IBM Websphere

Creating a keystore

On the IBM WebSphere server, you are required to create a keystore prior to generating private keys and certificate signing requests. You can create the keystore with the Oracle keytool or with the ikeyman tool from IBM. We will utilize the ikeyman method for this documentation.

First, start the ikeyman tool. Run the following command:

# ./

The IBM Key Management interface will start after running the command. From the "Key Database File" menu, choose the "New" option. In the next dialog box, choose the following options:

  • Key database type: Choose JKS.
  • File name: Your keystore name. We will use .keystore for this example.
  • Location: Your keystore location. We will use /usr/bin/java/websphere/bin/ for this example.
  • Press "OK" when you are finished.

Creating the CSR

The next screen will ask for your company information to be included on the CSR. For the key label, choose a name for your key. We recommend using a name similar to your hostname so that you can keep your keys separated. Be sure to choose 2048 bits or higher for the key size.

Now, the Key Manager will ask for your company information. As you complete these steps, please keep the following in mind:

Certificate Information Guidelines

Location - Enter the location where your business operates, not where your server is located. If you are an international customer in a country without a State/Province or City/Locality, leave those fields blank.

  • Country Name - Enter the two letter International Organization for Standardization (ISO) abbreviation of the country where your organization is legally located.
  • State/Province - Spell out the entire name of your state or province. For example, if your business operates in Texas, enter "Texas" and not "TX".
  • City/Locality - Spell out the entire name of your city or locality.

Organization - Enter the full, unabbreviated legal name of your business. Include any applicable suffix, such as "Inc" or "LLC". If your company name is registered in an abbreviated form, then you may use that abbreviation if you want.

Organizational Unit - This field will not be included in your certificate, so you can leave it blank.

Common Name - Enter the web address of your site. It must be a fully qualified domain name. Both and are acceptable. Do not include http:// or https://. When ordering a wildcard Server Certificate, you will use *

Email Address - Enter the address of the person responsible for digital certificates in your organization. This field is optional.

After you enter your company information, you will need to specify a file in which to store your CSR. Use the same directory as your keystore. For this example, we will call the CSR certreq.arm.

When you are finished, click "OK".

Protect your new private key for a digital certificate

  1. Never give this file to anyone outside your company. Also restrict the access to it to the smallest possible group of employees.
  2. When you get your certificate, you must install this private key in a secure folder that has limited access to a root user and is protected with read-only permission.
  3. Backup your private key. There is no way to recover it if it is lost. Protect that backup with additional security such as an encrypted or password-protected backup. Your private key is integral to the digital certificate process.
  4. If you suspect that your private key is compromised, alert VikingCloud™ immediately. VikingCloud will revoke your certificate so that you can generate a new private key and CSR. You can then submit the new CSR for VikingCloud to reissue your certificate.

The Key Management tool should now display an information window alerting you that your CSR has been created and stored in a file. Note the location of the file and click "OK".

Submit the CSR to VikingCloud

Now navigate to the location of your saved CSR and open it with a suitable text editor such as Notepad, TextEdit, or vi. Copy the entire text - including the top and bottom dashed lines. You can paste this text directly into the VikingCloud Control Center - Submit your CSR to proceed to validation.