Creating a Certificate Signing Request

If you are looking to offer SSL web services from your IBM i, you will need a server certificate to authenticate the connection. In order to receive a certificate from a recognized Certificate Authority - like VeriSign or LetsEncrypt - you’ll need to submit a Certificate Signing Request.

This guide shows the process using the new DCM interface. For instructions using heritage DCM, click here.

Accessing DCM

To begin, verify that the *ADMIN HTTP server job is running with the following command:

WRKSBSJOB SBS(QHTTPSVR)

If you don’t see *ADMIN in the list, please run the following command to start it:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

After you’ve ensured that the *ADMIN server is running, open a web browser, and go to http://YourIBMIPAddress:2006/dcm/ - you should see a login page as seen below:

DCM Login

You will want to log in to DCM using a profile with elevated permissions.

Open the *SYSTEM certificate store by first clicking on the “Open Certificate Store” link under the Actions header, then select *SYSTEM:

*SYSTEM Store

Enter your *SYSTEM store password when prompted and click “open”.

Create the Certificate Signing Request

Under the “Certificates” heading on the main page, click “Create”:

Create Certificate

Select “Local CA” if you intend to create a self-signed cert. For our purposes, we’ll click “Internet CA” to create a certificate signed by a Certificate Authority:

Create Internet CA

On the form that appears, populate the required fields and any additional fields as needed by your organization. When complete, click the “Create” link at the bottom:

Internet CA Form

On the next page, you’ll see the generated CSR - a Base64-encoded character string inside boundaries (denoted by -----):

Generated CSR

Copy the entire text and save it somewhere memorable on your computer. DO NOT EXIT THE PAGE UNTIL YOU HAVE THIS SAVED. Once you leave the page, the CSR data cannot be recovered.