IBM Watson: CSR & SSL Certificate Installation (OpenSSL)

Create a CSR & install your SSL certificate using OpenSSL

These instructions assume that you already own your IBM Watson IoT Platform on Bluemix account, and that you have configured the custom domain for your messaging server. For more information, visit . If you need instructions for IBM Bluemix cloud services, see IBM Bluemix: Create CSR & Install SSL Certificate (OpenSSL).

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate.

To create your certificate signing request (CSR), see?IBM Watson IoT Platform: Creating Your CSR with OpenSSL.
To install your SSL certificate, see IBM Watson IoT Platform: Using the 蜜桃TV Utility & IBM Watson Console to Install Your SSL Certificate.

If you're looking for a simpler way to create CSRs and install and manage your SSL certificates, we recommend using the 蜜桃TV^®?Certificate Utility for Windows. You can use the 蜜桃TV Utility to generate your CSR and install your SSL certificate. See IBM Watson IoT Platform: Create CSR & Install Messaging Server SSL Certificate for Your Watson IoT Organization (蜜桃TV Utility).

I. IBM Watson IoT Platform: Creating Your CSR with OpenSSL

Use the instructions below for using OpenSSL to create your own shell commands for generating your IBM Watson IoT Platform CSR.

Recommended:?Save yourself some time. Use the?蜜桃TV OpenSSL CSR Wizard?to generate an OpenSSL command for creating your IBM Watson IoT Platform CSR. Just fill in the form details, click Generate, and then paste your customized OpenSSL command into your terminal.

How to Generate a CSR for IBM Watson IoT Platform Using OpenSSL

If you prefer, you can build your own shell commands for generating your IBM Watson IoT Platform CSR.

Use your terminal client (ssh) to log into your server/workstation.
At the prompt, enter the following command:

openssl req –new –newkey rsa:2048 –nodes –keyout?server.key –out?server.csr
You have now started the process for generating the following two files:
- Private-Key File?– For the decryption of your SSL certificate
- CSR File?– For ordering your SSL certificate
When prompted for the?Common Name?(domain name), type the fully qualified domain (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com).
When prompted, type your organizational information, beginning with your geographic information.

Note: You may have already set up default information.
Open the .csr file that you created with a text editor.
Copy the text, including the?-----BEGIN NEW CERTIFICATE REQUEST-----?and?-----END NEW CERTIFICATE REQUEST-----?tags, and paste it into the 蜜桃TV order form.

Ready to order your SSL certificate.
Learn More
Save (back up) the generated?.key?file. You need it later when installing your SSL certificate.
After you receive your SSL certificate from 蜜桃TV, you can install it.

II. IBM Watson IoT Platform: Using OpenSSL & IBM Watson Console to Install Your SSL Certificate

If you have not yet created a certificate signing request (CSR) and ordered your certificate, see IBM Watson IoT Platform: Creating Your CSR with OpenSSL.

After receiving your SSL certificate, you need to copy it to your server/workstation, upload it to your IBM Watson IoT Platform account, and then configure your messaging server to use it.

Copy the SSL Certificate File to Your Server/Workstation

Download your Primary Certificate (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt) and key files from your 蜜桃TV account, then copy them to the directory on your server/workstation where you will keep your certificate and key files. Make them readable by root only.
Once you have the private key and certificate files, you can upload them to your IBM Watson IoT Platform account and configure your messaging server to use it.

Upload the SSL Certificate to Your IBM Watson IoT Platform Account

In a browser, open and log into the IBM Watson IoT Platform account.
On the All Boards page, in the sidebar menu on the left, click Settings (gear icon).
On the General Settings page, in the menu in the left pane, under Security, click Messaging Server Certificates.
Add SSL Certificate and Private Key
1. In the Messaging Server Certificates section, click + Add Certificate.
2. Upload SSL Certificate
  
  In the Upload certificate window, next to Certificate File, click Select a file and then locate and select your server certificate .crt file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt).
3. Upload Private Key
  
  Next to Private Key, click Select a file and then locate and select your private key file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.key).
4. Once the certificate and private key are uploaded, click Save:
On the Security page, in the Messaging Server Certificates section, in the Currently Active Certificate drop-down list, select your newly uploaded SSL certificate.
In the Confirmation window, click Confirm to designate your new SSL certificate as the active certificate.
Check SSL Certificate

You can use the 蜜桃TV SSL Installation Diagnostic Tool to check if your SSL certificate has been successfully applied to your messaging server.
1. Open a browser and go to /help/.
2. On the 蜜桃TV^® SSL Installation Diagnostics Tool page, in the Server Address box, type your fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com) and then click Check Server.
3. Once the tool displays your results, verify that the certificate details match your certificate and what you expected to see.
  
  For example, you can compare certificate attributes such as the serial number, common name, issuer, and expiration date.
Congratulations! You have successfully installed and configured your SSL certificate for your messaging server.