You can create a self-signed certificate to be used as the server communication certificate.
Alternatively, you can create a certificate signing request (CSR), manually send the request to a
certificate authority (CA) for signing, and then import the signed certificate.
About this task
For example, you can use certificates to secure communication between IBM Security Guardium Key Lifecycle Manager and a client device. If you create a certificate signing request file, the generated certificate signing request file is stored in the SKLM_HOME directory.
Your role must have permission for the configure action to create a TLS or KMIP certificate.
Before you begin, consider the following points:
- Whether you can use self-signed certificates during a phase in your project, such as a test phase.
- The time interval that is needed to receive a CA-issued certificate after a request is sent. You must manually send the certificate request to the issuing authority.
- Whether your site requires partner certificates for use with business partners, vendors, or for disaster recovery purposes.
- The customary setting in days for a certificate validity interval.
Procedure
- Using graphical user interface
  - Log in to the graphical user interface.
  - Go to .
  - In the Server Certificates tab, click Create. The Create TLS/KMIP Certificate dialog box is displayed.
  - Select whether to create a self-signed certificate or a certificate signing request.
  - Specify values for the following required fields.
    Field | Description
    Certificate label in keystore | Specify a unique name or alias for the certificate. For a certificate signing request, keep a record of the alias value of the certificate signing request for use when you import the returned certificate.
    Certificate description | Specify the common name (CN) for the certificate.
    Validity period for new certificate | Specify a time interval in days during which the certificate is valid. The interval ranges from 1 day to 9000 days.
    Algorithm | Select one of the following key algorithms:
    Use this certificate for | This field is shown only for self-signed certificates. Select one or more of the following usage types for the certificate:
      - Key serving: Select this option to use the certificate for key serving over IPP and KMIP.
      - UI access: Select this option to use the certificate to access the GUI, Swagger UI, and REST APIs, and for REST-based key serving.
      - EKMF Web: Select this option to use the certificate for establishing secure communication between IBM Security Guardium Key Lifecycle Manager and EKMF Web.
      The Key serving usage type is selected by default.
      In addition to these usage types, the Usage column might show Not in use or Unknown for certificates that do not have a valid usage type. Not in use is shown for a certificate signing request (CSR); the CSR file cannot be used for any operations until you import the signed certificate. Unknown or Not in use is also shown for a certificate that was earlier used for UI access or key serving but was replaced by a new certificate for that usage.
  - Specify values for the optional fields.
    Field | Description
    Subject alternative name | A subject alternative name (SAN) associates multiple values, such as domain names and IP addresses, with a single server certificate. Modern TLS clients match the host name they connect to against the SAN entries rather than the common name, so list every host name and IP address that clients use to reach the server. Specify the values for the following fields: DNS names, RFC822 names, URI names, and IP addresses.
    DNS Names | Specify the DNS names. You can specify multiple DNS names as comma-separated values. For example, example.com, another.domain.com.
    RFC822 Names | Specify the RFC822 email address. For example, someone@example.com.
    URI Names | Specify the URI names. For example, http://example.com.
    IP Addresses | Specify the IP addresses. You can specify multiple IP addresses as comma-separated values. For example, 204.146.30.17.
    Organizational unit name | Specify the organizational unit name.
    Organization name | Specify the organization name.
    City or locality | Specify the city or the locality.
    State or province | Specify the state or province name.
    Country | Specify the two-letter country code. For example, US for the United States.
  - Click Create Certificate. The certificate is listed in the Server Certificates table. In the table, double-click the certificate to view the certificate details.
  - If you created a certificate signing request, send it to a certificate authority (CA). After you receive the signed certificate from the CA, import it to the IBM Security Guardium Key Lifecycle Manager server. For instructions, see Importing a server certificate.
- Using REST interface
  - Open the Swagger UI. For more information, see Using Swagger UI.
  - Authenticate and authorize to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
  - Go to the System communication certificates management section.
  - Run Create System Certificate REST Service to create a system certificate.
    For example, to create a self-signed certificate, send the following HTTP request:
    POST https://localhost:port/SKLM/rest/v1/system/certificates
    {
      "type": "self-signed",
      "alias": "server_cert",
      "cn": "server_cert",
      "algorithm": "ECDSA",
      "ou": "abc",
      "o": "abc",
      "country": "US",
      "state": "abc",
      "locality": "abc",
      "usageSubtype": "SERVERGUI_TLS",
      "validity": "100"
    }
    For example, to create a certificate signing request, send the following HTTP request:
    POST https://localhost:port/SKLM/rest/v1/system/certificates?usageSubtype=SERVERGUI_TLS
    {
      "type": "certreq",
      "alias": "server_certreq2",
      "cn": "server_certreq2",
      "algorithm": "RSA",
      "ou": "abc",
      "o": "abc",
      "country": "US",
      "state": "abc",
      "locality": "abc",
      "usageSubtype": "SERVERGUI_TLS",
      "validity": "100",
      "fileName": "server_certreq2.csr"
    }
  - If you created a certificate signing request, send it to a certificate authority (CA). After you receive the signed certificate from the CA, import it into IBM Security Guardium Key Lifecycle Manager by using the Import System Certificate REST Service.
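The following script is an added example that wraps the REST procedure above; it is not IBM's code. It builds the request body for either a self-signed certificate or a CSR, rejects values the server or the GUI would not accept (validity outside 1 to 9000 days, a country code that is not two letters, an unknown type or algorithm) before the request is sent, and submits it over a TLS connection verified against an explicit CA bundle. The field names mirror the two request bodies shown on this page. The login endpoint /SKLM/rest/v1/ckms/login, the SKLMAuth userAuthId Authorization header scheme, the rule that a CSR request must name its output file, and the host, credentials and CA bundle path in the usage section are assumptions, not taken from this page.

```python
"""Build, validate and submit Create System Certificate requests to the
IBM Security Guardium Key Lifecycle Manager REST API.

Added example, not IBM's code. Assumed, not stated on the page: the login
endpoint /SKLM/rest/v1/ckms/login, the 'SKLMAuth userAuthId=<token>'
Authorization header, and that a CSR request must supply fileName.
"""
import json
import ssl
import urllib.request

CERT_TYPES = ("self-signed", "certreq")
ALGORITHMS = ("RSA", "ECDSA")       # the two values used in the page's examples
MAX_VALIDITY_DAYS = 9000            # upper limit stated for the GUI field


def build_cert_request(cert_type, alias, cn, algorithm="RSA", validity=365,
                       usage_subtype="SERVERGUI_TLS", file_name=None,
                       ou="", o="", country="US", state="", locality=""):
    """Return the JSON body for POST /SKLM/rest/v1/system/certificates.

    Raises ValueError for inputs that would be rejected, so a typo is
    caught on the client instead of producing an unusable certificate.
    """
    if cert_type not in CERT_TYPES:
        raise ValueError(f"type must be one of {CERT_TYPES}, got {cert_type!r}")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"algorithm must be one of {ALGORITHMS}, got {algorithm!r}")
    if not alias or not cn:
        raise ValueError("alias and cn are required")
    validity = int(validity)
    if not 1 <= validity <= MAX_VALIDITY_DAYS:
        raise ValueError(f"validity must be 1..{MAX_VALIDITY_DAYS} days, got {validity}")
    if len(country) != 2 or not country.isalpha():
        raise ValueError(f"country must be a two-letter code, got {country!r}")
    body = {
        "type": cert_type,
        "alias": alias,
        "cn": cn,
        "algorithm": algorithm,
        "ou": ou,
        "o": o,
        "country": country.upper(),
        "state": state,
        "locality": locality,
        "usageSubtype": usage_subtype,
        "validity": str(validity),   # the page's examples send validity as a string
    }
    if cert_type == "certreq":
        # Assumption: the CSR file written under SKLM_HOME must be named.
        if not file_name:
            raise ValueError("file_name is required for a certificate signing request")
        body["fileName"] = file_name
    return body


def tls_context(ca_bundle):
    """Verify the server against an explicit CA bundle. Do not fall back to
    CERT_NONE: whoever intercepts this call gets the admin session token and
    can then replace the server certificate themselves."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    return ctx


def _post_json(url, payload, headers, ctx):
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def login(base_url, user, password, ctx):
    """Assumed login endpoint; returns the UserAuthId session token."""
    reply = _post_json(f"{base_url}/SKLM/rest/v1/ckms/login",
                       {"userid": user, "password": password}, {}, ctx)
    return reply["UserAuthId"]


def create_certificate(base_url, token, body, ctx):
    """Submit a body from build_cert_request(); returns the parsed reply."""
    return _post_json(f"{base_url}/SKLM/rest/v1/system/certificates", body,
                      {"Authorization": f"SKLMAuth userAuthId={token}"}, ctx)


if __name__ == "__main__":
    # Placeholder host, credentials and CA bundle path (assumptions).
    base = "https://sklm.example.com:9443"
    ctx = tls_context("/etc/ssl/certs/sklm-ca.pem")
    token = login(base, "SKLMAdmin", "changeit", ctx)
    csr = build_cert_request("certreq", "server_certreq2", "server_certreq2",
                             algorithm="RSA", validity=365, ou="abc", o="abc",
                             state="abc", locality="abc",
                             file_name="server_certreq2.csr")
    print(create_certificate(base, token, csr, ctx))
```

After a CSR request, confirm that the named file appeared under SKLM_HOME before sending it to the CA, and keep the alias: the import step needs it. After a self-signed certificate replaces the certificate used for UI access, the CA bundle passed to tls_context() no longer validates the server, so update it (or pin the new certificate's fingerprint) before running the script again.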