Creating a certificate request

Use the Create Certificate dialog or the Certificate Generate Request REST Service to create certificate signing requests.

About this task

Before you begin, determine your site policy and process for obtaining certificates that are issued by a certificate authority. You can create a certificate signing request, send it to a certificate authority (CA), and import the signed certificate from the CA into IBM® Security Guardium® Key Lifecycle Manager.

Procedure

  • Using graphical user interface
    1. Log in to the graphical user interface.
    2. Go to Advanced Configuration > System Certificates.
    3. In the Server Certificates tab, click Create.
      The Create TLS/KMIP Certificate dialog box is displayed.
    4. Select Request certificate from a third-party provider.
    5. Specify values for the following required fields.
      Certificate label in keystore: Specify a unique name or alias for the certificate. For a certificate signing request, retain a record of the alias value of the certificate signing request for use when you import the returned certificate.
      Certificate description: Specify the common name for the certificate.
      Validity period for new certificate: Specify a time interval in days during which the certificate is valid. The interval ranges from 1 day to 9000 days.
      Algorithm: Select one of the following key algorithms:
      • RSA
      • ECDSA
    6. Specify values for the optional fields.
      Subject alternative name: A subject alternative name (SAN) associates multiple values, such as domain names and IP addresses, with a single server certificate. Specify the values in the following fields: DNS names, RFC822 names, URI names, and IP address.
      DNS names: Specify the DNS names. You can specify multiple DNS names as comma-separated values. For example, example.com, another.domain.com.
      RFC822 names: Specify the RFC822 email address. For example, someone@example.com.
      URI names: Specify the URI names. For example, http://example.com.
      IP address: Specify the IP addresses. You can specify multiple IP addresses as comma-separated values. For example, 204.146.30.17.
      Organizational unit name: Specify the organizational unit name.
      Organization name: Specify the organization name.
      City or locality: Specify the city or the locality.
      State or province: Specify the state or province name.
      Country: Specify the two-letter country code. For example, US for United States.
    7. Click Create Certificate.
      The certificate signing request is listed in the Server Certificates table. In the table, double-click the certificate signing request to view its details.
    8. In the row of the certificate request file, click the download icon. Send the downloaded CSR file to a certificate authority (CA) to sign it.
    9. After you receive the signed certificate from the CA, import it into the IBM Security Guardium Key Lifecycle Manager server. For instructions, see Importing a CA-signed certificate or a certificate chain of trust.
  • Using REST interface
    1. Open the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and obtain authorization to access the IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Go to the System communication certificates management section.
    4. Run Create System Certificate REST Service to create a certificate signing request.
      For example, to create a certificate signing request, you can send the following HTTP request:
      POST https://localhost:port/SKLM/rest/v1/system/certificates?usageSubtype=SERVERGUI_TLS
      {
        "type": "certreq",
        "alias": "server_certreq2",
        "cn": "server_certreq2",
        "algorithm": "RSA",
        "ou": "abc",
        "o": "abc",
        "country": "US",
        "state": "abc",
        "locality": "abc",
        "usageSubtype": "SERVERGUI_TLS",
        "validity": "100",
        "fileName": "server_certreq2.csr"
      }
    5. Send the certificate signing request file to a certificate authority (CA). After you receive the signed certificate from the CA, import it into IBM Security Guardium Key Lifecycle Manager by using the Import System Certificate REST Service.
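
The REST procedure above, as an added Python example that is not part of the IBM documentation: it validates the field constraints the dialog imposes (allowed algorithms, 1 to 9000 days of validity, two-letter country code), builds the request body with the keys shown in the example request, posts it to the endpoint shown above, and checks a downloaded CSR before it goes to the CA. Assumptions: the value of the Authorization header follows whatever your server's authentication process issues, the SAN keys of the REST body are not shown on this page and are therefore left out, and the CSR check relies on the openssl command-line tool being installed.

```python
import json
import re
import subprocess
import urllib.request

# Constraints taken from the field descriptions of the Create Certificate dialog.
ALGORITHMS = {"RSA", "ECDSA"}
VALIDITY_MIN, VALIDITY_MAX = 1, 9000


def build_certreq_body(alias, cn, algorithm, validity_days, ou, o, country,
                       state, locality, usage_subtype="SERVERGUI_TLS"):
    """Check the required fields and return the JSON body for the
    Create System Certificate REST service (keys as in the page's example)."""
    if not alias:
        raise ValueError("alias is required; keep it, the import must match it")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"algorithm must be one of {sorted(ALGORITHMS)}")
    if not VALIDITY_MIN <= int(validity_days) <= VALIDITY_MAX:
        raise ValueError(f"validity must be {VALIDITY_MIN}-{VALIDITY_MAX} days")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be a two-letter code, for example US")
    return {
        "type": "certreq", "alias": alias, "cn": cn, "algorithm": algorithm,
        "ou": ou, "o": o, "country": country, "state": state,
        "locality": locality, "usageSubtype": usage_subtype,
        "validity": str(validity_days), "fileName": f"{alias}.csr",
    }


def create_certreq(base_url, auth_header_value, body):
    """POST the body to the endpoint shown on this page and return the reply.
    The Authorization header value is an assumption: use what your server's
    authentication process returns."""
    url = (f"{base_url}/SKLM/rest/v1/system/certificates"
           f"?usageSubtype={body['usageSubtype']}")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header_value})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_csr(path, expected_cn):
    """Before sending the downloaded CSR to the CA, confirm that its
    self-signature verifies and that the subject CN is the one requested.
    Uses the openssl CLI (assumed installed); a failed verify raises."""
    out = subprocess.run(["openssl", "req", "-in", path, "-noout",
                          "-verify", "-subject"],
                         capture_output=True, text=True, check=True)
    return f"CN={expected_cn}" in out.stdout.replace(" = ", "=")
```

Record the alias you pass to build_certreq_body: the page states that the certificate you later import must match the request with that alias.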

What to do next

Manually send the certificate request to a certificate authority by using the secure communication process that your organization provides. Also retain the alias value of the certificate request for use when you import the returned certificate; the imported certificate must match the certificate request with that alias.