Ask a Question

Advanced Search

Solution ID : SO22433

Last Modified : 05/31/2019

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for IBM HTTP Server running IKEYMAN


This document provides instructions for generating a Certificate Signing Request (CSR) for IBM HTTP Server running IKEYMAN.  If you are unable to use these instructions for your server, DigiCert recommends that you contact IBM.
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

Step 1: Create a Key Database File (.kdb)

  1. Open the IKEYMAN Utility 

    On Windows click Start > Programs > IBM HTTP Server > Start Key Management Utility.

    On UNIX  platforms, start the iKeyman utility by running: /IHS root/bin/
  2. From the Menu Bar select Key Database File.
  3. Click on NEW.
  4. Type in a file name of new Key Database file.
  5. Specify the location on the harddrive where the .kdb file will be stored.
  6. Click OK.

  7. Enter a password.
    NOTE: This is the password that will be used to open the .kdb file in IKEYMAN in the future.
  8. Make sure to click the box that states Stash the password to a file?
    NOTE: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.

  9. Click OK.

Step 2: Generate the CSR

  1. Open the Key Database File(.kdb) using the IKEYMAN utility.
  2. In the middle of the IKEYMAN GUI, there will be a section called Key database content.
  3. Click on the "down arrow" to the right, to display a list of three choices.
  4. Select Personal Certificate Requests.

  5. From the Personal Certificate Requests section, click New.

  6. Fill out the required information:

    • Key Label is the name used to identify certificate in IKEYMAN..
    • Key Size must be at least 2048 bits.  If 2048 is not available, the server software will need to be updated.
    • Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
    • Organization (O): The full legal name of your company.
    • Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
    • Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
    • Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
    • State or Province (S): Enter the full name of your state or province.
      Note: Make sure the State or Province is not abbreviated (e.g. California).
  7. Enter the name of a file in which to store the certificate request.
    NOTE: Saving this file(.arm) in the same directory as the (.kdb) file is recommended.
  8. Once the (.arm) file is saved, this completes the CSR generation process
  9. Verify your CSR
  10. Proceed with Enrollment.

Once the SSL certificate has been issued, follow the steps from this link to install it on the server.

          For more information refer to IBM documentation
          For more information for creating a key with SHA algorythm, please click here