Refer to Apache and SSL Certificates for conceptual references.
The tool for working with SSL Certificates on IHS is called IKEYMAN.
Verify GSKit Version
Most current installs should be fine. However, you should still ensure that the GSKit packaged with IHS can start and meets the minimum version for 2048-bit certificates.
To start GSKit regardless of the environment, you must specify a JAVA_HOME that points to a version of Java with JCE. IBM should have packaged the right version of Java for you. On Windows, use the icon from the Start menu.
I actually don't remember why I have these instructions actually.
... not sure if needed START ...
Go to the command line and issue the following commands:
    E:
    cd \opt\IBMIHS\gsk7\bin
    set JAVA_HOME=E:\opt\IBMIHS\java\jre
    gsk7ikm.exe
... not sure if needed END ...
This should launch GSKit (the IBM Key Management program). Click Help, then About iKeyman, and confirm that the version is higher than 7.0.3.18.
Load Key Database File
IBM uses the concept of a Key Database File to protect the certificate private key. The first step is to create an empty key database file using the Key Management Utility:
- Key Database File
- New
- Key database type = CMS (can explain more about the format... later, but CMS is standard)
- File Name = krypton.kdb
- Browse... = C:\opt\IBMIHS\keys\
When the Password Prompt window appears, check Stash password to a file. Enter a password, which will from now on be used to protect the key database file, and click OK.
Generate CSR
Confirm your key database file is loaded. The IBM Key Management screen should now show:
DB-Type: CMS
File Name: C:\opt\IBMIHS\keys\krypton.kdb
Next, generate the CSR as follows:
- Create
- New Certificate Request...
At the Create New Key and Certificate Request window:
Key Label =
Key Size = 2048
Signature Algorithm = SHA1WithRSA
Common Name =
Warning About the IBM Key Management Utility
At this stage you have generated a CSR, which in turn generated a Private Key stored in your key database file krypton.kdb.
Before using the Key Management Utility on your own or any other key database file, you should be aware that it has quite a few quirks. The most dangerous is that the Key Management Utility saves to the Key Database File arbitrarily, depending on your action.
It is strongly recommended to have multiple backups made of the Key Database before making any changes to it.
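One way to follow the backup recommendation above, as an added example that is not part of the original page: the PowerShell below copies the key database and the companion files iKeyman normally writes beside it (.sth, .rdb, .crl) into a timestamped folder with a SHA-256 manifest, then reports any file that has changed since that backup. The function names, the temp paths and the dummy files are assumptions constructed for the demo.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Assumes the usual CMS companion files beside the .kdb: .sth, .rdb, .crl.
function Backup-KeyDb {
    param([string]$KeyDir, [string]$BaseName, [string]$BackupRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupRoot "${BaseName}-${stamp}"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $files = @(Get-ChildItem -Path $KeyDir -File | Where-Object {
        $_.BaseName -eq $BaseName -and $_.Extension -in '.kdb', '.sth', '.rdb', '.crl' })
    if (-not ($files | Where-Object { $_.Extension -eq '.kdb' })) {
        throw "No ${BaseName}.kdb found in $KeyDir"
    }
    # Copy each file and record its SHA-256 so later changes can be detected.
    $manifest = foreach ($f in $files) {
        Copy-Item -Path $f.FullName -Destination $dest
        [pscustomobject]@{
            Name = $f.Name
            Hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $dest
}

function Get-KeyDbChanges {
    param([string]$KeyDir, [string]$BackupDir)
    # Emit the name of every file that is missing or differs from the manifest.
    foreach ($row in Import-Csv -Path (Join-Path $BackupDir 'manifest.csv')) {
        $live = Join-Path $KeyDir $row.Name
        if (-not (Test-Path $live) -or
            (Get-FileHash -Path $live -Algorithm SHA256).Hash -ne $row.Hash) {
            $row.Name
        }
    }
}

# Constructed demo: dummy files stand in for a real key database.
$root = Join-Path ([IO.Path]::GetTempPath()) ("ihs-demo-" + [guid]::NewGuid())
$keys = Join-Path $root 'keys'
New-Item -ItemType Directory -Path $keys -Force | Out-Null
foreach ($ext in '.kdb', '.sth', '.rdb', '.crl') {
    Set-Content -Path (Join-Path $keys "krypton$ext") -Value "dummy $ext"
}
$backup = Backup-KeyDb -KeyDir $keys -BaseName 'krypton' -BackupRoot (Join-Path $root 'backup')
# Simulate the utility writing to the database after the backup was taken.
Add-Content -Path (Join-Path $keys 'krypton.kdb') -Value 'unintended save'
Get-KeyDbChanges -KeyDir $keys -BackupDir $backup
```

The backup folder holds the private key together with the stash file that unlocks it, so restrict access to it as tightly as to the key directory itself.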
Import Private Key
...