www.bonsaiframework.com
Page tree

Versions Compared

Old Version 21

changes.mady.by.user Tin Pham

Saved on

compared with

New Version Current

changes.mady.by.user Tin Pham

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Once installed, IHS includes a tool for working with SSL Certificates called IBM's Key Management Utility which IBM also refers to as GSKIT and generally referred to as iKeyMan. We will use iKeyman consistently in this documentation.

Table of Contents

Warning

Something that I have not tried yet but should work in theory. To make things easier, use the open ssl command line tools to generate the CSR. When the CA gives back the signed request, generate a P12. Make sure to also include the private key somehow. Then you should be able to import into IHS and delete the old certificate.

 

Verify Version

Most current installs should be fine. However, you should still ensure that the iKeyman iKeyMan packaged with IHS can start and is the minimal version for 2048 certificates. 2048 is now becoming the minimal standard for Web certificates.

...

IBM uses the concept of a Key Database File to protect the certificate private key. The first step is to create an empty key database file using the Key Management Utility also known as iKeymaniKeyMan.

  1. Key Database File
  2. New
  3. Key database type = CMS (can explain more about the format... later but CMS if standard)
  4. File Name = krypton.kdb
  5. Browser... = C:\opt\IBMIHS\keys\

...

Note the location and file name of the certificate request. Change the default name, or you may end up overwriting previous other certificate requests. In this example it would be C:\opt\IBMIHS\keys\www.krypton.com.2012-03-13.certificate_request.arm.

Click OK.

Upon success you will see the following message,

Panel

A new certificate reqweuest has been successfully created in the file: C:\opt\IBMIHS\keys\www.krypton.com.2012-03-13.certificate_request.arm. You must send Send the file to a certification authority to request a certificate.

You There will now see your be a certificate request as an item in the Key database content section.You can now exit iKeyman

Note

Do not use click the save button. It actually makes things confusing as it really is a save as... button.

Exit iKeyman which will also auto-save your changes.

Verify CSR

...

Backup Private Key

Backup all key related files. In this example, C:\opt\IBMIHS\keys\krypton.* should be copied.

Submit CSR

Send the arm file to your Certificate Authority.

Warning About the IBM Key Management Utility

At this stage you have generated a CRS which in turn generated a Private Key stored in your key database file krypton.kdb.

...

Import Private Key

The Certificate Authority will provide a signed certificate file, root certificate and possibly supporting chain certificates which will be imported into your kdb file.

Backup Your Files (Again!)

iKeyMan saves to the Key Database File arbitrary depending on your action and saves things across multiple files. Backup your files before proceeding.

Warning
It is strongly recommended to Remember backup the complete set together. In this example that would be all files krypton.* and not just krypton.kdb.

I have personally have had to recreate certificates from scratch due to improper backups.

Import Private Key

...

If your files become corrupt, the entire process will need to be restarted.

Rename CA Provided Certificates

In addition to the signed certificate, the CA should include the Root Certificate and any required supporting Chain Certificates. It is important to use a consistent naming convention.

...

The signed certificate will often be in a plain txt file. Rename the file to C:\opt\IBMIHS\keys\www.krypton.com.2012-03-14.signed_certificate.arm

The date included in the file name should reference when the certificates were received.

Import Root Certificate

...

Import Signed Certificate

If necessary, start iKeyMan and open the key database.

  • From the Windows desktop, select Start - Programs - IBM HTTP Server - Start Key Management Utility.
  • Select Key Database File - Open and open the "Httpserverkey.kdb" database in the C:\Program Files\IBM\WebSphere\AppServer\etc directory.

In the "Key database content" drop-down list, select "Personal Certificates."

On the right-hand side of the "Key database content" box, click the "Receive..." button.

In the "Receive Certificate from a file" window, complete the following fields:

  • Data type: Accept the default of "Base64-encoded ASCII data."
  • Certificate file name: Browse to and select the "HTTPServerCert.cer" file (or other server certificate file that you have obtained from the CA).
  • Location: Ensure the location field specifies the directory path to which the "HTTPServerCert.cer" file was saved after you received the file from the CA (for example C:\Program Files\IBM\WebSphere\AppServer\etc).

Click OK.

You should now see the server certificate name displayed in the Personal Certificates list in IKeyMan.

Note

 The server certificate name was selected when creating the CSR.

 

References

Has good steps and pictures - http://www-01.ibm.com/support/docview.wss?uid=swg21006430

Steps to Importing Signed Certificate with iKeyMan - http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.801.doc/EMS/st_adm_ems_ssl_cert_for_http_t.html