Skill Level: Any Skill Level

Use this recipe to create your certificate signing request (CSR) and then to install your SSL certificate.


These instructions assume that you already own your IBM Watson IoT Platform on Bluemix account, and that you have configured the custom domain for your messaging server. For more information, visit IBM Watson IoT Platform on IBM Bluemix.


  1. IBM Watson IoT Platform: Creating Your CSR with OpenSSL

    Use OpenSSL to build your own shell commands for generating your IBM Watson IoT Platform CSR.

    How to Generate a CSR for IBM Watson IoT Platform Using OpenSSL

    1. Use your terminal client (ssh) to log into your server/workstation.
    2. At the prompt, enter the following command:
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    3. You have now started the process for generating the following two files:
      • Private-Key File: For the decryption of your SSL certificate
      • CSR File: For ordering your SSL certificate
    4. When prompted for the Common Name (domain name), type the fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com).
    5. When prompted, type your organizational information, beginning with your geographic information.
      Note: You may have already set up default information.
    6. Open the .csr file that you created with a text editor.
    7. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
    8. Save (back up) the generated .key file. You need it later when installing your SSL certificate.
    9. After you receive your SSL certificate from DigiCert, you can install it.
  2. IBM Watson IoT Platform: Using OpenSSL & IBM Watson Console to Install Your SSL Certificate

    If you have not yet created a certificate signing request (CSR) and ordered your certificate, see Step 1.

    After receiving your SSL certificate, you need to copy it to your server/workstation, upload it to your IBM Watson IoT Platform account, and then configure your messaging server to use it.

    i. Copy the SSL Certificate File to Your Server/Workstation

    1. Download your Primary Certificate (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt) and key files from your DigiCert account, then copy them to the directory on your server/workstation where you will keep your certificate and key files. Make them readable by root only.
    2. Once you have the private key and certificate files, you can upload them to your IBM Watson IoT Platform account and configure your messaging server to use them.

    ii. Upload the SSL Certificate to Your IBM Watson IoT Platform Account

    1. In a browser, open and log into the IBM Watson IoT Platform account.
    2. On the All Boards page, in the sidebar menu on the left, click Settings (gear icon).
    3. On the General Settings page, in the menu in the left pane, under Security, click Messaging Server Certificates.
    4. Add SSL Certificate and Private Key
      a. In the Messaging Server Certificates section, click + Add Certificate.
      b. Upload SSL Certificate
      In the Upload certificate window, next to Certificate File, click Select a file and then locate and select your server certificate .crt file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt).
      c. Upload Private Key
      Next to Private Key, click Select a file and then locate and select your private key file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.key).
      d. Once the certificate and private key are uploaded, click Save.
    5. On the Security page, in the Messaging Server Certificates section, in the Currently Active Certificate drop-down list, select your newly uploaded SSL certificate.
    6. In the Confirmation window, click Confirm to designate your new SSL certificate as the active certificate.
    7. Check SSL Certificate
      a. Open a browser and go to https://www.digicert.com/help/.
      b. On the DigiCert® SSL Installation Diagnostics Tool page, in the Server Address box, type your fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com) and then click Check Server.
      c. Once the tool displays your results, verify that the certificate details match your certificate and what you expected to see.
      For example, you can compare certificate attributes such as the serial number, common name, issuer, and expiration date.
    8. Congratulations! You have successfully installed and configured your SSL certificate for your messaging server.
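
The two steps above can be scripted and checked locally before anything is uploaded. The shell sketch below is an added example, not part of the original recipe or of IBM's or DigiCert's tooling: it generates the key and CSR without prompts, then confirms that the private key matches the certificate, that the certificate's Common Name is the messaging FQDN, and that the key file is not readable by group or others. The function names and the org id myorg1 are assumptions, and a self-signed certificate stands in for the CA-issued one.

```bash
# Added example, not part of the original recipe. Function names and the
# sample org id "myorg1" are assumptions made for illustration.
set -eu

# Step 1 without prompts: umask 077 keeps the unencrypted (-nodes) key
# owner-readable only from the moment it is written.
make_csr() {  # usage: make_csr <dir> <fqdn>
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# SHA-256 of the DER public key inside a key, CSR or certificate.
pub_fingerprint() {  # usage: pub_fingerprint key|csr|cert <file>
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Common Name from a CSR or certificate subject line.
subject_cn() {  # usage: subject_cn csr|cert <file>
  case "$1" in
    csr)  openssl req  -in "$2" -noout -subject ;;
    cert) openssl x509 -in "$2" -noout -subject ;;
  esac | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Pre-upload checks: key matches certificate, CN is the FQDN, key is private.
ready_to_upload() {  # usage: ready_to_upload <key> <cert> <fqdn>
  [ "$(pub_fingerprint key "$1")" = "$(pub_fingerprint cert "$2")" ] ||
    { echo "key does not match certificate" >&2; return 1; }
  [ "$(subject_cn cert "$2")" = "$3" ] ||
    { echo "certificate CN is not $3" >&2; return 1; }
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ] ||
    { echo "key is readable by group or others" >&2; return 1; }
}

# Demo: a self-signed certificate stands in for the one the CA issues.
demo() {
  d=$(mktemp -d); fqdn=myorg1.messaging.internetofthings.ibmcloud.com
  make_csr "$d" "$fqdn"
  openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
    -days 1 -out "$d/server.crt" 2>/dev/null
  ready_to_upload "$d/server.key" "$d/server.crt" "$fqdn" && echo "ready"
  rm -rf "$d"
}
demo
```

Comparing the output of pub_fingerprint csr with pub_fingerprint cert in the same way confirms that the issued certificate corresponds to the CSR you submitted.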
