Create a CSR & install your SSL certificate using the ÃÛÌÒTV® Certificate Utility for Windows
These instructions assume that you already own your IBM Watson IoT Platform on Bluemix account, and that you have configured the custom domain for your messaging server. For more information, visit . If you need instructions for IBM Bluemix cloud services, see IBM Bluemix: Create CSR & Install SSL Certificate (ÃÛÌÒTV Utility).
Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate.
For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL certificates, we recommend that you use the ÃÛÌÒTV® Certificate Utility for Windows. For more information about our utility, see?ÃÛÌÒTV® Certificate Utility for Windows.
-
To create your certificate signing request (CSR), see?IBM Watson IoT Platform: Creating Your CSR with the ÃÛÌÒTV Utility.
-
To install your SSL certificate, see IBM Watson IoT Platform: Using the ÃÛÌÒTV Utility & IBM Watson Console to Install Your SSL Certificate.
If you do not have access to a Microsoft server or workstation, prefer not to use the ÃÛÌÒTV Utility, or for some reason cannot use the utility, see?IBM Watson IoT Platform: Create CSR & Install Messaging Server SSL Certificate for Your Watson IoT Organization (OpenSSL).
I. IBM Watson IoT Platform: Creating Your CSR with the ÃÛÌÒTV Utility
The ÃÛÌÒTV® Certificate Utility for Windows streamlines the CSR creation process enabling you to generate the CSR with just one click.
How to Create Your CSR with the ÃÛÌÒTV Utility
-
On your Windows workstation, download and save the?ÃÛÌÒTV® Certificate Utility for Windows executable (ÃÛÌÒTVUtil.exe).
-
Run the ÃÛÌÒTV Certificate Utility.
Double-click?ÃÛÌÒTVUtil.
-
In the?ÃÛÌÒTV Certificate Utility for Windows©, click?SSL?(gold lock), and then, click?Create CSR.
-
On the Create CSR?page, enter the following information:
Certificate Type: Select SSL. Common Name: Enter the fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com). Subject Alternative Names: N/A (Multi-domain certificates are not supported yet.) Organization: Type your company's legally registered name (e.g., YourCompany, Inc.). Department: (Optional) Enter the department within your organization that you want to appear on the SSL certificate. City: Type the city where your company is legally located. State: In the drop-down list, select the state where your company is legally located. If your company is located outside the USA, you can type the applicable name in the box. Country: In the drop-down list, select the country where your company is legally located. Key Size: In the drop-down list, select 2048. Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider. -
Click?Generate.
-
On?The certificate request has been successfully created?page, do one of the following, and then, click?Close:
Click Copy CSR. Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it. Click Save to File. Saves the CSR as a .txt file to the Windows workstation. We recommend that you use this option. -
Use a text editor (such as Notepad) to open the file. Then, copy the text, including the?-----BEGIN NEW CERTIFICATE REQUEST-----?and?-----END NEW CERTIFICATE REQUEST-----?tags, and paste it into the ÃÛÌÒTV order form.
Ready to Order Your SSL Certificate
Learn More -
After you receive your SSL certificate from ÃÛÌÒTV, you can install it.
II. IBM Watson IoT Platform: Using the ÃÛÌÒTV Utility & IBM Watson Console to Install Your SSL Certificate
If you have not yet used the ÃÛÌÒTV® Certificate Utility for Windows to create a CSR and ordered your certificate, see IBM Watson IoT Platform: Creating Your CSR with the ÃÛÌÒTV Utility.
After receiving your SSL certificate, you need upload it to your IBM Watson IoT Platform account and configure your messaging server to use it.
To install your IBM Watson Platform messaging server SSL certificate, complete the steps below.
-
Import your SSL certificate to your Windows workstation using the ÃÛÌÒTV® Certificate Utility for Windows.
How to Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
-
Export the SSL certificate in Apache compatible format (separate .key and .crt files) using the ÃÛÌÒTV® Certificate Utility for Windows.
