IBM – HTTP Server


To generate a CSR, you first need to create a key pair for your server. The public and private keys form a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and a replacement has to be made.

Generate a Key Pair and CSR
NOTE: A key length of 1024 bits is the default, but Geotrust recommends the use of a 2048-bit key.
If the request is intended for an Extended Validation certificate or a certificate with a validity period beyond December 31, 2013, the 2048-bit key length will need to be selected.
Step 1: Generate a keypair

Note: For Extended Validation certificates the key bit length must be 2048.

Use the utility “openssl” to generate the key and CSR.

1. This utility comes with the OpenSSL package. It is usually installed under /usr/local/ssl/bin. (If you have installed openssl elsewhere, you will need to adjust these instructions accordingly.)

2. Generate a private key using the following command:

openssl genrsa -des3 2048 > Geotrust.key

Note: To create a private key that is not encrypted with a passphrase, simply remove -des3 from the command.

Step 2: Generate a Certificate Signing Request (CSR)

1. Change directory to your SSL Certificate directory: cd /usr/local/ssl/crt

2. Generate a CSR using the following command:

openssl req -new -key ./Geotrust.key > Geotrust.csr

You have just created a key pair and a CSR.

3. To copy and paste the information into the enrollment form, open the file Geotrust.csr in a text editor that does not add extra characters (Notepad or vi are recommended).

4. Paste the information into the enrollment form when prompted for the CSR.
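
Before pasting the CSR into the enrollment form, the key and CSR from Steps 1 and 2 can be checked against each other. The script below is an added example, not part of the original instructions; the function names check_csr and csr_bits and the script name check_csr.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-submission checks for the key and CSR created above.
# File names are passed as arguments; nothing is written to disk.

# Print the public key size, in bits, recorded in a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr KEY CSR [MIN_BITS]  -> 0 ok, 1 bad CSR, 2 key too short, 3 mismatch
# A passphrase-protected key (-des3) makes openssl prompt for the passphrase.
check_csr() {
    key=$1 csr=$2 min_bits=${3:-2048}

    # 1. The CSR must parse and its self-signature must verify. The output
    #    text is matched because some openssl builds report a bad signature
    #    only in this text and still exit 0.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: $csr is unreadable or its signature does not verify" >&2
        return 1
    }

    # 2. The key must meet the minimum length (2048 bits per the note above).
    bits=$(csr_bits "$csr")
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || {
        echo "FAIL: key is ${bits:-unknown} bits, need at least $min_bits" >&2
        return 2
    }

    # 3. The public key in the CSR must be the one derived from the private
    #    key, otherwise the issued certificate will not match the server key.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || {
        echo "FAIL: $csr was not generated from $key" >&2
        return 3
    }

    echo "OK: $csr matches $key ($bits-bit key)"
}

# Run the checks when called as: sh check_csr.sh Geotrust.key Geotrust.csr
if [ "$#" -ge 2 ]; then
    check_csr "$@"
fi
```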


To generate the key and CSR for IBM through IKEYMAN please follow the instructions below:

First, a Key Database File (.kdb) needs to be generated using IKEYMAN. Please follow these steps:

1. Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility)
2. From the Menu Bar select “Key Database File”
3. Click on NEW
4. File Name= (The name of new Key Database file)
5. Location= (The location on the harddrive where the .kdb file will be stored)
6. After saving the file to the location specified, a password must be entered
Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future.

7. Make sure to click the box that states “Stash the password to a file?”
Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.
8. Click OK

Generating the CSR

1. Open the Key Database File (.kdb) using the IKEYMAN utility
2. In the middle of the IKEYMAN GUI, there will be a section called “Key database content”
3. Click on the “down arrow” to the right, to display a list of three choices
4. Select “Personal Certificate Requests”
5. Key Label= (Name used to identify certificate in IKEYMAN)
Note: Using the SiteName (ex. as the label is a good practice

6. Key Size= (2048)
7. Common Name= (SiteName, ex.
8. Organization= (Company Name)
9. Enter the name of a file in which to store the certificate request
*Saving this file (.arm) in the same directory as the (.kdb) file is recommended.
10. Once the (.arm) file is saved, this completes the CSR generation process

For more information please refer to the IBM technical support link below:

For more information on IKEYMAN please refer to the link below:
