Use Digital Certificate Manager (DCM) in IBM’s Navigator for i (Nav) to create a new self-signed digital certificate on your IBM i server. This process includes creating a new application within DCM and assigning the certificate to the application.
- Start up Navigator for i
- Sign on using a user profile with *SECOFR authority
- Select Actions and then Manage Node to open full access to Nav
- From the left panel, select as shown here:
- This will display a new signon just for DCM
- Select Open Certificate Store
- Select *SYSTEM
- Use the existing password. If it fails, use the reset feature to set a new password.
- Verify that the application that you are going to use the certificate for exists. If not, you will need to create it.
- Select Manage Application Definitions
- The currently defined applications will be shown. Check to confirm that your application is listed. If it is, then select Manage Certificates and skip the next 5 steps.
- To create a new application, select Create
- Fill out the following panel as described below:
- At a minimum, you need to create a unique ID field and an application description
- Select Create at the bottom of the form when you are ready
- From the top of the next panel, select Manage Certificates
- To create your new certificate, select Create
- Select Local CA
- The fields marked with a red X are required as follows:
- Certificate label: Enter the value you want for this certificate
- Common name: Use the common name for your system. We recommend that this be set based on your system’s host name and domain name separated by a period. You can find these settings by prompting the IBM command CHGTCPDMN.
- Organization name: Enter the name of your company or organization
- State or province: Enter the name of the state or province where you are located. Make sure that you enter 3 characters.
- Country or region: Enter an abbreviation for your country. Make sure that you use 2 characters.
- Select Create at the bottom of the panel
- Your certificate will be created and a list of all of your certificates will be shown. Locate the new certificate and click on the + in the lower right corner of the box
- Select Assign
- Locate the application that you want to use the certificate for and check the box to the left of it. Press Replace at the bottom of the panel
At this point, your certificate will be working for the application that you have assigned it to.
A note about common names
Run CHGTCPDMN
To determine the correct "Common name", open a terminal session on your IBM i and go to the IBM menu named CFGTCP (GO CFGTCP). Run option #12 and make a note of the Host Name and Domain Name that are shown. Put these two together, separated by a period, to form your common name. For example, if your Host Name is MYHOST and your Domain Name is MYDOMAIN.COM, then your common name will be MYHOST.MYDOMAIN.COM. Then, make sure that you can PING this name from the command line in your terminal session. It should return the IP address of your IBM i system. If it does not, use menu option #10 on the CFGTCP menu to create a valid entry for your common name that points to the IP address of your IBM i system.
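The same check as the PING step can be run from a workstation before the common name is typed into DCM. The following is an added example, not part of the original procedure or any IBM tooling: the function names are hypothetical, and the IP address 192.0.2.10 and the stand-in resolver are constructed sample data.

```python
import ipaddress
import socket


def build_common_name(host_name, domain_name):
    """Join Host Name and Domain Name with a period (values from CFGTCP option 12)."""
    host = host_name.strip().strip(".")
    domain = domain_name.strip().strip(".")
    if not host or not domain:
        raise ValueError("Host Name and Domain Name are both required")
    return f"{host}.{domain}"


def check_common_name(host_name, domain_name, system_ip,
                      resolver=socket.gethostbyname_ex):
    """Return a dict saying whether the common name resolves to system_ip."""
    cn = build_common_name(host_name, domain_name)
    expected = ipaddress.ip_address(system_ip)
    try:
        _name, _aliases, addresses = resolver(cn)
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        return {"common_name": cn, "ok": False, "addresses": [],
                "reason": f"name does not resolve: {exc}"}
    resolved = [ipaddress.ip_address(a) for a in addresses]
    if expected in resolved:
        return {"common_name": cn, "ok": True, "addresses": addresses,
                "reason": "resolves to the system's IP address"}
    return {"common_name": cn, "ok": False, "addresses": addresses,
            "reason": f"resolves, but not to {expected}"}


if __name__ == "__main__":
    # Constructed sample data: a stand-in resolver so the demo runs offline.
    def sample_resolver(name):
        table = {"MYHOST.MYDOMAIN.COM": ["192.0.2.10"]}
        if name not in table:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        return name, [], table[name]

    for host in ("MYHOST", "OTHERHOST"):
        print(check_common_name(host, "MYDOMAIN.COM", "192.0.2.10",
                                resolver=sample_resolver))
```

Calling `check_common_name` without the `resolver` argument uses the workstation's real name resolution. A result with `ok` set to False corresponds to the case where the host table entry from CFGTCP option #10, or a DNS record, still has to be created.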