Creating a Java keystore and Certificate Signing Request to submit to a CA

Before you can connect the IBM® Flex System Manager for mobile devices application to your IBM Flex System Manager management node, you must create a Java™ keystore on a computer that is not a part of your IBM Flex System environment.

Java comes with a utility named keytool in its bin directory that you can use to create and edit keystore files. To create a new keystore, complete the following steps:

  1. Create a keystore by using the following command (replace the italicized options in the following examples with the options for your keystore):
    keytool -genkey -alias <keystore_alias> -keyalg <encryption_algorithm> -keystore <path_to_the_keystore_being_created> -keysize <size_of_encryption_key>
    For example:
    keytool -genkey -alias Flex_Manager -keyalg RSA -keystore flexStore.jks -keysize 2048
    Note: Use a strong keysize; some mobile operating systems have restrictions on the keysize that they will accept.
  2. When you are prompted, type a password for the keystore that you are creating.
    Note: This password is required when you replace the keystore on the management node and for each subsequent keytool command that you run against the created keystore.
  3. When you are prompted, type your organization and location information.
  4. When you are prompted, type a password for the keystore alias.
    Note: The keystore alias password can be the same as the previous password that you created.
  5. After the keystore has been created, use the following command to issue a Certificate Signing Request (CSR) for the keystore (replace the italicized options in the following examples with the options for your keystore):
    keytool -certreq -alias <keystore_alias> -keystore <path_to_the_keystore> -file <path_to_the_csr_file_being_created>
    For example:
    keytool -certreq -alias Flex_Manager -keystore flexStore.jks -file mydomain.csr
  6. The Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. Send the certificate-signing request file to the CA; see the CA website for specific instructions about requesting a new certificate. You can request either a test certificate or a production certificate from the CA. However, in a production environment, you must request a production certificate.
    Important: Before completing the following steps, the signed certificates must be returned from the CA.
  7. Install the CA root and any intermediate certificates into the keystore; then, install the generated server certificate into the keystore. These certificates can be acquired from the CA used to generate the server certificate.
    1. To install root and intermediate certificates (start with the root certificate first), run the following command (replace the italicized options in the following examples with the options for your keystore):
      keytool -import -trustcacerts -alias <root_certificate_alias> -file <path_to_the_root_certificate> -keystore <path_to_the_keystore>
      For example:
      keytool -import -trustcacerts -alias root -file root.crt -keystore flexStore.jks
      where root.crt is the CA root or intermediate certificate and flexStore.jks is the name of the previously generated keystore.
    2. When you are prompted, select to trust the certificate being installed.
    3. Repeat substeps 1 and 2 for each certificate in the certificate chain.
    4. Import the server certificate that was returned from the CA by running the following command (replace the italicized options in the following examples with the options for your keystore):
      keytool -import -trustcacerts -alias <server_certificate_alias> -file <path_to_server_certificate> -keystore <path_to_the_keystore>
      For example:
      keytool -import -trustcacerts -alias Flex_Manager_Server -file mydomain.crt -keystore flexStore.jks
      where the alias used is the alias for the server certificate, and the file provided is the server certificate file.
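
A check to run once step 7 is finished, given here as an added example that is not part of IBM's documentation: it reads `keytool -list -v` output and reports whether the private key entry carries the CA-issued chain or is still self-signed. The function name `key_entry_state` and the sample listings are constructed for illustration, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example, not IBM's code. Reads `keytool -list -v` output (English
# locale assumed) on stdin and prints "<entry type> <chain length>" for one alias.
# Exit status: 0 = PrivateKeyEntry with a chain longer than one certificate
#                  (the CA reply is attached to the private key),
#              1 = entry exists but is self-signed or only a trusted certificate,
#              2 = alias not found.
key_entry_state() {
    # keytool lists JKS aliases in lower case, so compare case-insensitively.
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^Alias name: / { cur = tolower(substr($0, 13)); sub(/ +$/, "", cur); next }
        cur != want     { next }
        /^Entry type: / { type = $3 }
        /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (type == "") { print "missing 0"; exit 2 }
            print type, len + 0
            exit !(type == "PrivateKeyEntry" && len > 1)
        }'
}

# Constructed, abridged listings (not output captured from a real system).
SAMPLE_BEFORE='Alias name: flex_manager
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: root
Entry type: trustedCertEntry'

SAMPLE_AFTER='Alias name: flex_manager
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: root
Entry type: trustedCertEntry'

printf '%s\n' "$SAMPLE_BEFORE" | key_entry_state Flex_Manager || echo "CA reply not attached yet"
printf '%s\n' "$SAMPLE_AFTER"  | key_entry_state Flex_Manager && echo "key entry carries the CA chain"

# Against the real keystore (prompts for the keystore password):
#   keytool -list -v -keystore flexStore.jks | key_entry_state Flex_Manager
```

keytool treats an imported certificate as a CA reply, and attaches it to the private key, only when the alias given already names a key entry; under any other alias the certificate is stored as a separate trusted certificate entry and the key entry keeps its self-signed certificate.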

To install the new keystore on the IBM Flex System Manager management node, complete the procedure that is described in Installing a keystore on the management node.