CERTIFICATE SIGNING REQUEST (CSR) GENERATION INSTRUCTIONS - IBM WEBSPHERE MQ

 

Description

To generate a CSR, you first need to create a key pair for your server. The public and private keys form a single key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

Geotrust recommends that you contact IBM for additional information.

Generate Keypair and CSR

NOTE: A key length of 1024 bit is the default, but Geotrust recommends the use of a 2048 bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048 bit key length will need to be selected.

Step 1: Preparing your system to use the iKeyman utility.

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
    Note: To use the iKeyman GUI, be sure that your machine can run the X Window System.
  2. Be sure to set the following:
    • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0
    • Ensure that the user's path contains /usr/bin.
    • Set the JAVA_HOME environment variable:
      • AIX: export JAVA_HOME=/usr/mqm/ssl/jre
      • HP-UX: export JAVA_HOME=/opt/mqm/ssl
      • Linux: export JAVA_HOME=/opt/mqm/ssl/jre
      • Solaris: export JAVA_HOME=/opt/mqm/ssl

Step 2: Setting up a key repository.

  1. Open the iKeyman GUI, or use the UNIX or Windows command line, and do one of the following:

      Using the iKeyman GUI:
      Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values for File Name and Location, and set a password.

      Using iKeycmd (UNIX command line)
      Use this command:
      gsk7cmd -keydb -create -db filename -pw password -type cms -expire days -stash

      Using iKeycmd (Windows command line)
      Use this command:
      runmqckm -keydb -create -db filename -pw password -type cms -expire days -stash

      where:
      • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
      • -pw password is the password for the CMS key database, with an extension .cms.
      • -type cms is the type of database.
      • -expire days is the expiration time in days of the database password. The default is 60 days.
      • -stash tells iKeycmd to stash the key database password to a file.

      On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set to give access only to the user ID from which you used iKeyman or iKeycmd.

  2. If you are running UNIX, run chmod to give access to an MCA. For example:
      chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb
      chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth
  3. If you are running a queue manager, change the key repository location. For example:
      ALTER QMGR SSLKEYR ('/var/mqm/qmgrs/QM1/ssl/MyKey')

Step 3: Generating a CSR.

Using the iKeyman GUI

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
  2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and select CMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the appropriate key database file, for example key.kdb.
  5. Click Open.
  6. Type the key database password and click OK.
  7. Click New Certificate Request from the Create menu.
  8. Type the following in the Key Label field:
      • For a queue manager, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
      • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.
  9. Type values for Common Name, Organization, Organizational Unit, City/Locality and State/Province, and select a Country from the list.
  10. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
  11. Click OK. When the confirmation window displays, click OK again.
  12. The file you created contains the CSR. Submit the CSR to Geotrust.

Using iKeycmd (command line interface)

  To generate a CSR in iKeycmd (using UNIX command line), use this command:
      gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

  To generate a CSR in iKeycmd (using Windows command line), use this command:
      runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

  where:
      • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
      • -pw password is the password for the CMS key database, with an extension .cms.
      • -label label is the key label attached to the certificate.
      • -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
      • -size key_size is the key size. We recommend that you make this value 2048.
      • -file filename is the filename for the certificate request.

  The file you created contains the CSR. Submit the CSR to Geotrust.
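
The rules this page gives for an iKeycmd certificate request (lowercase ibmwebspheremq key label, CN/O/C required, at most one OU, 2048 bit key, .kdb database) can be checked before the command is run. The script below is an added example, not part of the original instructions or of IBM's tooling; the function names, the KDB_PW variable and the sample DN are assumptions, and the DN is split on plain commas without handling escaped commas.

```sh
#!/bin/sh
# Added example: pre-flight checks for the gsk7cmd -certreq request.
# Function names are hypothetical; only the rules come from the page.

# Key label rule: "ibmwebspheremq" + queue manager name or user ID, lowercase.
mq_key_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Count how often attribute $2 (e.g. OU) occurs in the comma-separated DN $1.
dn_count() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | grep -c -i "^$2=" || true
}

# Validate the request; print the command line on success, return 1 otherwise.
# The password is left as the shell variable KDB_PW (an assumption) so that it
# is not written into the generated line.
csr_preflight() {
    qmgr=$1 dn=$2 size=$3 db=$4 out=$5
    case $size in
        ''|*[!0-9]*) echo "key size must be numeric" >&2; return 1 ;;
    esac
    if [ "$size" -lt 2048 ]; then
        echo "key size $size is below the recommended 2048" >&2; return 1
    fi
    for attr in CN O C; do
        if [ "$(dn_count "$dn" "$attr")" -lt 1 ]; then
            echo "DN is missing required attribute $attr" >&2; return 1
        fi
    done
    if [ "$(dn_count "$dn" OU)" -gt 1 ]; then
        echo "DN may carry only one OU attribute" >&2; return 1
    fi
    case $db in
        *.kdb) ;;
        *) echo "key database name must end in .kdb" >&2; return 1 ;;
    esac
    printf 'gsk7cmd -certreq -create -db %s -pw "$KDB_PW" -label %s -dn "%s" -size %s -file %s\n' \
        "$db" "$(mq_key_label "$qmgr")" "$dn" "$size" "$out"
}

# Constructed sample input (not from the page).
csr_preflight QM1 "CN=mq.example.com,O=Example Corp,OU=Messaging,C=US" \
    2048 /var/mqm/qmgrs/QM1/ssl/key.kdb certreq.arm
```

On Windows the same checks apply with runmqckm in place of gsk7cmd.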
