I am trying to generate a Certificate Request so that I can get a certificate from my Certificate Authority. According to Page 7 of the Remote Control Administrator’s Guide you launch ikeyman.bat and open the key.p12 file located at installdir\PROFILES\TRCPROFILE\config\cells\defaultNode\nodes\defaultNode. The problem is that with version 9 of Remote Control there is no longer a PROFILES directory. And I can’t locate any P12 files on the system. Is this just a section that didn’t go through QA? Has anyone been able to generate a Certificate Request on version 9?
I was able to find a key.jks file, which is the default file type for ikeyman.bat and is located at installdir\wlp\usr\servers\trcserver\resources\security\, but the default password doesn’t unlock the file.
Apologies for the problem with the documentation, we’ll review it and make sure it reflects the changes for v9.
To answer your question, there is a reference to the keystore in the file memory.xml, by default available at installdir\wlp\usr\servers\trcserver\memory.xml. In that configuration tag you can find the default password for the keystore. Note that if you change the keystore password you’d need to modify the value of this configuration setting to reflect the password you set, so the application server can access the certificate stored within.
You can also check the section “Keystore Configuration” at
I was able to access the Keystore password and get into the keystore and generate the Certificate Request but my CA is saying that it produced an error. The errors are typically due to key size or RSA. Our Certificates are signed using SHA256RSA and are 2048 Bits. When I generated the CSR I selected a key size of 2048 and Signature Algorithm of SHA2WithRSA.
Something you can try is to use openssl to check the CSR file and see if it can read it with a command like the following:
openssl req -in certreq.arm -noout -text
I have tried generating a CSR with the version of ikeyman included with the RC server (at INSTALL_DIR\java\jre\bin) and doing roughly as documented in this technote about how to use ikeyman to generate CSRs ( http://www-01.ibm.com/support/docview.wss?uid=swg21006430 ) and the CSR seems well formatted and the output from this command shows it’s signed with RSA with a 2048-bit key:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=myhostname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
<...>
If your CSR can’t be read by openssl, we can hopefully see the error and get a better idea of what is the problem.
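The openssl check suggested above can be turned into a pre-flight test run before the request goes to the CA. This is an added example, not part of the original thread or the product: the function names check_csr and make_sample_csr are hypothetical, and the defaults (2048 bits, sha256WithRSAEncryption) are assumptions taken from the CA requirements stated earlier in the thread.

```shell
#!/bin/sh
# Added example: pre-flight check of a CSR before it is sent to the CA.
# Usage: sh check_csr.sh certreq.arm [MIN_BITS] [SIG_ALG]

# make_sample_csr DIR: writes DIR/sample.csr, a constructed request used only
# to exercise check_csr (CN=myhostname, RSA 2048, SHA-256 signature).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=myhostname" \
        -keyout "$1/sample.key" -out "$1/sample.csr" >/dev/null 2>&1
}

# check_csr FILE [MIN_BITS] [SIG_ALG]: returns 0 only when the request parses,
# its self-signature verifies, and key size and signature algorithm match.
check_csr() {
    csr=$1; min_bits=${2:-2048}; want_sig=${3:-sha256WithRSAEncryption}

    # The verdict is matched in the output text because the exit status
    # alone is not reliable across openssl releases.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: CSR unreadable or self-signature invalid"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1

    # "Public-Key: (2048 bit)" -> 2048
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # "Signature Algorithm: sha256WithRSAEncryption" -> sha256WithRSAEncryption
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)

    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key size '${bits:-unknown}' is below $min_bits bits"; return 1
    fi
    if [ "$sig" != "$want_sig" ]; then
        echo "FAIL: signature algorithm '$sig', expected '$want_sig'"; return 1
    fi
    echo "OK: $bits-bit key, $sig, self-signature verified"
}

# Run the check when a file is given on the command line.
if [ $# -gt 0 ]; then check_csr "$@"; fi
```

A FAIL line names the first property that does not match, which narrows down whether a CA rejection is about the key size, the signature algorithm, or a damaged request file.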
I ended up recreating the CSR exactly the same way that I did before but this time our CA was able to use it and generate the SSL certificate for us. I was able to load it into the application and it is working. Unfortunately, because of the upgrade to the forums, I am unable to mark this as answered because it is now owned by SystemAdmin.