Overview

Skill Level: Any Skill Level

Use this recipe to create your certificate signing request (CSR) and then to install your SSL certificate to a Bluemix App.

Ingredients

These instructions assume that you already own your IBM Bluemix account, and that you have configured the custom domain for your application. For more information, visit IBM Cloud Bluemix.

For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL certificates, we recommend that you use the DigiCert® Certificate Utility for Windows. For more information about our utility, see DigiCert® Certificate Utility for Windows.

Step-by-step

  1. IBM Bluemix: Creating Your CSR with the DigiCert Utility

    The DigiCert® Certificate Utility for Windows streamlines the CSR creation process. Because, the utility lets you generate the CSR with one click.

    1. On your Windows workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
    2. Run the DigiCert Certificate Utility.
      Double-click DigiCertUtil.
    3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
      Create CSR
    4. On the Create CSR page, enter the following information:
      • Certificate Type: Select SSL.
      • Common Name: Enter the fully qualified domain name (FQDN) (e.g., www.example.com).
      • Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, type any SANs that you want to include (e.g., www.example.com, www.example2.com, www.example3.com).
      • Organization: Type your company’s legally registered name (e.g., YourCompany, Inc.).
      • Department: (Optional) Enter the department within your organization that you want to appear on the SSL certificate.
      • City: Type the city where your company is legally located.
      • State: In the drop-down list, select the state where your company is legally located.
        If your company is located outside the USA, you can type the applicable name in the box.
      • Country: In the drop-down list, select the country where your company is legally located.
      • Key Size: In the drop-down list, select 2048.
      • Provider: In the drop-down list, select Microsoft RS SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
        CSR Content
    5. Click Generate.
    6. On The certificate request has been successfully created page, do one of the following, and then, click Close:
      • Click Copy CSR: Copies the certificate contents to the clipboard.
      • Click Save to File: Saves the CSR as a .txt file to the Windows server or workstation.
        We recommend that you use this option.
        image006
    7. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– tags, and paste it into the DigiCert order form.
    8. After you receive your SSL certificate from DigiCert, you can install it.
  2. IBM Bluemix: Using the DigiCert Utility & Bluemix Console to Install Your SSL Certificate

    If you have not yet used the DigiCert® Certificate Utility for Windows to create a CSR and ordered your certificate, see Step 1

    After receiving your SSL certificate, you need to upload it to your IBM Bluemix account and configure your application to use it.

    I. How to Import Your SSL Certificate Using the DigiCert Certificate Utility

    After we validate and issue your SSL Certificate, you can use the DigiCert® Certificate Utility for Windows to import the file to your Windows machine.

    1. On the server where you created the CSR, save the SSL Certificate .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
    2. Run the DigiCert® Certificate Utility for Windows.
      Double-click DigiCertUtil.
    3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.
      Import CSR
    4. In the Certificate Import window, under File Name, click Browse to browse to the certificate file (e.g., your_domain_com.cer) that DigiCert sent you, select the file, click Open, and then, click Next.
      Certificate Import
    5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
      We recommend that you add “DigiCert” and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
      Update Name
    6. To Import the SSL Certificate to your server, click Finish.
      You should receive a message that the certificate was successfully imported.
    7. You should now see your SSL Certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.

    II. How to Export Your SSL Certificate Using the DigiCert Certificate Utility

    To make an SSL connection, your server needs two parts, a private key file and the certificate file. Apache (and many other server types) separate these two certificate parts into separate .key file and .crt files.

    1. Run the DigiCert® Certificate Utility for Windows.
      Double-click DigiCertUtil.
    2. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL Certificate you want to export, and then, click Export Certificate.
      Select and Export
    3. In the Certificate Export wizard, select Yes, export the private key, select key file (Apache compatible format), and then, click Next.
      Certificate Export
    4. In the File name box, click  to browse for and select the location and file name where you want to save the certificate .key file, and then, click Finish.
      This creates the following files that you will need to upload and implement using your Bluemix Management Console.
      • Private Key: your_domain_com.key
      • Server Certificate: your_domain_com.crt
      • Intermediate Certificate: DigiCertCA.crt
        Finish Export
    5. After you receive the “Your certificate and key have been successfully exported” message, click OK.

    III. IBM Bluemix: Installing Your SSL Certificate

    Once you have the private key and certificate files, you can upload it to your IBM Bluemix account and configure your application to use it

    1. In a browser, open and log into the IBM Bluemix account.
    2. On the Dashboard select the application the SSL certificate is to secure.
      Select Application
    3. On the app Overview page, next to View app, click the down arrow and select Manage domains.
      Manage Domains
    4. On the Manage Organizations page, on the Domains tab, to the right of the application in the SSL Certificate column, click the upload symbol.
      Domains - SSL Certificate
    5. In the Upload Certificate window, do the following:
      • Certificate: Click Browse. Then locate and select your server certificate .crt file (e.g., your_domain_com.crt).
      • Private Key: Click Browse. Then locate and select your private key .key file (e.g., your_domain_com.key).
      • Intermediate Certificate: Click Browse. Then locate and select the intermediate certificate .crt file (e.g., DigiCertCA.crt).
        Upload Certificate
    6. When you are finished, click Upload.
    7. Within the Manage Organizations section, on the Add Domain page, to the right of the application in the SSL Certificate column, you should see a green certificate symbol.
      Note:  After you upload your certificate, it may take some time to propagate the certificate chain to the apps.
      Verify Domain Certificate
    8. Click the green certificate symbol to view the uploaded certificate.
      View Certificate
    9. To verify that your application is using your SSL certificate, do the following:
      a. Navigate to the application Dashboard.
      Dashboard Navb. On the Dashboard select the application that you secured with the SSL certificate.
      App Verifyc. On the app Overview page, next to View app, click the down arrow and select Edit routes.
      Verify Cert on Routed. In the Edit routes window, to the right of the application you just secured, click the green lock to verify that the route has been secured.
      Check Green Lock
    10. As a final check, open your application in a browser and in the address bar. Click on the green lock to the left of the URL and then, view the certificate details.
      Note: After you upload your certificate, it may take some time to propagate the certificate chain to the apps.
      Chrome Cert Check
    11. Congratulations! You have successfully installed your application’s SSL certificate.

     

Join The Discussion