Generate and install an SSL Certificate on a TPMfOSD server in FIPS mode



This procedure provides additional instructions on how to generate and install an SSL certificate after GSKit has been enabled on TPMfOSD for FIPS compliance.


Procedure summary:
1. Generate a Certificate Signing Request (CSR) that is sent to the Certificate
Authority (CA), who then returns a signed certificate used by the TPMfOSD Web
server to identify itself to the client's browser.

2. Install the certificate on the TPMfOSD Web server.

1. Generating a Certificate Signing Request (CSR)

To acquire a certificate from a Certificate Authority (CA), you must first
submit a Certificate Signing Request (CSR).
The IBM Java Runtime Environment has an application that can generate
certificate requests. This tool is called iKeyman. iKeyman is a servlet that
collects information from your system and generates a private key file and a
certificate request file. The servlet lets you submit the CSR file to a CA
(such as VeriSign) for signing.
The following procedures describe how to generate a CSR:
1. Start the key management utility iKeyman.
Find and execute gsk7ikm in the ../gsk7 directory.
2. Create a keyfile or open an existing key database file.
3. Select the Signer Certificates or Personal Certificates menu and click
Personal Certificate Requests.
4. Click New.
5. Complete the following fields:
Key Label
Common Name
File Name
6. Click OK.
A dialog window appears stating that the certificate request is generated and
stored in the previously specified file.
7. Click OK.
The dialog window closes.
8. Exit iKeyman.
9. Submit the certificate request to the appropriate CA.
2. Installing the Signed Certificate

The discussion in this section assumes you have received a signed certificate
from the Certificate Authority. Additionally, you have saved this certificate
file in a temporary directory.
The following procedures describe how to install a certificate using iKeyman.

1. Start the key management utility iKeyman.
2. Open the database file used to create the certificate request.
3. Click the Personal Certificate Requests menu and click Personal
4. Click Receive.
5. Click Data Type and select the data type of the digital certificate.
For ASCII-formatted certificates, select the "Base64-encoded ASCII Data" data type.
For binary-formatted certificates, select the "Binary DER Data" data type.
6. Specify the temporary directory location and file name of the certificate.
7. Click OK.
8. Type the label of the new digital certificate and click OK.
iKeyman saves the certificate in the key database file and the certificate is
listed in the Personal Certificates list.
9. Exit iKeyman.
If the Web server uses a self-signed certificate instead of a certificate
issued by a CA such as VeriSign, then the client browser prompts the user to
decide whether to trust the unknown signer of the server's certificate.
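Step 5 requires choosing the data type that matches the file the CA returned. The following added example (not part of the original technote, standard library only) classifies a certificate file as "Base64-encoded ASCII Data" or "Binary DER Data" and rejects a truncated download before it reaches the key database; the sample bytes are a constructed DER SEQUENCE standing in for a real certificate.

```python
"""Classify a CA-returned certificate file as the iKeyman data type
("Base64-encoded ASCII Data" or "Binary DER Data") before importing it.
Added example, not from the original technote; stdlib only."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_length(data: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, or -1
    if the header is not a SEQUENCE or the length field is malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'Base64-encoded ASCII Data', 'Binary DER Data', or 'invalid'."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            return "invalid"
        kind = "Base64-encoded ASCII Data"
    else:
        der, kind = data, "Binary DER Data"
    # A complete DER object's declared length must equal what is on disk;
    # anything else is truncated, padded, or not a certificate at all.
    return kind if der_length(der) == len(der) else "invalid"


# Constructed sample: a tiny DER SEQUENCE (INTEGER 5) standing in for a cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("cert.arm", SAMPLE_PEM), ("cert.cer", SAMPLE_DER),
                       ("cut.cer", SAMPLE_DER[:-1])]:
        print(f"{name}: select {classify(blob)!r}")
```

Run it against the file saved in the temporary directory from the CA; the result is the data type to select in the Receive dialog, and 'invalid' means the file should be re-downloaded rather than imported.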

