Requesting a server certificate for IBM Key Manager on IBM i
Follow this procedure to create a certificate signed by your local certificate authority (CA), or to apply for a server certificate signed by a commercial CA for import into the IBM Key Management (iKeyman) utility.
A user certificate must be used when the Digital Certificate Manager (DCM) serves as the certificate manager for IBM MQ on multiple platforms. For personal certificates distributed to other platforms and for import into the iKeyman utility, perform the following steps in a Web browser:
Procedure
- Access the DCM interface, as described in Accessing DCM.
- In the navigation pane, click Create Certificate. The Create Certificate page is displayed in the task frame.
- On the Create Certificate panel, select the User certificate radio button and click Continue. The Create User Certificate page is displayed.
- On the Create User Certificate panel, complete the required fields under Certificate Information: Organization name, State or province, and Country or region. Optionally, put values in the Organization unit and Locality or city fields. Click Continue. The Common name is automatically set to the user ID with which we are logged on to the iSeries system.
- On the next Create User Certificate panel, click Install certificate and click Continue. A message is displayed stating, Your personal certificate has been installed. We should keep a backup copy of this certificate.
- Click OK.
- Depending on the internet browser we used to access DCM, do the following steps:
  - For Microsoft Edge choose: Tools>Internet Options>Content tab>Certificates button>Personal tab. Select the certificate and click Export.
  - For Mozilla Firefox choose: Tools>Options>Advanced>Encryption tab>View Certificates button>Your Certificates tab. Select the certificate and click Backup. Select the path and filename and click OK.
- Transfer the exported certificate to the remote system using FTP in binary format.
- Add the exported certificate from step 7 to the iKeyman utility in the key database.
  - If the certificate was saved using Microsoft Edge, use the instructions described in Importing from a Microsoft .pfx file.
  - If the certificate was saved using Mozilla Firefox, use the instructions described in Importing a personal certificate into a key repository.
During the import, ensure that the label name of the personal certificate and the signer certificate are changed to what IBM MQ is expecting. The label must be either the value of the IBM MQ CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager appended, all in lowercase. See Digital certificate labels for details.
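The following Python sketch is an added example, not IBM code and not part of the original procedure. It derives the label IBM MQ expects under the rule above, compares it with the labels present in a key database, and confirms by SHA-256 digest that the exported file survived the binary transfer unchanged. The queue manager name QM1, the label lists and the sample bytes are constructed, and the ASCII-mode simulation models only line-ending translation.

```python
import hashlib

DEFAULT_PREFIX = "ibmwebspheremq"  # default label prefix named on this page


def expected_label(qmgr_name, certlabl=None):
    """CERTLABL if it is set, otherwise prefix + queue manager name, all lowercase."""
    if certlabl:
        return certlabl
    return (DEFAULT_PREFIX + qmgr_name).lower()


def check_label(db_labels, qmgr_name, certlabl=None):
    """Classify the key database labels against the label IBM MQ will look for."""
    want = expected_label(qmgr_name, certlabl)
    if want in db_labels:
        return ("ok", want)
    # A label that differs only in case is the usual slip during import.
    near = [label for label in db_labels if label.lower() == want.lower()]
    if near:
        return ("case-mismatch", near[0])
    return ("missing", want)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def transfer_intact(sent, received):
    """True when the bytes on the remote system match the exported bytes."""
    return sha256_hex(sent) == sha256_hex(received)


def simulate_ascii_mode(data):
    """Assumption: models only the LF -> CRLF rewrite of an ASCII-mode transfer."""
    return data.replace(b"\n", b"\r\n")


# Constructed bytes standing in for an exported file; not a real certificate.
SAMPLE_EXPORT = bytes([0x30, 0x82, 0x01, 0x0A, 0x02, 0x01, 0x03, 0x0A, 0x0D])

if __name__ == "__main__":
    print(check_label(["ibmwebspheremqQM1", "local ca"], "QM1"))
    print("binary:", transfer_intact(SAMPLE_EXPORT, SAMPLE_EXPORT))
    print("ascii :", transfer_intact(SAMPLE_EXPORT, simulate_ascii_mode(SAMPLE_EXPORT)))
```

Record the digest on the exporting machine and compare it on the remote system before importing; a mismatch means the file must be transferred again in binary mode.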