Creating a server certificate

You can create a self-signed certificate to use as the server communication certificate. Alternatively, you can create a certificate request and manually send it to a certificate authority (CA) for signing.

About this task

For example, you can use certificates to secure the communication between IBM® Security Guardium® Key Lifecycle Manager and a tape library. The generated certificate request files reside in the SKLM_HOME directory. A sample certificate request file: C:\Program Files\IBM\WebSphere\AppServer\products\sklm\171029122037–sslcert001.csr.

Your role must have permission for the configure action to create a TLS or KMIP certificate.

Before you begin, consider the following points:

  • Whether you can use self-signed certificates during a phase in your project such as a test phase.
  • The time interval that is needed to receive a CA-issued certificate after a request is sent. You must manually send a certificate request to the issuing authority.
  • Whether your site requires partner certificates for use with business partners, vendors, or for disaster recovery purposes.
  • The customary setting in days for a certificate validity interval.

Procedure

  • Using graphical user interface
    1. Log in to the graphical user interface. Click IBM Security Guardium Key Lifecycle Manager > Configuration > TLS/KMIP.
    2. Select whether to generate a self-signed certificate, request a certificate from a third-party provider, or use an existing certificate from the keystore.
    3. Specify values for the required and optional fields, and click OK.
    Review and complete the steps under the Next steps section.
  • Using REST interface
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run Certificate Generate Request REST Service.
      Example 1: Create a self-signed certificate:
      POST https://localhost:<port>/SKLM/rest/v1/certificates
      {"type":"selfsigned","alias":"sklmCertificate","cn":"sklm","ou":"sales",
      "o":"myCompanyName","usage":"3592","country":"US","validity":"999",
      "algorithm":"RSA"}
      Example 2: Obtain a certificate from a certificate authority:
      POST https://localhost:<port>/SKLM/rest/v1/certificates
      {"type":"certreq","alias":"sklmCert","cn":"sklm","ou":"sales","o":"myCompanyName",
      "usage":"3592","country":"US","validity":"999","fileName":"myCertRequest1.crt",
      "algorithm":"ECDSA"}
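As an added example that is not part of this IBM documentation, the following Python helper builds the two request bodies shown above as well-formed JSON, rejects values outside an assumed site validity policy (max_validity_days), and posts them to the Certificate Generate Request REST service while verifying the server's TLS certificate. The SKLMAuth Authorization header form and the cafile argument are assumptions; confirm them against the REST documentation for your version.

```python
import json
import ssl
import urllib.request

SKLM_CERT_URL = "https://localhost:{port}/SKLM/rest/v1/certificates"
ALLOWED_TYPES = {"selfsigned", "certreq"}       # types shown in the examples above
ALLOWED_ALGORITHMS = {"RSA", "ECDSA"}

def build_certificate_request(cert_type, alias, cn, ou, o, country, validity_days,
                              algorithm="RSA", usage="3592", file_name=None,
                              max_validity_days=1095):
    """Return the JSON body for the Certificate Generate Request REST service.

    Raises ValueError for values the service would not accept or that exceed the
    site's customary validity interval (max_validity_days is an assumed policy).
    """
    if cert_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported certificate type: {cert_type}")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not 1 <= int(validity_days) <= max_validity_days:
        raise ValueError(f"validity {validity_days} outside 1..{max_validity_days} days")
    if cert_type == "certreq" and not file_name:
        raise ValueError("certreq requires fileName for the generated request file")
    body = {"type": cert_type, "alias": alias, "cn": cn, "ou": ou, "o": o,
            "usage": usage, "country": country, "validity": str(validity_days),
            "algorithm": algorithm}
    if cert_type == "certreq":
        body["fileName"] = file_name
    return body

def post_certificate_request(port, user_auth_id, body, cafile):
    """POST the body to the SKLM REST endpoint over TLS.

    The server certificate is verified against cafile; never disable verification
    when talking to a key-management server.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        SKLM_CERT_URL.format(port=port),
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 # Assumed header form for the user authentication identifier.
                 "Authorization": f"SKLMAuth userAuthId={user_auth_id}"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))
```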