Use the Create Certificate dialog or the Certificate Generate Request REST Service to create certificate signing requests.
About this task
Before you begin, determine your site policy and process to obtain certificates that are issued
by a certificate authority. You can create a certificate signing request, send it to a certificate
authority (CA), and import the signed certificate from the CA in IBM® Security Guardium® Key Lifecycle Manager.
Procedure
Using graphical user interface
- Log in to the graphical user interface.
- Go to .
- In the Server Certificates tab, click Create. The Create TLS/KMIP Certificate dialog box is displayed.
- Select Request certificate from a third-party provider.
- Specify values for the following required fields.

Field | Description
Certificate label in keystore | Specify a unique name or alias for the certificate. For a certificate signing request, retain a record of the alias value of the certificate signing request for use when you import the returned certificate.
Certificate description | Specify the common name for the certificate.
Validity period for new certificate | Specify a time interval in days during which the certificate is valid. The interval ranges from 1 day to 9000 days.
Algorithm | Select one of the following encryption algorithms:
- Specify values for the optional fields.

Field | Description
Subject alternative name | Subject alternative name (SAN) is used to associate multiple values, such as domain names and IP addresses, with a single server certificate. Specify the values for the following fields: DNS names, RFC822 names, URI names, and IP address.
DNS names | Specify the DNS names. You can specify multiple DNS names as comma-separated values. For example, example.com, another.domain.com.
RFC822 names | Specify the RFC822 email address. For example, someone@example.com.
URI names | Specify the URI names. For example, http://example.com.
IP address | Specify the IP addresses. You can specify multiple IP addresses as comma-separated values. For example, 204.146.30.17.
Organizational unit name | Specify the organizational unit name.
Organization name | Specify the organizational name.
City or locality | Specify the city or the locality.
State or province | Specify the state name.
Country | Specify the two-letter country code. For example, US for United States.
- Click Create Certificate. The certificate signing request is listed in the Server Certificates table. In the table, double-click the certificate signing request to view its details.
- In the row of the certificate request file, click the download icon. Send the
downloaded CSR file to a certificate authority (CA) to sign it.
- After you receive the signed certificate from the CA, import it to the IBM Security Guardium Key Lifecycle Manager server. For instructions, see Importing a CA-signed certificate or a certificate chain of trust.
Using REST interface
- Open the Swagger UI. For more information, see Using Swagger UI.
- Authenticate and authorize to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
- Go to the System communication certificates management section.
- Run Create System Certificate REST Service to create a certificate signing request. For example, to create a certificate signing request, you can send the following HTTP request:
POST https://localhost:port/SKLM/rest/v1/system/certificates?usageSubtype=SERVERGUI_TLS
{
"type": "certreq",
"alias": "server_certreq2",
"cn": "server_certreq2",
"algorithm": "RSA",
"ou": "abc",
"o": "abc",
"country": "US",
"state": "abc",
"locality": "abc",
"usageSubtype": "SERVERGUI_TLS",
"validity": "100",
"fileName": "server_certreq2.csr"
}
- Send the certificate signing request file to a certificate authority (CA). After you
receive the signed certificate from the CA, import it in IBM Security Guardium Key Lifecycle Manager by using the Import System Certificate REST Service.
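The REST request above, scripted as an added example (not IBM's code): the helper validates the constraints the dialog documents (validity between 1 and 9000 days, two-letter country code) before building the body shown on the page, then submits it over verified TLS. The `SKLMAuth userAuthId=` Authorization header form and the `localhost:port` base URL are assumptions; all field values are constructed.

```python
"""Build and submit a certificate signing request to the Create System Certificate REST
service. Added example, not IBM's code; the auth header format is an assumption."""
import json
import ssl
import urllib.request

USAGE_SUBTYPE = "SERVERGUI_TLS"  # usage subtype used in the page's example request


def build_certreq_body(alias, cn, algorithm="RSA", validity=100, country="US",
                       ou="", o="", state="", locality="", file_name=None):
    """Return the JSON body for a 'certreq' request, enforcing the constraints
    the dialog documents: validity in 1..9000 days, two-letter country code."""
    if not alias:
        raise ValueError("alias (certificate label in keystore) is required")
    validity = int(validity)
    if not 1 <= validity <= 9000:
        raise ValueError("validity must be between 1 and 9000 days")
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country must be a two-letter code, for example US")
    return {
        "type": "certreq",
        "alias": alias,            # keep a record of this: the import must match it
        "cn": cn,
        "algorithm": algorithm,
        "ou": ou,
        "o": o,
        "country": country.upper(),
        "state": state,
        "locality": locality,
        "usageSubtype": USAGE_SUBTYPE,
        "validity": str(validity),  # the page's request passes validity as a string
        "fileName": file_name or f"{alias}.csr",
    }


def submit_certreq(base_url, auth_token, body, ca_bundle=None):
    """POST the body. auth_token is the userAuthId returned by the login REST
    service; the 'SKLMAuth userAuthId=' header form is assumed here."""
    url = f"{base_url}/SKLM/rest/v1/system/certificates?usageSubtype={USAGE_SUBTYPE}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"SKLMAuth userAuthId={auth_token}")
    # Verify the server certificate against a trusted CA bundle; do not disable verification.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())
```

Call `submit_certreq("https://localhost:port", token, build_certreq_body("server_certreq2", "server_certreq2", ou="abc", o="abc", state="abc", locality="abc"))` to reproduce the page's request; the returned CSR file still has to be sent to the CA out of band.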
What to do next
Manually send the certificate request to a certificate authority by using the secure communication process that your organization provides. Additionally, retain the alias value of the certificate request for use when you import the returned certificate; the returned certificate must match a certificate request.