Create a certificate

Use the iKeyman utility to create a self-signed certificate and then extract its public part to a file, so that clients can use it to set up secure (SSL/TLS) communication with the directory server. The private key stays in the key database and is never extracted.

The iKeyman utility ships with IBM Security Directory Server.

  1. Start the iKeyman utility. For example, run the gsk7ikm command from the /usr/local/ibm/gsk7/bin directory.

  2. If the iKeyman utility cannot locate Java™, point JAVA_HOME at the JRE that is installed with the directory server and start the utility again. For example: export JAVA_HOME=/opt/IBM/ldapv6.1/java/jre

  3. In the IBM Key Management window, select Key Database File > New.

  4. Select a default database type of CMS.

  5. In the File Name field, type a name for the CMS key database file. For example, type: LDAPSERVER_TEST1234.kdb

    The example follows the naming convention application_serverhostname, where application identifies the directory server and serverhostname identifies the computer that hosts the directory server.

  6. In the Location field, specify a location to store the key database file. For example, type /certs.

  7. Click OK.

  8. In the Password Prompt window:

    1. Enter and then confirm a password. The example value Pa$$word1 is a placeholder only; use a long, high-strength password for a production key database.
    2. Check the password strength indicator and choose a password that reaches the highest strength.
    3. Select Stash the password to a file. The stash (.sth) file lets the directory server open the key database without prompting, but it stores the password in an obfuscated form, not an encrypted one, so restrict the file to the directory server's user account (for example, mode 600).

    4. Click OK.

  9. Select Create > New Self-Signed Certificate and specify a key label that matches the CMS key database file name, such as LDAPSERVER_TEST1234. This example uses the same name (LDAPSERVER_TEST1234) for both the certificate label and the key database file that contains the certificate.

  10. Enter IBM in the Organization field and make sure that the Common Name is the fully qualified host name that clients use to connect to the directory server; clients that verify the host name reject a certificate whose Common Name does not match. Accept the remaining default values and click OK. A self-signed certificate, with its public and private keys, now exists in the key database.
  11. For subsequent use with clients, extract the certificate (the public part only) to a file. Complete these steps:

    1. Select Extract Certificate.
    2. Specify a data type of Binary DER Data.

      A file with an extension of .der contains binary data. This format holds a single certificate, which is all that is needed to extract a self-signed certificate.

    3. In the Certificate file name field, type a name for the file, such as LDAPSERVER_TEST1234.der.
    4. Specify a location, such as /certs, the directory in which you previously stored the key database file.

    5. Click OK.
  12. Verify that the /certs directory contains the following files:

    File                      Description
    LDAPSERVER_TEST1234.crl   Certificate revocation list; not used in this example.
    LDAPSERVER_TEST1234.der   The extracted certificate (public part only); this is the file to distribute to clients.
    LDAPSERVER_TEST1234.kdb   Key database file that holds the certificate and its private key; keep it private to the directory server.
    LDAPSERVER_TEST1234.rdb   Request database; not used in this example.
    LDAPSERVER_TEST1234.sth   Stash file that holds the key database password; restrict its permissions.

    If you use an existing or newly acquired certificate from a CA, copy it to the /certs directory on the root file system of the directory server.

    Alternatively, you can use the WebSphere Application Server administrative console to create a self-signed certificate.

    1. Select Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore]. From Additional Properties, click Personal certificates.

    2. Click Create a self-signed certificate.
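The iKeyman procedure above, as an added example that is not part of the IBM page: the same steps run non-interactively with GSKit's gsk7cmd command line, followed by the checks a practitioner would run on the extracted .der file before handing it to clients (is it really a single DER certificate, does its Common Name match the directory server's host name, is it still valid). The gsk7cmd call assumes GSKit 7 is installed and on the PATH; the host name ldapserver.example.com and the sample certificate that openssl generates for the offline run are constructed for illustration only.

```sh
#!/bin/sh
# Added example (not from the IBM page): command-line equivalent of the
# iKeyman steps via gsk7cmd, plus openssl checks of the extracted .der file.
# Assumptions: gsk7cmd on PATH for create_with_gskit; openssl on PATH for the
# checks; ldapserver.example.com stands in for the real directory server host.

LDAP_HOST=${LDAP_HOST:-ldapserver.example.com}   # assumed host name

# Steps 3 to 11 of the procedure, non-interactively, mirroring the GUI choices:
# a CMS key database with a stashed password, a self-signed certificate whose
# label matches the database name, and a binary DER extract of the public
# certificate only (the private key never leaves the .kdb file).
# Example call (assumed paths from the page):
#   create_with_gskit /certs/LDAPSERVER_TEST1234.kdb "$PW" LDAPSERVER_TEST1234 \
#       "$LDAP_HOST" /certs/LDAPSERVER_TEST1234.der
create_with_gskit() {
    db=$1 pw=$2 label=$3 cn=$4 out=$5
    gsk7cmd -keydb -create -db "$db" -pw "$pw" -type cms -stash
    gsk7cmd -cert -create -db "$db" -pw "$pw" -label "$label" \
        -dn "CN=$cn,O=IBM" -size 2048 -expire 365 -default_cert yes
    gsk7cmd -cert -extract -db "$db" -pw "$pw" -label "$label" \
        -target "$out" -format binary
    # The stash file holds the password in obfuscated, not encrypted, form.
    chmod 600 "${db%.kdb}.sth"
}

# Constructed stand-in for the gsk7cmd output so the checks can run offline:
# an RSA self-signed certificate written directly as binary DER.
make_sample_der() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$LDAP_HOST/O=IBM" \
        -keyout "$dir/key.pem" -out "$dir/cert.der" -outform DER \
        >/dev/null 2>&1
}

# Common Name of a DER certificate, taken from its RFC 2253 subject string.
der_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# What to verify before step 12 is called done:
#  1. the file parses as a DER certificate (a PEM file or a key file does not),
#  2. the Common Name is the host name clients will connect to,
#  3. the certificate has not already expired.
check_extracted_cert() {
    file=$1 expected_cn=$2
    if ! openssl x509 -inform DER -in "$file" -noout 2>/dev/null; then
        echo "$file: not a DER-encoded certificate" >&2
        return 1
    fi
    cn=$(der_cn "$file")
    if [ "$cn" != "$expected_cn" ]; then
        echo "$file: CN '$cn' does not match expected host '$expected_cn'" >&2
        return 1
    fi
    if ! openssl x509 -inform DER -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$file: certificate has expired" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_cert.sh demo                                  (offline sample run)
#        sh check_cert.sh /certs/LDAPSERVER_TEST1234.der ldapserver.example.com
case ${1:-} in
    demo)
        tmp=$(mktemp -d)
        make_sample_der "$tmp" || exit 1
        check_extracted_cert "$tmp/cert.der" "$LDAP_HOST" \
            && echo "sample OK: CN=$(der_cn "$tmp/cert.der")"
        rm -rf "$tmp" ;;
    "") ;;   # no arguments: only define the functions
    *)  check_extracted_cert "$1" "${2:-$LDAP_HOST}" ;;
esac
```

The checks are deliberately run on the extracted file rather than on the key database: the .der is what leaves the server, so a wrong Common Name or an accidentally exported PEM key is caught before any client imports it.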

See: