z/OS Cryptographic Services System SSL Programming


Create a self-signed certificate

SC14-7495-00

This option creates a self-signed certificate using either RSA, DSA, or ECC encryption for the public and private keys, and a certificate signature that is based on a SHA digest algorithm. The SHA digest algorithm that is used depends on the key algorithm that is chosen for the certificate:
  • If an RSA certificate is requested, the user is prompted to choose the SHA digest algorithm required.
  • An ECC certificate uses the suggested digest for the key size of the ECC key, as specified in Table 1.
  • A 1024-bit DSA certificate uses SHA-1. For a 2048-bit DSA certificate, the user is prompted to choose the SHA digest algorithm required.
Possible signature algorithms are:
  • x509_alg_sha1WithRsaEncryption
  • x509_alg_sha224WithRsaEncryption
  • x509_alg_sha256WithRsaEncryption
  • x509_alg_sha384WithRsaEncryption
  • x509_alg_sha512WithRsaEncryption
  • x509_alg_dsaWithSha1
  • x509_alg_dsaWithSha224
  • x509_alg_dsaWithSha256
  • x509_alg_ecdsaWithSha256
  • x509_alg_ecdsaWithSha384
  • x509_alg_ecdsaWithSha512
The certificate can be created for use by a certification authority or an end user. A CA certificate can be used to sign other certificates and certificate revocation lists while an end user certificate can be used for authentication, digital signatures, and data encryption.
For key databases:
The label has a maximum length of 127 characters and is used to reference the certificate in the request database. The label is also used when the certificate is received, so it must be unique in both the request and key databases. It must consist of characters that can be represented as 7-bit ASCII characters (letters, numbers, and punctuation) in the ISO8859-1 code page.
For tokens:
The label has a maximum length of 32 characters and is used to reference the certificate request. The label is also used when the certificate is received, so it must be unique in the token. It must consist of characters that can be represented in the IBM1047 code page.

The number of days until the certificate expires must be between 1 and 9999.

The subject name and one or more subject alternate names can be specified for the new certificate. The subject name is always an X.500 directory name, while a subject alternate name can be an X.500 directory name, a domain name, an email address, an IP address, or a uniform resource identifier. An X.500 directory name consists of common name, organization, and country attributes with optional organizational unit, city/locality, and state/province attributes. A domain name is one or more tokens separated by periods. An email address consists of a user name and a domain name separated by '@'. An IP address is an IPv4 address (nnn.nnn.nnn.nnn) or an IPv6 address (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn). A uniform resource identifier consists of a scheme name, a domain name, and a scheme-specific portion (for example: http://www.endicott.ibm.com/main.html).
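The input rules above (label length and character set, validity period, the five subject alternate name forms, the required and optional X.500 attributes, and the digest choice per key algorithm) can be checked before the interactive gskkyman dialog is started. The following is an added example written for this page; it is not IBM code and does not call gskkyman. It assumes that the digest prompt is modelled by a `chosen_digest` parameter, that the ECC key-size-to-digest mapping from Table 1 (not reproduced on this page) is the usual 256/384/521 to SHA-256/384/512 pairing, and that the IBM1047 code page covers the same character repertoire as ISO-8859-1, so Latin-1 encodability stands in for the token label check.

```python
import ipaddress
import re
import string
from urllib.parse import urlsplit

# Signature algorithm identifiers as listed on the page.
RSA_DIGESTS = {d: "x509_alg_%sWithRsaEncryption" % d
               for d in ("sha1", "sha224", "sha256", "sha384", "sha512")}
DSA_DIGESTS = {"sha1": "x509_alg_dsaWithSha1",
               "sha224": "x509_alg_dsaWithSha224",
               "sha256": "x509_alg_dsaWithSha256"}
# ASSUMPTION: Table 1 is not on this page; this is the common curve/hash pairing.
ECC_DIGEST_BY_KEY_SIZE = {256: "x509_alg_ecdsaWithSha256",
                          384: "x509_alg_ecdsaWithSha384",
                          521: "x509_alg_ecdsaWithSha512"}

REQUIRED_DN_ATTRS = {"CN", "O", "C"}          # common name, organization, country
OPTIONAL_DN_ATTRS = {"OU", "L", "ST"}         # org unit, city/locality, state/province
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")  # tokens joined by periods


def signature_algorithm(key_type, key_size, chosen_digest=None):
    """Return the signature algorithm the page's rules imply for a key.

    chosen_digest stands in for the interactive prompt: it is required for RSA
    and for 2048-bit DSA and is ignored otherwise.
    """
    if key_type == "RSA":
        if chosen_digest not in RSA_DIGESTS:
            raise ValueError("RSA certificate: a SHA digest must be chosen")
        return RSA_DIGESTS[chosen_digest]
    if key_type == "DSA":
        if key_size == 1024:
            return DSA_DIGESTS["sha1"]           # fixed for 1024-bit DSA
        if key_size == 2048:
            if chosen_digest not in DSA_DIGESTS:
                raise ValueError("2048-bit DSA certificate: a SHA digest must be chosen")
            return DSA_DIGESTS[chosen_digest]
        raise ValueError("unsupported DSA key size %r" % key_size)
    if key_type == "ECC":
        if key_size not in ECC_DIGEST_BY_KEY_SIZE:
            raise ValueError("unsupported ECC key size %r" % key_size)
        return ECC_DIGEST_BY_KEY_SIZE[key_size]
    raise ValueError("key type must be RSA, DSA or ECC")


def validate_label(label, store):
    """True if the label satisfies the key database or token rules."""
    if store == "database":
        # 7-bit ASCII letters, numbers and punctuation, at most 127 characters.
        ok_chars = all(c.isascii() and (c.isalnum() or c in string.punctuation)
                       for c in label)
        return 0 < len(label) <= 127 and ok_chars
    if store == "token":
        # ASSUMPTION: IBM1047 repertoire == ISO-8859-1 repertoire.
        try:
            label.encode("latin-1")
        except UnicodeEncodeError:
            return False
        return 0 < len(label) <= 32
    raise ValueError("store must be 'database' or 'token'")


def validate_validity_days(days):
    """The expiry period must be between 1 and 9999 days."""
    return isinstance(days, int) and 1 <= days <= 9999


def parse_directory_name(text):
    """Parse 'CN=...,O=...,C=...' and enforce the page's attribute rules.

    Simplification for this example: attribute values must not contain commas.
    """
    attrs = {}
    for part in text.split(","):
        if "=" not in part:
            raise ValueError("attribute must be TYPE=value: %r" % part)
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        if typ not in REQUIRED_DN_ATTRS | OPTIONAL_DN_ATTRS:
            raise ValueError("unsupported attribute type %r" % typ)
        attrs[typ] = val.strip()
    missing = REQUIRED_DN_ATTRS - attrs.keys()
    if missing:
        raise ValueError("directory name missing %s" % sorted(missing))
    return attrs


def classify_san(value):
    """Classify a subject alternate name as ip, uri, email, directory or dns."""
    try:
        ipaddress.ip_address(value)           # IPv4 or IPv6 literal
        return "ip"
    except ValueError:
        pass
    parts = urlsplit(value)                   # scheme + domain + scheme-specific part
    if parts.scheme and parts.netloc and DOMAIN_RE.match(parts.hostname or ""):
        return "uri"
    if value.count("@") == 1:                 # user name '@' domain name
        user, domain = value.split("@")
        if user and DOMAIN_RE.match(domain):
            return "email"
    if "=" in value:
        parse_directory_name(value)           # raises if malformed
        return "directory"
    if DOMAIN_RE.match(value):
        return "dns"
    raise ValueError("unrecognised subject alternate name: %r" % value)
```

Running the checks up front turns a rejected prompt inside the dialog into a clear error before any key material is generated; the constructed values in the test (`www.example.com`, `alice@example.com`, `10.1.2.3`) are illustrative only.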
Note: A self-signed end-entity certificate (server or client certificate) is not suggested for use in production environments and should only be used to facilitate test environments before production. Self-signed certificates do not imply any level of security or authenticity of the certificate because, as their name implies, they are signed by the same key that is contained in the certificate. However, certificates that are signed by a certificate authority indicate that, at least at the time of signature, the certificate authority approved the information that is contained in the certificate.

Copyright IBM Corporation 1990, 2014