Creating Certificate Authority signed certificates

Read this page to learn the procedure to renew or generate a CA-signed certificate.

About this task

The process of obtaining a CA signed certificate requires the creation of a Certificate Signing Request (CSR) that must be provided to the Certificate Authority. The CA will return a signed certificate that then needs to be imported in the keystore.

To accomplish this procedure, you can use the IBM Key Management tool. This tool is provided with the Remote Control application and with IBM WebSphere Application Server.

Procedure

  1. Open a command line window.
  2. Go to the Remote Control Server installation directory.
  3. Change to the [installdir]\java\jre\bin subdirectory on a Windows™ system or the [installdir]/java/jre/bin subdirectory on a Linux™ system.
  4. Run ikeyman.sh on a Linux™ system or ikeyman.exe on a Windows™ system.
  5. In the GUI window, select Key Database File > Open.
  6. Go to the directory where the keystore is located and open the existing keystore.
    To open the Server Default Keystore:
    1. The Keystore is in [installdir]/wlp/usr/servers/trcserver/resources/security directory, where [installdir] is the Remote Control Server installation directory.
    2. Select the file named key.jks.
    3. Click open.
    4. Enter the password TrCWebAS.
    To open another Keystore:
    Note: If you are running a Remote Control Server 10.0.0.0512 or earlier and if you want to generate the PKCS12 (.p12 or .pfx) using OpenSSL 3, you need to add the option -legacy to the command. For example: openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem -legacy.
    1. Select the directory where the keystore is located.
    2. Select the keystore file name and Type.
    3. Click open.
    4. Enter the password.
  7. Create a Certificate Signing Request.
    1. Select Recreate Request.
    2. Indicate the location where the certreq.arm file is to be saved.
    3. Press OK.
    4. A certreq.arm file is generated and saved to the location specified. This file must be sent to the certificate authority to be signed.

    The certreq.arm file is a base-64 encoded ASCII representation of the certificate request. You may have to copy the content of this file and paste it into your CA's certificate signing interface where it asks for the CSR.

  8. Receive the CA signed certificate.

    The CA may return the signed certificate in different formats.

    It can return a base-64 encoded ASCII representation of the certificate (with a .pem or .arm extension) or it may return the certificate in a PKCS7 format with a .p7b extension.

    Regardless of the format, you must import the signed certificate as follows:
    1. When you receive the signed certificate, select Receive.
    2. Browse to your cert.arm signed file or your file.p7b file.
    3. Click OK.
  9. Save and overwrite the file. Enter the password when you are prompted.
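
Before selecting Receive in step 8, you can confirm that the CA's reply was issued for the request you sent: a certificate is only usable with the private key in the keystore if it carries the same public key as certreq.arm. The script below is an added example, not part of the product documentation; it assumes the OpenSSL command line is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the product documentation. File names follow the
# page (certreq.arm, cert.arm, file.p7b); the function names are assumptions.
# Usage: reply_matches_csr certreq.arm cert.arm   (or file.p7b)

# Print every certificate in the CA's reply as PEM. The reply may be one or
# more base-64 certificates (.pem/.arm) or a PKCS#7 bundle (.p7b, PEM or DER).
reply_certs() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
            openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null
    fi
}

# Return 0 if some certificate in the reply carries the public key of the CSR,
# 1 if none does, 2 if the CSR itself cannot be read.
reply_matches_csr() {
    want=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # tr strips carriage returns so files saved on Windows compare correctly.
    reply_certs "$2" | tr -d '\r' | (
        cert=""
        while IFS= read -r line; do
            cert="$cert$line
"
            [ "$line" = "-----END CERTIFICATE-----" ] || continue
            # One complete certificate collected: extract and compare its key.
            got=$(printf '%s' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || got=""
            [ "$got" = "$want" ] && exit 0
            cert=""
        done
        exit 1
    )
}
```

A return value of 1 means that no certificate in the reply belongs to this request, for example because the CA signed an older CSR.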

Results

The .p12 (or .jks) file is updated with the signed certificate and with the root and intermediate certificates if present in the .p7b file.
Note: The keystore contains the private key for the certificate, and this must always be kept secure. It is recommended that the original copy of the keystore is stored on a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.