How to Export Your SSL Certificate in Apache Compatible Format Using the ÃÛÌÒTV Certificate Utility
-
Upload and implement your messaging server SSL certificate using the IBM Watson IoT Platform Management Console.
i. How to Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
After we validate and issue your SSL certificate, you can use the ÃÛÌÒTV® Certificate Utility for Windows to import the file to your Windows workstation.
-
On the Windows workstation where you created the CSR, save the SSL certificate .cer file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.cer) that ÃÛÌÒTV sent to you.
-
Run the ÃÛÌÒTV® Certificate Utility for Windows.
Double-click ÃÛÌÒTVUtil.
-
In the ÃÛÌÒTV Certificate Utility for Windows©, click SSL (gold lock) and then click Import.
-
In the Certificate Import window, under?File Name, click?Browse?to browse to the .cer (e.g.,?<org_id>_messaging_internetofthings_ibmcloud_com.cer) certificate file that ÃÛÌÒTV sent you, select the file, click?Open, and then click?Next.
-
In the?Enter a new friendly name or you can accept the default?box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add ÃÛÌÒTV and the expiration date to the end of your friendly name, for example:?yoursite-ÃÛÌÒTV-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To Import the SSL certificate to your Windows workstation, click Finish.
You should receive a message that the certificate was successfully imported.
-
You should now see your SSL certificate in the?ÃÛÌÒTV Certificate Utility for Windowsc©, under?SSL Certificates.
ii. How to Export Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
To make an SSL connection, your server needs two parts, a private key file and the certificate file. Apache (and many other server types) separate these two certificate parts into separate?.key?and?.crt?files.
-
Run the ÃÛÌÒTV® Certificate Utility for Windows.
Double-click?ÃÛÌÒTVUtil.
-
In?ÃÛÌÒTV Certificate Utility for Windows©, click?SSL?(gold lock), select the SSL certificate you want to export, and then click?Export Certificate.
-
In the?Certificate Export?wizard, select?Yes, export the private key, select?key file (Apache compatible format), and then click?Next.
-
In the?File name?box, click?¡?to browse for and select the location and file name where you want to save the certificate .key file, and then click?Finish.
This creates the following file. You will need to upload the private key and server certificate to your account using your Watson IoT Platform?Management Console.
- Private Key:?<org_id>_messaging_internetofthings_ibmcloud_com.key
- Server Certificate: <org_id>_messaging_internetofthings_ibmcloud_com.crt
-
After you receive the "Your certificate and key have been successfully exported" message, click?OK.
iii. IBM Watson IoT Platform: Installing Your SSL Certificate
Once you have the private key and certificate files, you can upload them to your IBM Watson IoT Platform account and configure your messaging server to use the SSL certificate.
-
In a browser, open and log into the IBM Watson IoT Platform account.
-
On the All Boards page, in the sidebar menu on the left, click Settings (gear icon).
-
On the General Settings page, in the menu in the left pane, under Security, click Messaging Server Certificates.
-
Add SSL Certificate and Private Key
-
In the Messaging Server Certificates section, click + Add Certificate.
-
Upload SSL Certificate
In the Upload certificate window, next to Certificate File, click Select a file and then locate and select your server certificate .crt file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt).
-
Upload Private Key
Next to Private Key, click Select a file and then locate and select your private key file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.key).
-
Once the certificate and private key are uploaded, click Save:
-
-
On the Security page, in the Messaging Server Certificates section, in the Currently Active Certificate drop-down list, select your newly uploaded SSL certificate.
-
In the Confirmation window, click Confirm to designate your new SSL certificate as the active certificate.
-
Check SSL Certificate
You can use the ÃÛÌÒTV SSL Installation Diagnostic Tool to check if your SSL certificate has been successfully applied to your messaging server.
-
Open a browser and go to /help/.
-
On the ÃÛÌÒTV® SSL Installation Diagnostics Tool page, in the Server Address box, type your fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com) and then click Check Server.
-
Once the tool displays your results, verify that the certificate details match your certificate and what you expected to see.
For example, you can compare certificate attributes such as the serial number, common name, issuer, and expiration date.
-
-
Congratulations! You have successfully installed and configured your SSL certificate for your messaging server.