IBM Power Ideas Portal



Status: Delivered
Created by: Guest
Created on: Apr 19, 2017

HMC Wildcard Certificate Support

We are getting crap from providers now that having an HMC with a self-signed certificate is no longer acceptable. Such a device may be banned from their equipment racks, and it now violates various requirements. It's not just the HMC, of course; it's IBM i, switches, firewalls, routers, SANs, tape libraries, and the beat goes on.

Obtaining a separate key for every device in the DC is both expensive and a management nightmare. Imagine the system fails, IBM shows up to repair it, but the certificate expired today! Oops, missed that one! DISASTER!

So a wildcard it is. Working in many places, but from IBM: "the hmc does not support adding a wildcard certificate."

Please fix this.

Idea priority: High
  • Guest | Dec 16, 2020

    Hi Larry,

    Please find below some more details on applying a wildcard certificate to the HMC. Hope this helps. Marking the RFE as delivered, as the function is already available in the HMC.

    A) Generate a certificate signing request (CSR); ensure you mention the wildcard in the CN parameter. All the HMCs where you want to apply the wildcard certificate should be in the same domain network. You can generate the CSR from the UI of one of your HMC machines, wherein you mention the Common Name (CN) as "*domain name" while submitting the certificate signing request (CSR) form. Fill in the other parameters as usual.
    B) Now pass the certificate signing request (CSR) to a CA that is capable of generating the wildcard certificate in X.509 format.
    Check if the CA can provide the JKS file (Java supported) with the password for the file. Otherwise you can convert the certificate to JKS using the keytool command:
    keytool -importcert -alias alias_name -file path_to_certificate_file -keystore truststore_file -storepass {password}
    e.g.: keytool -importcert -file /path/to/your/certificate.crt -alias hmcserver -keystore /path/to/your/truststore.jks -storepass repoPassword
    C) Importing the certificate or JKS, once the certificate is approved/received.
    From the machine where the CSR was generated, you can import an X.509 format certificate file as mentioned here:
    1) https://www.ibm.com/support/pages/hmc-certificate-signing
    2) https://www.ibm.com/support/pages/creating-and-signing-certificates-hmc-classic-and-enhanced-gui.
    Now, assuming you have got the JKS file from the CA or you have converted the certificate file to JKS and have the password handy, you can import this file to all other HMCs in the same network that have the same domain, to apply the wildcard certificate.
    Steps:
    a) Browse to Users and Security > Systems and Console Security.
    Click Manage Certificates.
    b) On the pop-up window, select Advanced > Import Repository.
    c) Import the JKS file and enter the password for that repository file.
    d) The system will ask for a reboot to successfully apply the wildcard server certificate.

  • Guest | Feb 6, 2018

    OK, I'm not a rocket scientist, so maybe I'm missing something, but the comment "you can create your own repository" is approximately equal to my wife telling me "you can simply sew your own suit coat; both my sewing machines and my serger are in my sewing room." Yep, I know approximately what a repository is. But no matter how much I tried to do that with the Google and the Hooya and the YouTube, where everyone uses phrases like "use program x to import your certificate" as if I do that as frequently as I refill my coffee cup! Remember that a lot of these HMCs support IBM i, which has "Digital Certificate Manager", not a command-line setup.

    So while I'm not against the import option, it has no value if there is not a set of instructions on how to create this repository. Even better would be "How to use IBM's Digital Certificate Manager to create an HMC certificate repository", as I suspect the AIX folks know what "program x" is.

    Thank you.

  • Guest | Feb 6, 2018

    Hi,
    HMC has an option "Import Repository" (located at Manage Certificates > Advanced > Import Repository). You can create a wildcard certificate and then make a JKS or a PKCS12 (we only support these two in HMC) from that wildcard cert using your own private key. You will be able to upload that JKS or PKCS12 repository to any HMC using "Import Repository" without needing to create a CSR.

    Please let us know if this addresses your requirement.

    Thanks.
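The procedure described in the IBM replies above (a CSR with the wildcard in the CN, a CA-issued certificate, a JKS or PKCS12 repository holding your own private key, imported on every HMC in the domain), as an added shell example that is not IBM's code and does not come from this thread. It assumes the domain hmc.example.com, a constructed local CA standing in for your real CA, and OpenSSL 1.1.1 or newer on PATH; keytool is used only if a JDK is present.

```shell
#!/bin/bash
# Added example, not IBM's code: build a wildcard server certificate repository in
# the PKCS12 form that the HMC "Import Repository" dialog accepts, then run the
# checks an operator wants before loading it on every HMC in the domain.
# Assumptions (not from the page): domain hmc.example.com, a locally generated CA
# standing in for your real CA, and OpenSSL 1.1.1 or newer on PATH.
set -eu
WORK=${WORK:-$(mktemp -d)}
DOMAIN="hmc.example.com"   # every HMC that shares this repository must sit under it
WILDCARD="*.$DOMAIN"
STOREPASS="repoPassword"   # the password typed into the HMC import dialog
# 1. Private key plus CSR. The wildcard goes in the CN and in the SAN, because
#    current TLS clients match the hostname against the SAN only.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/hmc.key" \
    -out "$WORK/hmc.csr" -subj "/O=Example/CN=$WILDCARD" \
    -addext "subjectAltName=DNS:$WILDCARD,DNS:$DOMAIN" 2>/dev/null
}
# 2. Stand-in CA signs the CSR (your real CA does this step). The SAN is restated
#    in an extfile because "x509 -req" drops the CSR's extensions by default.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$WILDCARD" "$DOMAIN" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/hmc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$WORK/san.ext" -out "$WORK/hmc.crt" 2>/dev/null
}
# 3. Key, certificate and issuing CA go into one PKCS12 under the alias "hmcserver"
#    used in the reply; a JKS copy is made only if a JDK's keytool is installed.
make_repository() {
  openssl pkcs12 -export -inkey "$WORK/hmc.key" -in "$WORK/hmc.crt" -certfile "$WORK/ca.crt" \
    -name hmcserver -out "$WORK/hmc.p12" -passout "pass:$STOREPASS"
  command -v keytool >/dev/null 2>&1 && keytool -importkeystore -noprompt \
    -srckeystore "$WORK/hmc.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/hmc.jks" -deststoretype JKS -deststorepass "$STOREPASS" >/dev/null 2>&1
  return 0
}
# 4. Pre-import checks: key matches certificate, wildcard SAN present, more than 30
#    days of validity left (the "expired today" scenario), password opens the file.
verify_repository() {
  k=$(openssl pkey -in "$WORK/hmc.key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORK/hmc.crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ] || return 1
  openssl x509 -in "$WORK/hmc.crt" -noout -ext subjectAltName | grep -q "DNS:\*\.$DOMAIN" || return 2
  openssl x509 -in "$WORK/hmc.crt" -noout -checkend $((30 * 86400)) >/dev/null || return 3
  openssl pkcs12 -in "$WORK/hmc.p12" -passin "pass:$STOREPASS" -nokeys -noout 2>/dev/null || return 4
}
make_csr && sign_with_test_ca && make_repository && verify_repository && echo "ready: $WORK/hmc.p12"
```

Older Java runtimes may not open a PKCS12 written with OpenSSL 3's default AES/PBKDF2 encryption; if the HMC rejects the file, repeat the export with OpenSSL 3's -legacy option.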