Creating a certificate request

Edit online

You can create a certificate signing request (CSR) and manually send the request to a certificate authority (CA) for signing. You can then import the signed certificate.

About this task

Before you begin, determine your site policy and process to obtain certificates that are issued by a certificate authority. You can create a certificate signing request, send it to a certificate authority (CA), and import the signed certificate from the CA in IBM® Guardium® Key Lifecycle Manager.

Procedure

  • Using a graphical user interface
    1. Log in to IBM Guardium Key Lifecycle Manager graphical user interface.
    2. On the home page, click the menu icon (Menu icon) at the upper left of the page.
    3. Click Configuration > System certificates.
    4. On the System certificates page, click Server certificates > Create or import certificates.
    5. Select Request certificate from a certificate authority(CA).
    6. Specify values for the following required fields.
      Fields Description
      Certificate label in keystore Specify a unique name or alias for the certificate.

      For a certificate signing request, retain a record of the alias value of the certificate signing request for use when you import the returned certificate.
      Certificate description (common name) Specify the common name for the certificate.
      Validity period for new certificate Specify a time interval in days during which the certificate is valid. The interval ranges from 1 day to 9000 days.
      Algorithm Select one of the following encryption algorithms:
      • RSA
      • ECDSA
    7. Specify values for the optional fields.
      Field Description
      Subject alternative name Subject alternative name (SAN) is used to associate multiple values, such as domain names and IP addresses, with a single server certificate. Specify the values for the following fields: DNS names, RFC822 names, URI names, and IP address.
      DNS names Specify the DNS names. You can specify multiple DNS names as comma-separated values. For example, example.com, another.domain.com.
      RFC822 names Specify the RFC822 email address. For example, someone@example.com.
      URI names Specify the URI names. For example, http://example.com.
      IP address Specify the IP addresses. You can specify multiple IP addresses as comma-separated values. For example, 204.146.30.17.
      Organizational unit name Specify the organizational unit name.
      Organization name Specify the organizational name.
      City or location Specify the city or the location.
      State or province Specify the state name.
      Country Specify the two-letter country code. For example, US for United States.
    8. Click Create certificate.
      The certificate signing request is listed in the Server certificates tab.
    9. Select the certificate that you want to send for signing and click the overflow menu icon Options.
    10. From the overflow menu options, click Download.
    11. Send the downloaded CSR file to a certificate authority (CA) for signing.
    12. After you receive the signed certificate from the CA, import it to the IBM Guardium Key Lifecycle Manager server. For instructions, see Importing a CA-signed certificate or a certificate chain of trust.
  • Using a REST interface
    1. Open the Swagger UI. For more information, see Using Swagger UI.
    2. Authenticate and authorize to access IBM Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Go to the System communication certificates management section.
    4. Run Create System Certificate REST Service to create a certificate signing request.
      For example, to create a certificate signing request, you can send the following HTTP request:
      POST https://localhost:port/GKLM/rest/v1/system/certificates?usageSubtype=SERVERGUI_TLS
{
  "type": "certreq",
  "alias": "server_certreq2",
  "cn": "server_certreq2",
  "algorithm": "RSA",
  "ou": "abc",
  "o": "abc",
  "country": "US",
  "state": "abc",
  "locality": "abc",
  "usageSubtype": "SERVERGUI_TLS",
  "validity": "100",
  "fileName": "server_certreq2.csr"
}
    5. Send the certificate signing request file to a certificate authority (CA). After you receive the signed certificate from the CA, import it in IBM Guardium Key Lifecycle Manager by using the Import System Certificate REST Service.

What to do next

Manually send the certificate request to a certificate authority by using the secure communication process that your organization provides. Also, retain the alias value of the certificate request, for use when you import the returned certificate, which must match a certificate request.