Creating a certificate request

You can create a certificate signing request (CSR) and manually send the request to a certificate authority (CA) for signing. You can then import the signed certificate.

About this task

Before you begin, determine your site policy and process for obtaining certificates that are issued by a certificate authority. You can create a certificate signing request, send it to a certificate authority (CA), and import the signed certificate from the CA into IBM Guardium Key Lifecycle Manager.

Procedure

  • Using a graphical user interface
    1. Log in to IBM Guardium Key Lifecycle Manager graphical user interface.
    2. On the home page, click the menu icon at the upper left of the page.
    3. Click Configuration > System certificates.
    4. On the System certificates page, click Server certificates > Create or import certificates.
    5. Select Request certificate from a certificate authority (CA).
    6. Specify values for the following required fields.
      Certificate label in keystore: Specify a unique name or alias for the certificate.
        For a certificate signing request, retain a record of the alias value of the certificate signing request for use when you import the returned certificate.
      Certificate description (common name): Specify the common name for the certificate.
      Validity period for new certificate: Specify a time interval in days during which the certificate is valid. The interval ranges from 1 day to 9000 days.
      Algorithm: Select one of the following key-pair algorithms:
      • RSA
      • ECDSA
    7. Specify values for the optional fields.
      Subject alternative name: A subject alternative name (SAN) associates multiple values, such as domain names and IP addresses, with a single server certificate. Specify the values in the following fields: DNS names, RFC822 names, URI names, and IP address.
      DNS names: Specify the DNS names. You can specify multiple DNS names as comma-separated values. For example, example.com, another.domain.com.
      RFC822 names: Specify the RFC822 email address. For example, someone@example.com.
      URI names: Specify the URI names. For example, http://example.com.
      IP address: Specify the IP addresses. You can specify multiple IP addresses as comma-separated values. For example, 204.146.30.17.
      Organizational unit name: Specify the organizational unit name.
      Organization name: Specify the organization name.
      City or location: Specify the city or the location.
      State or province: Specify the state or province name.
      Country: Specify the two-letter country code. For example, US for United States.
    8. Click Create certificate.
      The certificate signing request is listed in the Server certificates tab.
    9. Select the certificate that you want to send for signing and click the overflow menu icon (Options).
    10. From the overflow menu options, click Download.
    11. Send the downloaded CSR file to a certificate authority (CA) for signing.
    12. After you receive the signed certificate from the CA, import it to the IBM Guardium Key Lifecycle Manager server. For instructions, see Importing a CA-signed certificate or a certificate chain of trust.
  • Using a REST interface
    1. Open the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize to access IBM Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Go to the System communication certificates management section.
    4. Run Create System Certificate REST Service to create a certificate signing request.
      For example, to create a certificate signing request, you can send the following HTTP request:
      POST https://localhost:port/GKLM/rest/v1/system/certificates?usageSubtype=SERVERGUI_TLS
      {
        "type": "certreq",
        "alias": "server_certreq2",
        "cn": "server_certreq2",
        "algorithm": "RSA",
        "ou": "abc",
        "o": "abc",
        "country": "US",
        "state": "abc",
        "locality": "abc",
        "usageSubtype": "SERVERGUI_TLS",
        "validity": "100",
        "fileName": "server_certreq2.csr"
      }
    5. Send the certificate signing request file to a certificate authority (CA). After you receive the signed certificate from the CA, import it in IBM Guardium Key Lifecycle Manager by using the Import System Certificate REST Service.
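The following helper, added here as an example and not part of the product or its documentation, builds the Create System Certificate request body shown above, enforces the constraints the form states (RSA or ECDSA, a validity of 1 to 9000 days, a two-letter country code) before anything leaves the client, and submits it over a TLS session that verifies the server against a pinned CA file. The Authorization header value is assumed to come from the authentication step described on this page; its exact format is not shown here.

```python
"""Build and submit a GKLM certificate signing request (added example)."""
import json
import re
import ssl
import urllib.request

VALID_ALGORITHMS = {"RSA", "ECDSA"}       # the two choices the form offers
MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS = 1, 9000


def build_csr_request(alias, cn, algorithm="RSA", validity_days=365,
                      usage_subtype="SERVERGUI_TLS", country="US",
                      org=None, ou=None, state=None, locality=None,
                      file_name=None):
    """Return the JSON body for a 'certreq' request, rejecting values the
    GUI form would not accept so the service never sees a bad request."""
    if algorithm not in VALID_ALGORITHMS:
        raise ValueError(f"algorithm must be one of {sorted(VALID_ALGORITHMS)}")
    if not MIN_VALIDITY_DAYS <= validity_days <= MAX_VALIDITY_DAYS:
        raise ValueError("validity must be between 1 and 9000 days")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be a two-letter code, for example US")
    body = {
        "type": "certreq",
        "alias": alias,                  # keep this: the import must match it
        "cn": cn,
        "algorithm": algorithm,
        "country": country,
        "usageSubtype": usage_subtype,
        "validity": str(validity_days),  # the documented request passes a string
        "fileName": file_name or f"{alias}.csr",
    }
    # Optional subject fields are only sent when supplied.
    for key, value in (("o", org), ("ou", ou), ("state", state), ("locality", locality)):
        if value:
            body[key] = value
    return body


def submit_csr_request(base_url, auth_header, body, cafile):
    """POST the body to the Create System Certificate REST service.
    auth_header: Authorization value from the login step (assumed format).
    cafile: PEM bundle for the GKLM server's CA, so the request is never
    sent over an unverified TLS connection."""
    url = f"{base_url}/GKLM/rest/v1/system/certificates?usageSubtype={body['usageSubtype']}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": auth_header})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```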

What to do next

Manually send the certificate request to a certificate authority by using the secure communication process that your organization provides. Also, retain the alias value of the certificate request for use when you import the returned certificate: the imported certificate must match an existing certificate request by that alias.