personal Certificate Requests.
This updates the IBM Key Management window with any existing personal
certificate requests.
- Click the New... button.
- The Create New Key and Certificate Request dialog box is displayed.
Enter the necessary information to complete your request. The
information certificate authorities require varies; be sure to
determine the necessary fields and formats before sending your
request.
- Key Label
- Give the certificate a key label, which is used to uniquely
identify the certificate within the key store. If you have only one
certificate in each key store, you can assign any value to the label,
but it is good practice to use a unique label related to the server
name.
- Common Name
- Enter the server's common name. This is the primary, universal
identity for the certificate; it should uniquely identify the
principal that it represents. In a WebSphere environment,
certificates frequently represent server principals, and the
common convention is to use CNs of the form
<host_name>/<server_name>.
- Organization
- Enter the name of your organization.
- Other X.500 fields
- Enter the organizational unit (a department or division), location
(city), state/province (if applicable), zip code (if applicable),
and select the two-letter identifier of the country in which the
server is located.
- File name for the certificate request
- Enter the name of the file for the request. CSR files are typically
named for the server, with a .arm extension.
- Click the OK button.
- An Information panel is displayed to indicate that the
request file has been successfully created. Click the OK button
to dismiss the panel.
- Exit the iKeyman tool by closing the IBM Key Management window.
You must now submit the certificate-request file to the CA. The
procedure will vary with the CA and with the type of certificate
(test or production) being requested.
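Before the request file leaves your hands, it is worth checking that the .arm holds only a CERTIFICATE REQUEST block (never a private key, which must stay in the key database) and that its subject carries the fields and the <host_name>/<server_name> common-name convention described above. The following added example is not part of the InfoCenter page or of iKeyman; it parses the PEM/DER of a CSR with the standard library only, and builds a constructed, unsigned CSR-shaped sample (dummy key and signature) so that it runs offline.

```python
import base64, re

# DER-encoded OIDs of the X.500 attributes the iKeyman request dialog asks for
OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b",
        "L": b"\x55\x04\x07", "ST": b"\x55\x04\x08", "C": b"\x55\x04\x06"}
NAMES = {v: k for k, v in OIDS.items()}
def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln
def _items(value):
    """Children (tag, value) of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out
def _der(tag, body):  # minimal encoder (values under 256 bytes), used only for the sample
    ln = len(body)
    return bytes([tag]) + (bytes([ln]) if ln < 0x80 else bytes([0x81, ln])) + body

def build_sample_arm(dn):
    """Constructed sample: a CSR-shaped PEM with the given subject, dummy key and signature."""
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, OIDS[k]) + _der(0x13, v.encode())))
                    for k, v in dn)
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30, rdns) + _der(0x30, b"") + _der(0xA0, b""))
    csr = _der(0x30, info + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END CERTIFICATE REQUEST-----\n")

def csr_subject(pem):
    """Pre-flight check of a .arm file: exactly one CERTIFICATE REQUEST block (a PRIVATE KEY
    block would mean the key left the key database); returns the subject as {'CN': ..., ...}."""
    blocks = re.findall(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    kinds = [k for k, _ in blocks]
    if kinds != ["CERTIFICATE REQUEST"]:
        raise ValueError("expected exactly one CERTIFICATE REQUEST block, got %r" % kinds)
    _, csr, _ = _tlv(base64.b64decode(blocks[0][1]), 0)   # CertificationRequest
    subject = _items(_items(csr)[0][1])[1][1]              # Info -> Name (after version)
    out = {}
    for _, rdn in _items(subject):                          # RDN = SET OF type-and-value
        for _, atv in _items(rdn):
            (_, oid), (_, val) = _items(atv)
            out[NAMES.get(oid, oid.hex())] = val.decode()
    return out

def cn_follows_convention(cn):
    """WebSphere server-principal convention from the text: <host_name>/<server_name>."""
    return re.fullmatch(r"[^/\s]+/[^/\s]+", cn) is not None
```

Run `csr_subject` on the real .arm file produced by iKeyman in the same way; a real request carries the server's public key and signature in the fields the sample leaves empty.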