Ask a Question

Advanced Search

Solution ID : SO6229

Last Modified : 06/12/2019

Certificate Signing Request (CSR) Generation Instructions for IBM HTTP Server running IKEYMAN


This document provides instructions for generating a Certificate Signing Request (CSR) for IBM HTTP Server running IKEYMAN.  If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.

Step 1. Create a Key Database File (.kdb)

  1. Open the IKEYMAN Utility 

    On Windows click Start > Programs > IBM HTTP Server > Start Key Management Utility.

    On UNIX  platforms, start the iKeyman utility by running: /IHS root/bin/
  2. From the Menu Bar select "Key Database File"
  3. Click on NEW
  4. Type in a file name of new Key Database file
  5. Specify the location on the hard drive where the .kdb file will be stored
  6. Click OK

  7. Enter a password
    NOTE: This is the password that will be used to open the .kdb file in IKEYMAN in the future
  8. Make sure to click the box that states "Stash the password to a file?"
    NOTE: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.

  9. Click OK

Step 2. Generate the CSR

  1. Open the Key Database File (.kdb) using the IKEYMAN utility
  2. In the middle of the IKEYMAN GUI, there will be a section called "Key database content"
  3. Click on the "down arrow" to the right, to display a list of three choices
  4. Select "Personal Certificate Requests"

  5. From the Personal Certificate Requests section, click New

  6. Fill out the required information
    • Key Label is the name used to identify certificate in IKEYMAN
      NOTE: Using the site name (for example, as the label is a good practice.
    • Key Size must be at least 2048 bits
      If the 2048 bit Key Size does not appear in the drop down list, refer to IBM Support
    • Common Name (CN): The Common Name is the Host + Domain Name. It looks like "" or "".
      NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "" will receive a warning if accessing a site named "".
    • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
    • Organizational Unit (OU): This field is the name of the department or organization unit making the request.
    • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
    • Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
    • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
  7. Enter the name of a file in which to store the certificate request
    NOTE: Saving this file(.arm) in the same directory as the (.kdb) file is recommended
  8. Once the (.arm) file is saved, this completes the CSR generation process
  9. Verify your CSR
  10. Proceed with Enrollment

Once the SSL certificate has been issued follow these steps for installation

          For more information refer to IBM documentation
          For more information for creating a key with SHA algorythm, please click here