Creating a self signed certificate

Read this page to learn the procedure to renew or generate self-signed certificates.

About this task

To generate the certificate for a broker you can use the IBM Key Management tool. This tool is provided with the Remote Control application and with IBM WebSphere Application Server.


  1. Open a command prompt window.
  2. Go to the Remote Control Server installation directory.
  3. Change to the [installdir]\java\jre\bin subdirectory on a Windows™ system or the [installdir]/java/jre/bin subdirectory on a Linux™ system.
  4. Run on a Linux™ system or ikeyman.exe on a Windows™ system.
  5. Select Key Database File > New
  6. Select the database type. (Use PKCS12 for Broker Certificate. Use PKCS12 or JKS for the Server certificate)
  7. Click Browse, navigate to the location you want to store the keystore, type a filename for your file and click Save.
  8. Click OK.
  9. Enter and confirm a password to protect the keystore and click OK.
  10. Select Create > New Self-Signed Certificate
  11. Enter a name for the Key Label.
    For example, the hostname of the broker.
    This is the name that will be displayed in the Personal Certificates list in the key management tool GUI.
  12. Select X509 V3 for the Version.
  13. Select a Key Size value.
    Recommended value is 2048.
  14. Select a Signature Algorithm
    This is a cryptographic algorithm for digital signatures and should be left as the default value SHA256WithRSA.
  15. Type a Common Name .
    Set to the DNS host name and domain of your broker.
    For example
  16. Type the Subject Alternate Name.
    Most recent browsers use the Subject Alternate Name to validate the certificate in place of (or in addition to) the Common Name. Make sure you provide a matching subject alternate name. For example
    Note: Java based certificate tools (like ikeyman) do not support Subject Alternate Names with domain names that start with a number. For example, In this case you need to use OpenSSL or another external tool to create the certificate.
  17. Enter any additional optional information as required.
  18. Enter a Validity Period.
    This is the number of days that the certificate will be valid for. Default is 365 days.
  19. Click OK.
    Self-signed certificate
    If you plan to use the self-signed certificate, you need to extract the certificate at this point by performing the following steps. You can then copy and paste the content of this file where applicable.
    1. Click Extract Certificate.
    2. Use the default Data type Base64-encoded ASCII data.
    3. Enter a file name and location for saving the certificate file to.
    4. Click OK.
    CA-Signed certificate
    If you plan to use CA Signed certificate, you need to create the CSR at this point performing the following steps.
    1. Create a Certificate Signing Request
      1. Select Recrate Request
      2. Indicate the location where to save the certreq.arm file
      3. Press OK.
      A certreq.arm file is generated and saved to the location specified. This file must be sent to the certificate authority to be signed.

      For more information to complete the CA singing process, see Creating Certificate Authority signed certificates.


The .p12 (or .jks) file is created with the name and selected location chosen.
Note: The key store contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored in a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.