Create the certificate signing request (CSR) files

To obtain a certificate from a certificate authority (CA), you must generate the certificate signing request (CSR) files for the crypto key from the Cognos® Analytics keystore. The CA uses this file to produce a crypto certificate, and a CA certificate that you import into your keystore.

Before you begin

On UNIX or Linux operating systems, ensure that you set a JAVA_HOME environment variable before you use the ThirdPartyCertificateTool.

On Microsoft Windows installations, you can run the tool with the -java:local option to use the JRE that is provided with the installation, as shown in the following example: ThirdPartyCertificateTool.bat -java:local -c -d ...

About this task

If you changed the Key store password in IBM® Cognos Configuration, under Cryptography > Cognos, use the new password as the keystore_password when running the ThirdPartyCertificateTool commands below. The default password is NoPassWordSet.


  1. From the install_location\bin directory, run the ThirdPartyCertificateTool.
  2. Type the following command to create the certificate signing request for the crypto key:
    • On UNIX or Linux®, type
      ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" 
      -r encryptRequest.csr -p keystore_password -a RSA
    • On Windows, type
      ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" 
      -r encryptRequest.csr -p keystore_password -a RSA

    The distinguished name (DN) value in the command ("CN=EncryptCert,O=MyCompany,C=CA") uniquely identifies the Cognos Analytics installation. The attributes that are used in this parameter reflect a hierarchical structure in your organization.

    The password that you enter for this key must be used again when you import the certificate, and again in IBM Cognos Configuration.

  3. Run the command.

    You can ignore any warnings about logging.

    Important: The certificates that are generated by your CA must be in PEM (Base-64 encoded ASCII) format.


The command generates the following CSR files:

  • The CAMKeystore file in the install_location\configuration\certs directory.
  • The encryptRequest.csr file in the install_location\bin directory.
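
Before the request leaves the host, you can confirm that encryptRequest.csr carries the intended DN and an RSA key, verifies against its own signature, and contains no private key material. The following is an added example, not part of the IBM documentation or tooling: it assumes the openssl CLI is on the PATH, check_csr and make_sample_csr are hypothetical helper names, and a throwaway CSR generated by openssl stands in for the tool's output.

```shell
# Added example, not IBM code. Assumes the openssl CLI is on PATH;
# check_csr and make_sample_csr are hypothetical helper names.
# check_csr FILE EXPECTED_DN MIN_BITS: prints findings, returns 0 only if all pass.
check_csr() {
    csr=$1; want_dn=$2; min_bits=$3; rc=0

    # Only the request leaves the host; key material stays in the keystore.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "FAIL: file contains a private key block"; rc=1
    fi

    # The self-signature shows the request is intact and matches its public key.
    if openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "ok: self-signature verifies"
    else
        echo "FAIL: self-signature does not verify"; rc=1
    fi

    # The subject must be the DN that was passed to -d.
    got_dn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//')
    if [ "$got_dn" = "$want_dn" ]; then
        echo "ok: subject is $got_dn"
    else
        echo "FAIL: subject is '$got_dn', expected '$want_dn'"; rc=1
    fi

    # -a RSA was requested; also enforce a minimum modulus size.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if openssl req -in "$csr" -noout -text 2>/dev/null | grep -q 'rsaEncryption' &&
        [ "${bits:-0}" -ge "$min_bits" ]; then
        echo "ok: RSA key, $bits bits"
    else
        echo "FAIL: key is not RSA or is under $min_bits bits (got ${bits:-?})"; rc=1
    fi
    return $rc
}

# Constructed stand-in for encryptRequest.csr, made with openssl, not the Cognos tool.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sample.key" \
        -subj "/C=CA/O=MyCompany/CN=EncryptCert" -out "$1/encryptRequest.csr" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp"
check_csr "$tmp/encryptRequest.csr" "CN=EncryptCert,O=MyCompany,C=CA" 2048
rm -rf "$tmp"
```

Against a real installation, call check_csr on install_location/bin/encryptRequest.csr with the DN you passed to -d and the minimum key size your CA or policy requires.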

What to do next

After the CSR files are generated, perform the following steps:

  • Share the certificate signing request file encryptRequest.csr, or its contents, with the external CA.

    Using this request, the CA produces a crypto key certificate, a root certificate, and an intermediate certificate, and shares them with your organization.

    For details about the certificate exchange process between your organization and the external CA, see the CA documentation.

  • Copy the certificates from the external CA to the Cognos Analytics installation directory, such as install_location\configuration\bin.
  • Import the certificates into your Cognos Analytics key store. For more information, see Import the certificate authority (CA) certificates.