Generate CSR Instructions: IBM HTTP Server

Follow these instructions to generate a Private Key and CSR for your Web site.

Before You Begin

To work with certificates on your IBM server, IBM has a tool called IBM Key Management Utility (IKEYMAN). IKEYMAN is used to create key databases, public-private key pairs, and certificate requests. In order to use IKEYMAN you have to setup your system environment to be able to run IKEYMAN.

Set up your System Environment to run IKEYMAN

Set the home where the JDK is installed: EXPORT JAVA_HOME=the JDK home directory full path name
The minimum JDK level for IKEYMAN support: On AIX: 1.1.6+ or 1.1.8, On WIN32: 1.1.8, On HP, SUN and Linux: 1.1.7
If you want the ability to run IKEYMAN from any directory, add the path where IKEYMAN is installed to your PATH environment variable: EXPORT PATH=$IKEYMAN_HOME/bin:$PATH

Starting and Using IKEYMAN

To start the IKEYMAN graphical user interface:

On AIX, Linux, or Solaris, type ikeyman on the command line.
On Windows, go to the start UI and select Start Key Management Utility.

Creating a New Key Database

Before you can start working with certificates, keys, and requests you’ve got to create a new key database. A key database is a file that the server uses to store one or more key pairs and certificates. You can use one key database for all your key pairs and certificates or create multiple databases.

To create a new key database:

Enter ikeyman on a command line on Unix or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select Key Database File from the main UI, then select New.
In the New dialog box, enter your key database name or click key.kdb if you are using the default. Click OK.
In the Password Prompt dialog box, enter your correct password. Click OK.

Creating a new Key Pair and Certificate Signing Request (CSR)

Key pairs and certificate requests are stored in a key database. To create a public-private key pair and certificate request:

If you have not created the key database, see Creating a new key database above for instructions.
Enter ikeyman on a command line on Unix or start the Key Management utility in the IBM HTTP Server folder on Windows.
Select Key Database File from the main UI, then select Open.
In the Open dialog box, enter your key database name or click on key.kdb if you are using the default. Click OK.
In the Password Prompt dialog box, enter your correct password and click OK.
Select Create from the main UI, then select New Certificate Request.
In the New Key and Certificate Request dialog box, enter:
- Key Label: Enter a descriptive comment that is used to identify the key and certificate in the database.
- Keysize (1024 is recommended)

Fill in the remaining CSR information using the table below as a guide. When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ? , &

CSR Input Fields
Field	Explanation	Example
Common Name (CN) (host name, FQDN, etc.)	The fully qualified domain name for your web server. This must be an exact match.	If you intend to secure the URL https://www.domain.com, then your CSR's common name must be "www.domain.com". For https://secure.domain.com it must be "secure.domain.com". For just https://domain.com it must be just "domain.com". For https://owa.mailserver.net it must be "owa.mailserver.net". A Wildcard for https://sub.primary-domain.com must be "*.primary-domain.com". The asterisk must be included for Wildcard CSR's.
Organization (O)	The exact legal name of your organization. Do not abbreviate your organization name.	Metro Realty LLC or Flowers by Jenny
Organizational Unit (OU)	Section of the organization	Sales Division or IT or Marketing
City or Locality (L)	The city where your organization is legally located. Cannot be abbreviated.	Boston
State (S) or Province	The state or province where your organization is legally located. Cannot be abbreviated.	Massachusetts
Country (C)	The two-letter ISO abbreviation for your country.	US, CA, GB, (must be two-letters)
Email	Any email address. This field is arbitrary but must be filled in. GeoTrust will not use this email address to process your order.	user@domain.com
Key Bit Length	The key bit length has to do with the initial key exchange, not the encryption strength of your certificate.	GeoTrust recommends a key bit length of at least 1024

Click OK.
In the Information dialog box, click OK. You will be reminded to send the file to a certificate authority.
Save a copy of your CSR. The CSR will be needed during the purchase process. You'll be asked to copy-and-paste your CSR into a special CSR box.

Below is an example of what your CSR will look like. This is a example only and cannot be used to generate your SSL certificate. -----BEGIN CERTIFICATE REQUEST----- MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAw DgYDVQQHEwdBdGxhbnRhMREwDwYDVQQKEwhHZW9DZXJ0czEaMBgGA1UECxMRSW5l cm5ldCBNYXJrZXRpbmcxGTAXBgNVBAMTEHd3dy5nZW9jZXJ0cy5jb20xITAfBgkq hkiG9w0BCQEWEmFkbWluQGdlb2NlcnRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEA5KOi+RnRzBuBQeFYjrwZg1sfT7zr4L8j0Khuoj621x+lGBmFC76c kGclUIQBmuyp9T9NrNqAjGtEmgdFr6cWLJtgXgi+BaZDLX9BMYF49NuTggNoEUMX crQRAENHb2YthG2SEcF5p98RNcDPzWOA3a4AMvgkxDlDGYUhbcQhnt0CAwEAAaAA MA0GCSqGSIb3DQEBBAUAA4GBAIapt6Tw0BTYUwEAX0/oKvaaN/ghErR85jdW7xOD b1hL0yNfb495A7e/IQyBEP5a/v+QUOtibHS4geiPhH9etAI+DSQmctjbf6dMGJql gCXGwlsTbjPOSmNT+/X2Uvf1BlplwqAMDghEuFHsjshlypz1NEg94ri2K9N1VrBs +iAv -----END CERTIFICATE REQUEST-----

These instructions are derived from documentation on the IBM web site:

Learn more about securing your IBM HTTP Server
Learn more about securing your IKEYMAN at IBM