[AIX Solaris HP-UX Linux Windows]

Creating a self-signed certificate

It usually takes two to three weeks to get a certificate from a well known certificate authority (CA). While waiting for a certificate to be issued, use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients and the server. Use this procedure if you act as your own CA for a private Web network.

About this task

Complete the following steps to create a self-signed certificate:


  1. If you have not created the key database, see Creating a new key database for instructions.
  2. Start the IKEYMAN user interface.
  3. Click Key Database File from the main UI, and then click Open.
  4. Enter your key database name in the Open dialog box, or click the key.kdb file, if you use the default. Click OK.
  5. In the Password Prompt dialog box, enter your correct password and click OK.
  6. Click Personal Certificates in the Key Database content frame, and click the New Self-Signed radio button.
  7. Enter the following information in the Password Prompt dialog box:
    • Key label: Enter a descriptive comment to identify the key and certificate in the database.
    • Key size: Choose your level of encryptions from the drop-down menu.
    • Common Name: Enter the fully qualified host name of the Web server as the common name. Example: www.myserver.com.
    • Organization Name: Enter your organization name.
    • Optional: Organization Unit
    • Optional: Locality
    • Optional: State/Province
    • Optional: Zip code
    • Country: Enter a country code. Specify at least two characters. Example: US Certificate request file name, or use the default name.
    • Validity Period

    A checksum of the certificate request is cryptographically signed with the new private key, and contains a copy of the new public key. The public key can then be used by a certificate authority to validate that the certificate signing request (CSR) has not been tampered with. Some certificate authorities might require that the checksum that is signed by the public key be calculated with a stronger algorithm such as SHA-1 or SHA-2 (SHA-256, SHA-384, SHA-256).

    This checksum is a the "Signature Algorithm" of the CSR.
    Note: IBM HTTP Server 8.0 ships IKEYMAN version 8.x. When using IKEYMAN version 8.x to create a certificate request, the user is asked to select a signature algorithm from a pull-down list.

    Subject Alternate Name (SAN) extensions are fields in a certificate request that inform SSL Clients of alternate hostnames that correspond to the signed certificate. Normal certificates (issued without a wildcard string in their Distinguished Name) are only valid for a single hostname. For example, a certificate created for example.com is not valid on www.example.com unless a Subject Alternate Name of "www.example.com" is added to the certificate. A certificate authority may charge an additional fee if your certificate contains 1 or more SAN extensions.

  8. Click OK.