Creating a self signed certificate

Read this page to learn the procedure to renew or generate self-signed certificates.

About this task

To generate the certificate for a broker you can use the Java keytool command. This tool is provided with the Remote Control application and with IBM WebSphere Application Server. These instructions are valid for Remote Control Server version 10.1 FP5 and above:
  1. From the [server_installation]/jre/bin folder launch the following command where CERTPASS is the password of the certificate and HNAME is the hostname of the computer.

    keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -sigalg SHA384withRSA -keystore newkey.p12 -storepass "%CERTPASS%" -keypass "%CERTPASS%" -dname "CN=%HNAME%" -validity 365

If you plan to use a CA-signed certificate, you must first generate a Certificate Signing Request (CSR). This process requires an existing private key in your keystore. Follow these steps to create the request using keytool:
  1. Generate the Certificate Signing Request (CSR):

    From the [server_installation]/jre/bin folder, run the following command. Replace CERTPASS with your keystore password and FILENAME with your preferred output path (for example, certreq.arm or certreq.csr).

    keytool -certreq -alias default -file FILENAME -keystore newkey.p12 -storepass "%CERTPASS%" -keypass "%CERTPASS%"
  2. Submit the request:

    The command generates a file (for example, certreq.arm) in the location you specified. This file contains your public key and identity information and must be sent to your Certificate Authority (CA) to be signed.

  3. Next steps:

    Once the CA returns the signed certificates (usually the server certificate plus the root/intermediate CA certificates), you will need to import them back into the newkey.p12 keystore.
    For more information on how to import the signed certificates and complete the process, see Creating Certificate Authority signed certificates.

    Note: The key store contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored in a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.

Please note that the following instructions only apply to Remote Control Server version 10.1.0.0442 and lower.

Procedure

  1. Open a command prompt window.
  2. Go to the Remote Control Server installation directory.
  3. Change to the [installdir]\java\jre\bin subdirectory on a Windows™ system or the [installdir]/java/jre/bin subdirectory on a Linux™ system.
  4. Run ikeyman.sh on a Linux™ system or ikeyman.exe on a Windows™ system.
  5. Select Key Database File > New.
  6. Select the database type. (Use PKCS12 for Broker Certificate. Use PKCS12 or JKS for the Server certificate)
  7. Click Browse, navigate to the location you want to store the keystore, type a filename for your file and click Save.
  8. Click OK.
  9. Enter and confirm a password to protect the keystore and click OK.
  10. Select Create > New Self-Signed Certificate.
  11. Enter a name for the Key Label.
    For example, the hostname of the broker.
    This is the name that will be displayed in the Personal Certificates list in the key management tool GUI.
  12. Select X509 V3 for the Version.
  13. Select a Key Size value.
    Recommended value is 2048.
  14. Select a Signature Algorithm
    This is a cryptographic algorithm for digital signatures and should be left as the default value SHA256WithRSA.
  15. Type a Common Name.
    Set to the DNS host name and domain of your broker.
    For example trcbroker.example.com
  16. Type the Subject Alternate Name.
    Most recent browsers use the Subject Alternate Name to validate the certificate in place of (or in addition to) the Common Name. Make sure you provide a matching subject alternate name. For example server.example.com.
    Note: Java based certificate tools (like ikeyman) do not support Subject Alternate Names with domain names that start with a number. For example, server.8xxx.com. In this case you need to use OpenSSL or another external tool to create the certificate.
  17. Enter any additional optional information as required.
  18. Enter a Validity Period.
    This is the number of days that the certificate will be valid for. Default is 365 days.
  19. Click OK.
    Self-signed certificate
    If you plan to use the self-signed certificate, you need to extract the certificate at this point by performing the following steps. You can then copy and paste the content of this file where applicable.
    1. Click Extract Certificate.
    2. Use the default Data type Base64-encoded ASCII data.
    3. Enter a file name and location for saving the certificate file to.
    4. Click OK.
    CA-Signed certificate
    If you plan to use CA Signed certificate, you need to create the CSR at this point performing the following steps.
    1. Create a Certificate Signing Request
      1. Select Recreate Request.
      2. Indicate the location where to save the certreq.arm file.
      3. Press OK.
      A certreq.arm file is generated and saved to the location specified. This file must be sent to the certificate authority to be signed.

      For more information to complete the CA singing process, see Creating Certificate Authority signed certificates.

Results

The .p12 (or .jks) file is created with the name and selected location chosen.
Note: The key store contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored in a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.