Creating a self-signed certificate
Read this page to learn the procedure to renew or generate self-signed certificates.
About this task
Procedure
- Open a command prompt window.
- Go to the Remote Control Server installation directory.
- Change to the [installdir]\java\jre\bin subdirectory on a Windows™ system or the [installdir]/java/jre/bin subdirectory on a Linux™ system.
- Run ikeyman.sh on a Linux™ system or ikeyman.exe on a Windows™ system.
- Select
- Select the database type. (Use PKCS12 for Broker Certificate. Use PKCS12 or JKS for the Server certificate)
- Click Browse, navigate to the location you want to store the keystore, type a filename for your file and click Save.
- Click OK.
- Enter and confirm a password to protect the keystore and click OK.
- Select
- Enter a name for the Key Label.
For example, the hostname of the broker. This is the name that will be displayed in the Personal Certificates list in the key management tool GUI.
- Select X509 V3 for the Version.
- Select a Key Size value. Recommended value is 2048.
- Select a Signature Algorithm.
This is a cryptographic algorithm for digital signatures and should be left as the default value SHA256WithRSA.
- Type a Common Name. Set to the DNS host name and domain of your broker. For example, trcbroker.example.com.
- Type the Subject Alternate Name.
Most recent browsers use the Subject Alternate Name to validate the certificate in place of (or in addition to) the Common Name. Make sure you provide a matching subject alternate name. For example, server.example.com.
Note: Java-based certificate tools (like ikeyman) do not support Subject Alternate Names with domain names that start with a number. For example, server.8xxx.com. In this case you need to use OpenSSL or another external tool to create the certificate.
- Enter any additional optional information as required.
- Enter a Validity Period. This is the number of days that the certificate will be valid for. Default is 365 days.
- Click OK.
- Self-signed certificate
- If you plan to use the self-signed certificate, you need to extract the certificate at this point by performing the following steps. You can then copy and paste the content of this file where applicable.
- CA-Signed certificate
- If you plan to use a CA-signed certificate, you need to create the CSR at this point by performing the following steps.
- Create a Certificate Signing Request
- Select Recreate Request
- Indicate the location where to save the certreq.arm file
- Press OK.
For more information about completing the CA signing process, see Creating Certificate Authority signed certificates.
Results
Note: The key store contains the private key for the certificate and this
must be kept secure at all times. It is recommended that the original copy of the keystore is
stored in a secure disk, for example an encrypted USB storage device or similar. Keeping a
secure backup of the original keystore is also recommended.
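
The Subject Alternate Name step says to use OpenSSL when ikeyman cannot handle the domain name. The following is an added example, not part of the original procedure: it creates a self-signed certificate with the settings recommended in the steps (X509 V3, 2048-bit key, SHA256WithRSA, 365 days, matching Common Name and Subject Alternate Name) and stores it in a PKCS12 keystore. The function names, the file names and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumed names: the two
# functions, req.cnf/key.pem/cert.pem/keystore.p12, and the password file.

# make_selfsigned HOST OUTDIR PASSFILE
# Builds OUTDIR/cert.pem and OUTDIR/keystore.p12 for HOST.
make_selfsigned() (
    host=$1 out=$2 passfile=$3
    umask 077    # files created here are readable by the owner only
    # Common Name and Subject Alternate Name carry the same DNS name.
    cat > "$out/req.cnf" <<EOF || exit 1
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    # X509 V3, 2048-bit RSA key, SHA256WithRSA signature, 365 days validity.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -config "$out/req.cnf" -keyout "$out/key.pem" \
        -out "$out/cert.pem" || exit 1
    # PKCS12 keystore labelled with the host name. The password is read from
    # a file so that it does not show up in the process list.
    openssl pkcs12 -export -name "$host" -inkey "$out/key.pem" \
        -in "$out/cert.pem" -out "$out/keystore.p12" \
        -passout "file:$passfile" || exit 1
    # Remove the temporary unencrypted key; the keystore keeps the only copy.
    rm -f "$out/key.pem"
)

# cert_san CERT
# Prints the DNS names found in the certificate's Subject Alternate Name.
cert_san() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:'
}

# Usage: make_selfsigned server.8xxx.com /path/to/outdir /path/to/passfile
```

The resulting keystore.p12 holds the private key, so the storage and backup advice in the note above applies to it as well.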