TM1 Forum

Hello Everyone,

I have a quick question on which files to import into the IKeyMan tool after the CSR request been made under the Personal Certificate.

Because customer is having below files. Certificate is about to expire and have to change it to work for TM1Web.

.key, pkcs#7 certificates, .pem file, .pfx file and Security Certificates like cachain,digicert_root, fullchain, intermediate

I am struck at this point, as this is the first time I am doing this certificate update.

Anybody have already come across, kindly give me an idea to proceed further.

Hi,

What version are you on?

I've configured this about 2 years ago using this link: https://www.ibm.com/support/pages/use-i ... tes-tm1web

If I understand you right, you have done the 3rd step now and should proceed to 4th:
4 - The certificate request file must be provided to the signing certificate authority (CA). The CA will provide one or more files containing the signed encryption certificate and all required CA certificates in the chain.

If you want a self-signed certificate, you should select "«Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or submit a renewal…»", and then download both certificate and certificate chain.

Yes, exactly. Good catch @Elessar

TM1 Version - 2.0.7

I have also referred the same link. Of course in step 4, dont have any idea of how to proceed. Do I really need to submit to CA? Because client has 3rd party Certificates and files as below:

.pfx file - Personal Information Exchange
xxx_cachain - Security Certificate
xxx_fullchain - Personal Information Exchange
xxx_digicert_root_g2_base64 - Security Certificate
xxx_intermediate_base64 - Security Certificate
xxx.pem file
xxx.key file

So my understanding is skipping the step 4 and import the keys. Should I import first file .pfx which in turn load all the cert + keys?? But dont know which file to import. Correct me if I am wrong. Thanks

The certificate should be issued to the name of the server running TM1Web, so that it will contain "issued to: www.yourTM1.xxx" (like here, for "www.tm1forum.com" name). So yes, you need to provide the cert. request to CA

Thanks for your reply Elessar.

In my case 3rd Party Company has already Issued the Certificate for 'TM1Web'.

I can skip the CSR request to CA. Because, currently I have the issued certificate which are .pfx file and related Certs + Key + root files. I have to replace the old Certificate with new Certificate in CAMKEYSTORE.

I have referenced the below link. Using iKeyMann tool, added the .pfx under Personal Certificate and labeled as 'encryption'. Added supporting root certs and keys under the signer certificate.

https://www.ibm.com/support/knowledgece ... 12860_.htm

Now, tm1web utilizing the new SSL certificate and working fine.

Thank you kavitha2002
This is really rare when the topic starter returns with solution description.