CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.
when attempting to create a Certificate Request using the IBM Global Security Toolkit (GSK): -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"
which took me a wee while to resolve.
Can you see what I did wrong ?
It took me a while - I had to compare my request with an existing certificate before I realised …..
I'd specified a Distinguished Name of: -
"CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK"
which breaks the X.500 standard i.e. I should have specified ST=Hampshire rather than S=Hampshire.
Thus it was a typo :-)
Once I changed my request: -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,ST=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"
it worked like a dream / charm / treat.
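An added example, not part of the original post and not IBM code: a pre-flight check in Python that parses a DN string (honouring backslash escapes, quoted values and multi-valued RDNs) and flags any attribute type keyword that is not in the table in RFC 2253 section 2.3, so a typo such as S= is caught before the request is submitted. The function names, the hint table and the choice of the RFC's keyword list as the reference for GSKit are assumptions of this example.

```python
import re

# Attribute type keywords from the table in RFC 2253 section 2.3.
# Assumption: this is the reference list; GSKit's own list is not on the page.
RFC2253_KEYS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
OID = re.compile(r"^(?:OID\.)?\d+(?:\.\d+)+$", re.IGNORECASE)
# Constructed list of near-misses and the keyword that was probably meant.
HINTS = {"S": "ST", "SP": "ST", "STATE": "ST"}


def split_unescaped(text, seps):
    """Split on separator chars that are not backslash-escaped or quoted."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def check_dn(dn):
    """Return a list of problems; an empty list means every key is recognised."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN parts
            key, sep, value = ava.partition("=")
            key = key.strip()
            if not sep or not key or not value.strip():
                problems.append(f"malformed component {ava.strip()!r}")
            elif key.upper() not in RFC2253_KEYS and not OID.match(key):
                hint = HINTS.get(key.upper())
                problems.append(f"unknown attribute type {key!r}"
                                + (f" (did you mean {hint!r}?)" if hint else ""))
    return problems


if __name__ == "__main__":
    print(check_dn("CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK"))
```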
For the record, here's the relevant excerpt from the appropriate RFC 2253: -
2 comments:
Aren't the O and OU reversed in your example?
Ooops, yes, well spotted - you're quite right; it should've read: -
"CN=ibmbpm.uk.ibm.com,OU=middleware,O=IBM,L=Hursley,ST=Hampshire,C=UK"
Thanks for the assist :-)