Category Archives: SSL

Create a Self-Signed Certificate with OpenSSL on IBM i

How to Install an SSL Certificate on IBM i

Installing SSL certificates on IBM i can be done effectively using OpenSSL. In this guide, we will walk through generating a private key, creating a certificate signing request (CSR), generating a self-signed certificate, and converting it to PKCS12 format if needed.

Prerequisites:

  • OpenSSL installed on your IBM i system.
  • Access to QP2TERM (PASE for i).

Step 1: Access IBM i PASE (QP2TERM)

To begin, you need to access the QP2TERM terminal, which allows you to execute OpenSSL commands on IBM i. Use the following command to launch the terminal:

 

CALL QP2TERM

Step 2: Generate a Private Key and CSR (Certificate Signing Request)

To create a new private key and a CSR, you can use either of the following approaches:

Option 1: Generating a Key and Self-Signed Certificate in One Step

Use this OpenSSL command to generate a private key and a self-signed certificate in one step:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Option 2: Separate Key and CSR Generation

Alternatively, you can generate the private key and CSR in separate steps:

  • Generate a private key (password protected):
openssl genrsa -des3 -out server.key 1024
  • Generate a CSR:
openssl req -new -key server.key -out server.csr

Optional: Remove the password from the private key:

  • Make a backup of the original private key:
cp server.key server.key.org
  • Remove the password:
openssl rsa -in server.key.org -out server.key

Step 3: Generate a Self-Signed Certificate

Once the private key and CSR are generated, use them to create a self-signed SSL certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Step 4: Convert to PKCS12 Format (Optional)

If needed, you can convert the generated certificate and key into a PKCS12 format (.pfx):

openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt

Step 5: Use the SSL Certificate on IBM i

After generating the certificate, import it into your IBM i server’s digital certificate manager (DCM) or use it in your web server or other applications.

Reference

For additional details, visit IBM’s support page on creating self-signed certificates using OpenSSL.

No Comments IBM i, Open Source, SSL