These instructions assume that you already own your IBM Bluemix account and that you have configured the custom domain for your application. For more information, visit IBM Cloud Bluemix. If you need instructions for IBM Watson IoT Platform, see IBM Watson IoT Platform: Create CSR & Install Messaging Server SSL Certificate for Your Watson IoT Organization (OpenSSL).
Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate.
To create your certificate signing request (CSR), see IBM Bluemix: Creating Your CSR with OpenSSL.
To install your SSL certificate, see IBM Bluemix: Using OpenSSL & Bluemix Console to Install Your SSL Certificate.
If you're looking for a simpler way to create CSRs and install and manage your SSL certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and install your SSL certificate. See IBM Bluemix: Create CSR & Install SSL Certificate (DigiCert Utility).
Use the instructions below for using OpenSSL to create your own shell commands for generating your IBM Bluemix CSR.
How to Generate a CSR for IBM Bluemix Using OpenSSL
If you prefer, you can build your own shell commands for generating your IBM Bluemix CSR.
Use your terminal client (ssh) to log into your server/workstation.
At the prompt, enter the following command:
openssl req –new –newkey rsa:2048 –nodes –keyout server.key –out server.csr
You have now started the process for generating the following two files:
When prompted for the Common Name (domain name), type the fully qualified domain name (FQDN) for the site that you are going to secure.
When prompted, type your organizational information, beginning with your geographic information.
Open the .csr file that you created with a text editor.
Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
Save the (back up) the generated .key file. You need it later when installing your SSL certificate.
After you receive your SSL certificate from DigiCert, you can install it.
If you have not yet created a certificate signing request (CSR) and ordered your certificate, see IBM Bluemix | Creating Your CSR with OpenSSL.
After receiving your SSL certificate, you need to copy it to your server/workstation, upload it to your IBM Bluemix account, and then configure your application to use it.
Copy the SSL Certificate File to Your Server/Workstation
Download your Intermediate (DigiCertCA.crt) and Primary Certificate (your_domain_name.crt) files from your DigiCert account, then copy them to the directory on your server/workstation where you will keep your certificate and key files. Make them readable by the root only.
Once you have the private key and certificate files, you can upload them to your IBM Bluemix account and configure your application to use them.
Upload the SSL Certificate to Your IBM Bluemix Account
In a browser, open and log into the IBM Bluemix account.
On the Dashboard, select the application you want the SSL certificate to secure.
On the app Overview page, next to View app, click the down arrow and select Manage domains.
On the Manage Organizations page, on the Domains tab, to the right of the application in the SSL Certificate column, click the upload symbol.
In the Upload Certificate window, do the following:
Certificate: | Click Browse. Then locate and select your server certificate .crt file (e.g., star_digicert_support.crt). |
Private Key: | Click Browse. Then locate and select your private key .key file (e.g., star_digicert_support.key). |
Intermediate Certificate: | Click Browse. Then, locate and select the intermediate certificate .crt file (e.g., DigiCertCA.crt). |
When you are finished, click Upload.
Configure Your Application to Use the SSL Certificate
Within the Manage Organizations section, on the Add Domain page, to the right of the application in the SSL Certificate column, you should see a green certificate symbol.
Click the green certificate symbol to view the uploaded certificate.
To verify that your application is using your SSL certificate, do the following:
Navigate to the application Dashboard.
On the Dashboard, select the application that you secured with the SSL certificate.
On the app Overview page, next to View app, click the down arrow and select Edit routes.
In the Edit routes window, to the right of the application you just secured, click the green lock to verify that the route has been secured.
As a final check, open your application in a browser and the address bar. Click on the green lock to the left of the URL and view the certificate details.
Congratulations! You have successfully installed your application's SSL certificate.