Requesting a certificate signed by a Certificate Authority
Added by IBM on November 23, 2011 | Version 1 (Original)
To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.
Before you begin
The keystore that contains a personal certificate request must already exist. In WebSphere® Application Server, the keystore file key.p12 exists.
- Log in to the Integrated Solutions Console.
- Click Security -> SSL certificate and key management -> Related items -> Key stores and certificates -> NodeDefaultKeyStore.
- Under "Additional Properties," click Personal certificate requests.
- Click New.
- In the File for certificate request field, type the full path where the certificate request is to be stored, plus a file name.
For example: c:\servercertreq.arm (for a Windows® machine).
- Type an alias name in the Key label field.
The alias is the name you use to identify the certificate request in the keystore.
For example: stgwcertificate
- Type a common name (CN) value.
The CN must be your externally visible DNS address, the one to which the external community (AOL, for example) opens a TCP connection. The CN value does not have to be identical to any of the email domains associated with your community.
You should decide on the CN value in advance, primarily by consulting your network administrator.
- Type an organization name in the Organization field.
This value is the "organization" value in the certificate's distinguished name.
- In the Organization unit field, type the "organization unit" portion of the distinguished name.
- In the Locality field, type the "locality" portion of the distinguished name.
- In the State or Province field, type the "state" portion of the distinguished name.
- In the Zip Code field, type the "zip code" portion of the distinguished name.
- In the Country or region drop-down list, select the two-letter "country code" portion of the distinguished name.
- Click Apply and Save.
The certificate request is created in the specified file location in the keystore. The request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.
Note: Key store tools (such as iKeyman and keyTool) cannot receive signed certificates that are generated by certificate requests from WebSphere Application Server. Similarly, WebSphere Application Server cannot accept certificates that are generated by certificate requests from other keystore utilities.
- Send the certificate request .arm file to a Certificate Authority for signing.
- Stop the Sametime Gateway server.
- Make a backup copy of your keystore file. Make this backup before receiving the CA-signed certificate into the keystore. The default password for the keystore is WebAS. The Integrated Solutions Console has the path information for the keystore's location.
The path to the NodeDefaultKeyStore is listed in the Integrated Solutions Console as:
- Start the Sametime® Gateway server.
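Before you send the request file to the Certificate Authority, you can confirm that it carries the CN you intended and a well-formed self-signature. The following script is an added example, not IBM code: it assumes the OpenSSL command line tool is installed and that the .arm file is a PEM-encoded PKCS #10 request, and the function names and the host name stgw.example.com are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes the OpenSSL CLI and a PEM-encoded
# PKCS #10 request. Only the request is read; the private key stays in key.p12.

# csr_cn FILE: print the subject CN (RFC 2253 output; fine for DNS names,
# which contain no commas).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# csr_key_bits FILE: print the public key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_sig_ok FILE: succeed if the request's self-signature verifies.
# The message is matched because the exit status differs between versions.
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# check_csr FILE EXPECTED_CN [MIN_BITS]: return 0 if the request is fit to send.
check_csr() {
    file=$1 want=$2 min=${3:-2048} rc=0
    csr_sig_ok "$file" || { echo "FAIL: unreadable or bad self-signature" >&2; return 1; }
    cn=$(csr_cn "$file"); bits=$(csr_key_bits "$file")
    [ "$cn" = "$want" ] || { echo "FAIL: CN is '$cn', expected '$want'" >&2; rc=1; }
    [ "${bits:-0}" -ge "$min" ] || { echo "FAIL: key is ${bits:-?} bits, minimum $min" >&2; rc=1; }
    return $rc
}

# make_sample_csr FILE CN: constructed stand-in for the file WebSphere writes.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/C=US/O=Example Corp/CN=$2" -out "$1" 2>/dev/null
}

# Demo on a constructed request (sample data, not a real server request).
tmp=$(mktemp -d)
make_sample_csr "$tmp/servercertreq.arm" stgw.example.com
check_csr "$tmp/servercertreq.arm" stgw.example.com && echo "OK to send to the CA"
rm -rf "$tmp"
```

For the real request, run check_csr against the file you named in the File for certificate request field, with the CN agreed with your network administrator.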