Create a Self-Signed Certificate with OpenSSL on IBM i
How to Install an SSL Certificate on IBM i
Installing SSL certificates on IBM i can be done effectively using OpenSSL. In this guide, we will walk through generating a private key, creating a certificate signing request (CSR), generating a self-signed certificate, and converting it to PKCS12 format if needed.
Prerequisites:
- OpenSSL installed on your IBM i system.
- Access to QP2TERM (PASE for i).
Step 1: Access IBM i PASE (QP2TERM)
To begin, you need to access the QP2TERM terminal, which allows you to execute OpenSSL commands on IBM i. Use the following command to launch the terminal:
CALL QP2TERM
Step 2: Generate a Private Key and CSR (Certificate Signing Request)
To create a new private key and a CSR, you can use either of the following approaches:
Option 1: Generating a Key and Self-Signed Certificate in One Step
Use this OpenSSL command to generate a private key and a self-signed certificate in one step (the -nodes option writes key.pem without password protection):
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Option 2: Separate Key and CSR Generation
Alternatively, you can generate the private key and CSR in separate steps:
- Generate a private key (password protected):
openssl genrsa -des3 -out server.key 2048
- Generate a CSR:
openssl req -new -key server.key -out server.csr
Optional: Remove the password from the private key (the resulting server.key is stored unencrypted, so restrict who can read it):
- Make a backup of the original private key:
cp server.key server.key.org
- Remove the password:
openssl rsa -in server.key.org -out server.key
Step 3: Generate a Self-Signed Certificate
If you used Option 2, once the private key and CSR are generated, use them to create a self-signed SSL certificate (Option 1 already produced certificate.pem):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Step 4: Convert to PKCS12 Format (Optional)
If needed, you can convert the generated certificate and key into PKCS12 format (.pfx):
openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt
Step 5: Use the SSL Certificate on IBM i
After generating the certificate, import it into your IBM i server’s digital certificate manager (DCM) or use it in your web server or other applications.
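Before the import in Step 5, it helps to confirm that the key, CSR and certificate from Steps 2 and 3 carry the same public key and that the RSA key is at least 2048 bits. The script below is an added example, not part of the original guide or IBM's documentation; its function names, the 2048-bit threshold and the sample.invalid subject are assumptions for illustration, and it expects RSA keys.

```shell
#!/bin/sh
# Added example (not from the guide): pre-import consistency check.

# Digest of the public key inside a private key, CSR or certificate.
pubkey_fp() {  # usage: pubkey_fp key|csr|crt FILE
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;  # encrypted key: asks for passphrase
    csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   return 2 ;;
  esac || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256
}

# RSA modulus size (bits) of the certificate's public key.
rsa_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Returns 0 only if all three files carry the same public key of >= 2048 bits.
check_cert_set() {  # usage: check_cert_set KEY CSR CRT
  k=$(pubkey_fp key "$1") && r=$(pubkey_fp csr "$2") && c=$(pubkey_fp crt "$3") ||
    { echo "FAIL: cannot read key, CSR or certificate" >&2; return 1; }
  [ "$k" = "$r" ] && [ "$k" = "$c" ] ||
    { echo "FAIL: files do not share one public key" >&2; return 1; }
  bits=$(rsa_bits "$3")
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "FAIL: RSA key is ${bits:-unknown} bits (minimum 2048)" >&2; return 1; }
  echo "OK: key, CSR and certificate match (${bits}-bit RSA)"
}

# Constructed sample data: throwaway set with a made-up subject, no passphrase.
make_sample_set() {  # usage: make_sample_set DIR BITS
  openssl genrsa -out "$1/server.key" "$2" 2>/dev/null &&
  openssl req -new -key "$1/server.key" -subj "/CN=sample.invalid" \
    -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
    -out "$1/server.crt" 2>/dev/null
}

# Run against real files when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_cert_set "$@"; fi
```

Saved as a script (the file name is up to you), it takes the key, CSR and certificate paths as its three arguments and exits non-zero on any mismatch.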
Reference
For additional details, visit IBM’s support page on creating self-signed certificates using OpenSSL.