Creating a Certificate Signing Request

If you are looking to offer SSL web services from your IBM i, you will need a server certificate to authenticate the connection. In order to receive a certificate from a recognized Certificate Authority - like VeriSign or LetsEncrypt - you’ll need to submit a Certificate Signing Request.

The first step is to log into DCM:

Once in the DCM interface, click the button to Select a Certificate Store and choose the *SYSTEM store:

With the *SYSTEM store selected, click the link in the left-hand menu to Create Certificate:

We’ll be creating a server certificate - select the option for a Server or client certificate:

We want a third-party Certificate Authority to sign this certificate - select the option for VeriSign or other Internet Certificate Authority (CA):

This is the Certificate Signing Request form. Choose the key algorithm and key size recommended by your chosen Certificate Authority. Give the certificate a recognizable label. The certificate common name must match the exact host or domain name for your web site or service - for example, if your web service is hosted at www.example.com, you must enter www.example.com in the “Common name” field.

After submitting the Certificate Signing Request form, you’ll be presented with the Certificate Request. You must copy and save this data - you will not be able to retrieve this data after leaving this page. Copy this text - including the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines - to a file and save it to your computer. You will need to provide this data to your chosen Certificate Authority when requesting your server certificate.