Thursday, 7 January 2016

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

I saw this earlier: -

CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.

when attempting to create a Certificate Request using the IBM Global Security Toolkit (GSK): -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"

which took me a wee while to resolve.

Can you see what I did wrong ?

It took me a while - I had to compare my request with an existing certificate before I realised ...

I'd specified a Distinguished Name of: -

"CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK"

which breaks the X.500 standard i.e. I should have specified ST=Hampshire rather than S=Hampshire.

Thus it was a typo :-)

Once I changed my request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,ST=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname "ibmbpm.uk.ibm.com"

it worked like a dream / charm / treat.

For the record, here's the relevant excerpt from the appropriate RFC 2253: -
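
Added example, not part of the original post and not a quotation from the RFC: a pre-flight check that catches a mistyped attribute type such as S= before the DN string is handed to gskcapicmd. The keyword set is the table in RFC 2253 section 2.3; that GSKit accepts exactly this set is an assumption, and the typo hints and function names are constructed for illustration.

```python
import re

# Attribute type keywords from the table in RFC 2253 section 2.3.
# Assumption: GSKit may accept further keywords; extend the set if so.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
# Constructed hints for look-alike abbreviations that are not in that table.
LIKELY_TYPOS = {"S": "ST", "SP": "ST", "STATE": "ST"}
OID = re.compile(r"\d+(\.\d+)*\Z")  # dotted-decimal attribute types are valid too


def split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped or quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def check_dn(dn):
    """Return a list of problems found in the attribute types of a DN string."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr_type, eq, _value = ava.strip().partition("=")
            key = attr_type.strip().upper()
            if not eq or not key:
                problems.append(f"malformed component {ava.strip()!r}")
            elif key not in RFC2253_KEYWORDS and not OID.match(key):
                hint = LIKELY_TYPOS.get(key)
                problems.append(f"unknown attribute type {attr_type.strip()!r}"
                                + (f", did you mean {hint!r}?" if hint else ""))
    return problems


if __name__ == "__main__":
    bad = "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK"
    print(check_dn(bad))                        # DN from the failing request
    print(check_dn(bad.replace(",S=", ",ST=")))  # DN from the working request
```
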



2 comments:

Dovid said...

Aren't the O and OU reversed in your example?

Dave Hay said...

Ooops, yes, well spotted - you're quite right; it should've read: -

"CN=ibmbpm.uk.ibm.com,OU=middleware,O=IBM,L=Hursley,ST=Hampshire,C=UK"

Thanks for the assist :-)