Create a certificate authority and certificate for testing on IBM i

Use this procedure to create a local CA certificate to sign certificate requests, and to create and install the CA certificate.


Before starting

The instructions in this topic assume that a local certificate authority (CA) does not exist. If a local CA does exist, go to Requesting a server certificate on IBM i.


About this task

The CA certificates that are provided when you install TLS are signed by the issuing CA. On IBM i, you can generate a local certificate authority that can sign server certificates for testing TLS communications on the system. Follow these steps in a web browser to create a local CA certificate:


Procedure

  1. Access the DCM interface, as described in Accessing DCM.
  2. In the navigation panel, click Create a Certificate Authority. The Create a Certificate Authority page is displayed in the task frame.
  3. Type a password in the Certificate store password field and type it again in the Confirm password field.
  4. Type a name in the Certificate Authority (CA) name field, for example TLS Test Certificate Authority.
  5. Type appropriate values in the Common Name and Organization fields, and select a country. For the remaining optional fields, type the values you require.
  6. Type a validity period for the local CA in the Validity period field. The default value is 1095 days.
  7. Click Continue. The CA is created, and DCM creates a certificate store and a CA certificate for the local CA.
  8. Click Install certificate. The download manager dialog box is displayed.
  9. Type the full path name for the temporary file in which you want to store the CA certificate and click Save.
  10. When the download is complete, click Open. The Certificate window is displayed.
  11. Click Install certificate. The Certificate Import wizard is displayed.
  12. Click Next.
  13. Select Automatically select the certificate store based on the type of certificate and click Next.
  14. Click Finish. A confirmation window is displayed.
  15. Click OK.
  16. In the Certificate window, click OK.
  17. Click Continue. The Certificate Authority Policy page is displayed in the task frame.
  18. In the Allow creation of user certificates field, select Yes.
  19. In the Validity period field, type the validity period of certificates that are issued by your local CA. The default value is 365 days.
  20. Click Continue. The Create a Certificate in New Certificate Store page is displayed in the task frame.
  21. Check that none of the applications are selected.
  22. Click Continue to complete the setup of the local CA.
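
A check that can be run on the CA certificate file saved in step 9 before it is imported into the workstation trust store in steps 10 to 16. This is an added example, not part of the IBM procedure. It assumes the saved file is PEM-encoded and that OpenSSL is available on the workstation; the function names and the sample CA built by `make_sample_ca` are constructed for illustration and stand in for the DCM export.

```shell
#!/bin/sh
# Added example: sanity-check an exported local CA certificate before trusting it.

# Build a constructed stand-in for the exported CA file (1095-day validity,
# the default in step 6). The subject values are sample data.
make_sample_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = TLS Test Certificate Authority
O = Example Org
C = US
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# check_local_ca FILE MAX_DAYS: return 0 only if FILE is a currently valid,
# self-signed CA certificate that expires within MAX_DAYS from now.
check_local_ca() {
    cert=$1; max_days=$2
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: expired or unreadable"; return 1; }
    # Still valid one day past MAX_DAYS means the lifetime is longer than expected.
    if openssl x509 -in "$cert" -noout \
        -checkend $(( (max_days + 1) * 86400 )) >/dev/null; then
        echo "FAIL: valid for more than $max_days days"; return 1
    fi
    # The signature must verify with the certificate's own public key.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not a self-signed root"; return 1; }
    # Basic Constraints must mark the certificate as a CA.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints is not CA:TRUE"; return 1; }
    # Print the fingerprint so this exact certificate can be identified later.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

demo_dir=$(mktemp -d)
make_sample_ca "$demo_dir" && check_local_ca "$demo_dir/ca.pem" 1095
```

Record the printed SHA-256 fingerprint so that the test CA can be identified and removed from the workstation trust store when testing ends.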
