Create self-signed personal certificates

A self-signed personal certificate is a temporary digital certificate you issue to yourself, acting as the certificate authority (CA). Creating a self-signed certificate creates a private key and a public key within the key database file. The self-signed certificate is created in a keystore file and it is useful when you develop and test your application. You can also create a self-signed personal certificate from your cryptographic token device.


Before you begin

If you want to create a self-signed certificate for a keystore, you must have already created the keystore file. (Refer to Creating a keystore file for more information.) You can later extract the public key and add the key as a signer certificate to other truststore files.

Read the documentation in the file for further information about how to create a self-signed personal certificate within a key database file.



  1. Start the key management utility, if it is not already running.

  2. Click Key Database file > Open to select an existing file, or click Key Database file > New to select a new file. Select "CMS" for Key database type, select "key.kdb" for file name, and enter a directory for the file location.

  3. Click New Self-Signed from the tool bar or click Create > New Self-Signed Certificate.

  4. Select the X509 version and the key size that suits your application.

  5. Enter the appropriate information for your self-signed certificate:

    Key Label

    Give the certificate a key label, which is used to uniquely identify the certificate within the keystore file. If you have only one certificate in each keystore file, one can assign any value to the label. However, it is good practice to use a unique label related to the server name.

    Common Name

    Enter the common name. This name is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. In a WebSphere environment, certificates frequently represent server principals, and the common convention is to use common names of the form host_name and servername. The common name must be valid in the configured user registry for the secured WebSphere environment.


    Enter the name of your organization.

    Optional fields

    Enter the organization unit (a department or division), location (city), state and province (if applicable), zip code (if applicable), and select the two-letter identifier of the country in which the server belongs. For a self-signed certificate, these fields are optional. However, commercial CAs might require them.

    Validity period

    Specify the lifetime of the certificate in days, or accept the default.

  6. Click OK.



Your key database file now contains a self-signed personal certificate.


What to do next

Create a self-signed test certificate for testing purposes. If you need a test certificate signed by a certificate authority, follow the procedure in Creating a certification request.


See Also

Secure Sockets Layer
Digital certificates


Related Tasks

Creating truststore files
Extracting public certificates for truststore files




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.