Knowledge Base

Create a CSR & install your SSL certificate using OpenSSL

These instructions assume that you already own your IBM Bluemix account and that you have configured the custom domain for your application. For more information, visit IBM Cloud Bluemix. If you need instructions for IBM Watson IoT Platform, see IBM Watson IoT Platform: Create CSR & Install Messaging Server SSL Certificate for Your Watson IoT Organization (OpenSSL).

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate.

1. To create your certificate signing request (CSR), see IBM Bluemix: Creating Your CSR with OpenSSL.

2. To install your SSL certificate, see IBM Bluemix: Using OpenSSL & Bluemix Console to Install Your SSL Certificate.

If you're looking for a simpler way to create CSRs and install and manage your SSL certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and install your SSL certificate. See IBM Bluemix: Create CSR & Install SSL Certificate (DigiCert Utility).

IBM Bluemix | Creating Your CSR with OpenSSL

Use the instructions below for using OpenSSL to create your own shell commands for generating your IBM Bluemix CSR.

Recommended: Save yourself some time. Use the DigiCert OpenSSL CSR Wizard to generate an OpenSSL command for creating your IBM Bluemix CSR. Just fill in the form details, click Generate, and then paste your customized OpenSSL command into your terminal.

How to Generate a CSR for IBM Bluemix Using OpenSSL

If you prefer, you can build your own shell commands for generating your IBM Bluemix CSR.

1. Use your terminal client (ssh) to log into your server/workstation.

2. At the prompt, enter the following command:

   Note: Make sure to replace server with the name of your server/workstation.

   openssl req –new –newkey rsa:2048 –nodes –keyout server.key –out server.csr

3. You have now started the process for generating the following two files:

   • Private-Key File – For the decryption of your SSL certificate
   • CSR File – For ordering your SSL certificate

4. When prompted for the Common Name (domain name), type the fully qualified domain name (FQDN) for the site that you are going to secure.

5. When prompted, type your organizational information, beginning with your geographic information.

   Note: You may have already set up default information.

6. Open the .csr file that you created with a text editor.

7. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

8. Save the (back up) the generated .key file. You need it later when installing your SSL certificate.

9. After you receive your SSL certificate from DigiCert, you can install it.

IBM Bluemix | Using the OpenSSL & Bluemix Console to Install Your SSL Certificate

If you have not yet created a certificate signing request (CSR) and ordered your certificate, see IBM Bluemix | Creating Your CSR with OpenSSL.

After receiving your SSL certificate, you need to copy it to your server/workstation, upload it to your IBM Bluemix account, and then configure your application to use it.

         Copy the SSL Certificate File to Your Server/Workstation

1. Download your Intermediate (DigiCertCA.crt) and Primary Certificate (your_domain_name.crt) files from your DigiCert account, then copy them to the directory on your server/workstation where you will keep your certificate and key files. Make them readable by the root only.

2. Once you have the private key and certificate files, you can upload them to your IBM Bluemix account and configure your application to use them.
   
   Upload the SSL Certificate to Your IBM Bluemix Account

3. In a browser, open and log into the IBM Bluemix account.

4. On the Dashboard, select the application you want the SSL certificate to secure.
   
   

   
   

5. On the app Overview page, next to View app, click the down arrow and select Manage domains.

   

6. On the Manage Organizations page, on the Domains tab, to the right of the application in the SSL Certificate column, click the upload symbol.

   

7. In the Upload Certificate window, do the following:

   Certificate:	Click Browse. Then locate and select your server certificate .crt file (e.g., star_digicert_support.crt).
   Private Key:	Click Browse. Then locate and select your private key .key file (e.g., star_digicert_support.key).
   Intermediate Certificate:	Click Browse. Then, locate and select the intermediate certificate .crt file (e.g., DigiCertCA.crt).

   

8. When you are finished, click Upload.
   
   Configure Your Application to Use the SSL Certificate

9. Within the Manage Organizations section, on the Add Domain page, to the right of the application in the SSL Certificate column, you should see a green certificate symbol.

   Note: After you upload your certificate, it may take some time to propagate the certificate chain to the apps.

   

10. Click the green certificate symbol to view the uploaded certificate.

    

11. To verify that your application is using your SSL certificate, do the following:

    1. Navigate to the application Dashboard.

       

    2. On the Dashboard, select the application that you secured with the SSL certificate.
       
       

       
       

    3. On the app Overview page, next to View app, click the down arrow and select Edit routes.

       

    4. In the Edit routes window, to the right of the application you just secured, click the green lock to verify that the route has been secured.

12. As a final check, open your application in a browser and the address bar. Click on the green lock to the left of the URL and view the certificate details.

    Note: After you upload your certificate, it may take some time to propagate the certificate chain to the apps.

    

13. Congratulations! You have successfully installed your application's SSL certificate.