An earlier blog posting, "How to Create A SHA2 Certificate Signing Request (CSR)", discussed that the IBM Sterling Certificate Wizard is incapable of generating a SHA2 CSR. Since there are any number of other methods for generating a CSR, we'll look at one such way.
The first step is to gather the information needed to complete the CSR form. The resulting certificate will be populated with these values using a designation common to LDAP. The required information includes the fully-qualified domain name (FQDN), City, State, Country, Key Size and Signing Algorithm. Some CAs may require additional data or optionally allow an Organization Name and Organizational Unit.
To find your FQDN you can use the "ipconfig /all" command. The following screen shot shows the values to combine to identify a system's FQDN; here that value is danal.ibm.com.
Using your preferred CSR tool (here I used the SSL Store), enter the values. NOTE: do not abbreviate the state, as some CAs will not accept this. When you choose the Key Size, you need to take into consideration what your Trading Partners will be able to support. You may have to purchase multiple certificates in order to meet the needs of your Trading Partners. In this example, I've chosen the more common length of 2048 bits.
Finally, you will need to choose a Signature Algorithm. Once again, you will need to take into consideration the capabilities of your Trading Partners. As stated in the earlier blog posting, SHA2 (or as you see here, SHA-2 as it is sometimes abbreviated) is considered the industry standard today.
Once you've completed all the fields, you will generate your CSR. The results will then be saved into two separate files. For each certificate highlight everything between the Begin/End certificate and paste that into a text file.
Repeat this for the Private Key.
You will submit the saved CSR to the Certificate Authority (CA). In the example below, I copied and pasted the same Begin/End certificate into the request.
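The same steps can be done locally with the OpenSSL command line, so the private key never leaves the machine it was generated on. This is an added example, not part of the original post: the function names and file names are hypothetical, and the city, state and country values are constructed placeholders (only the FQDN comes from the post).

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# City/State/Country values below are constructed placeholders.

# make_csr KEYFILE CSRFILE FQDN CITY STATE COUNTRY [KEYBITS]
# Creates a new RSA key and a CSR signed with SHA-256 (a SHA2 algorithm).
make_csr() {
    (
        umask 077   # the private key file is readable by its owner only
        # -nodes leaves the key unencrypted on disk; protect or encrypt it afterwards
        openssl req -new -newkey "rsa:${7:-2048}" -nodes -sha256 \
            -keyout "$1" -out "$2" \
            -subj "/C=$6/ST=$5/L=$4/CN=$3" 2>/dev/null
    )
}

# Print the CSR's signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Print the size in bits of the public key carried in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the CSR was built from the given private key.
csr_matches_key() {
    req_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ]
}

# Demo: write both files to a throwaway directory and check them before submission.
demo_dir=$(mktemp -d)
make_csr "$demo_dir/danal.key" "$demo_dir/danal.csr" \
    danal.ibm.com "Example City" "California" US 2048
echo "Signature algorithm: $(csr_sig_alg "$demo_dir/danal.csr")"
echo "Key size: $(csr_key_bits "$demo_dir/danal.csr") bits"
csr_matches_key "$demo_dir/danal.csr" "$demo_dir/danal.key" && echo "CSR matches key"
rm -rf "$demo_dir"
```

Only the CSR file is submitted to the CA; the key file stays on the host that will use the certificate.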
When the CA returns my signed certificate, the private key will come into play. Stay tuned for the next installment.