Thursday, 7 January 2016

CTGSK3039W Certificate request "" could not be created.

I saw this earlier: -

CTGSK3039W Certificate request "" could not be created.

when attempting to create a Certificate Request using the IBM Global Security Toolkit (GSK): -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label -dn ",O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ -size 2048 -sigalg SHA256WithRSA -san_dnsname ""

which took me a wee while to resolve.

Can you see what I did wrong?

It took me a while - I had to compare my request with an existing certificate before I realised...

I'd specified a Distinguished Name of: -


which breaks the X.500 standard, i.e. I should have specified ST=Hampshire rather than S=Hampshire.

Thus it was a typo :-)

Once I changed my request: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label -dn ",O=middleware,OU=IBM,L=Hursley,ST=Hampshire,C=UK" -file /home/wasadmin/ -size 2048 -sigalg SHA256WithRSA -san_dnsname ""

it worked like a dream / charm / treat.
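Since CTGSK3039W gives no hint about which part of the request was rejected, a pre-flight check of the -dn string can catch this kind of typo before gskcapicmd is run. The following is an added example, not part of the original post or of GSKit: it checks each attribute type against the keyword table in RFC 2253 section 2.3. The function names and the CN value in the sample are constructed, and the assumption is that GSKit accepts the RFC's keywords; the exact set GSKit accepts is not stated in the post.

```python
import re

# Attribute type keywords from the table in RFC 2253, section 2.3.
RFC2253_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
# A dotted-decimal OID (e.g. 2.5.4.8) is also a valid attribute type.
OID_RE = re.compile(r"^\d+(\.\d+)*$")

def split_unescaped(text, seps):
    """Split on any char in seps that is neither backslash-escaped nor quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def check_dn(dn):
    """Return a list of problems found in the attribute types of a DN string."""
    problems = []
    for rdn in split_unescaped(dn, ",;"):        # RDN separators
        for ava in split_unescaped(rdn, "+"):    # multi-valued RDNs
            ava = ava.strip()
            key, eq, value = ava.partition("=")
            key = key.strip()
            if not eq or not key:
                problems.append(f"malformed component {ava!r}")
            # Keywords are compared case-insensitively here (assumption).
            elif key.upper() not in RFC2253_TYPES and not OID_RE.match(key):
                problems.append(f"unknown attribute type {key!r} in {ava!r}")
            elif not value.strip():
                problems.append(f"empty value for {key!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the CN value is a placeholder, not from the post.
    for dn in ("CN=www.example.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK",
               "CN=www.example.com,O=middleware,OU=IBM,L=Hursley,ST=Hampshire,C=UK"):
        print(dn, "->", check_dn(dn) or "OK")
```
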

For the record, here's the relevant excerpt from the appropriate RFC 2253: -


Dovid said...

Aren't the O and OU reversed in your example?

Dave Hay said...

Ooops, yes, well spotted - you're quite right; it should've read: -


Thanks for the assist :-)