The following instructions will guide you through creating a CSR and importing the signed certificate into the default kdb (key database) of IBM HTTP Server (IHS).
Once the certificates have been imported as described in the steps below, add the kdb path to the SSL module section of httpd.conf and restart the Apache server with the -DSSL option.
Step 1: Finding the kdb
The default kdb is located under the IHS installation path. Find key.kdb and take a backup before executing the commands.
Step 2: Creating the CSR
Use the following command to create the CSR.
gskcmd is located in the bin folder of IHS. Depending on the version of IHS, the command may be gsk7cmd instead.
./gskcmd -certreq -create -db /opt/IHS/SSL/key.kdb -pw WebAS -label labelname -dn "CN=hostname, OU=ou name, O=organization, L=Location, ST=state, C=country code" -size 2048 -file filename.csr
-db is the key.kdb path
-pw is the kdb password. The default password is WebAS.
-label is any name you choose to label the certificate with.
-dn is the distinguished name, which carries the domain information
CN = Common name (the DNS name under which the site will be reached, as in https://hostname)
OU = Organization unit name (ex: IT services)
O = Organization that you are working in, or for whom you are configuring the certificate.
L = Location (ex: Germany)
ST = State
C = 2 digit country code (ex: GE)
This command will create filename.csr with the information that you have provided.
Step 3: Certificate request
The CSR has to be sent to a certificate signing authority such as VeriSign, Thawte or GeoTrust. They will create a crt file and send the server certificate along with the root and intermediate certificates.
Step 4: Importing the server certificate
The following command imports the server certificate into the kdb file. Save the certificate file received from the signing authority as server.crt and execute the following command.
gskcmd -cert -receive -file server.crt -db /opt/IHS/SSL/key.kdb -pw WebAS -label servercertificate -format ascii
This command will import the server certificate.
Step 5: Set the server certificate to default
The following command makes the server certificate the default. When the website is accessed over https, the default certificate will be chosen.
gskcmd -cert -setdefault -label servercertificate -db /opt/IHS/SSL/key.kdb
Step 6: Importing the CA/Intermediate certificate
Along with the server certificate, the signing authority will send the intermediate certificate. This certificate has to be imported to prevent SSL handshake errors. Save the intermediate certificate as rootCAcertificate.crt and execute the following command.
gskcmd -cert -add -file rootCAcertificate.crt -db /opt/IHS/SSL/key.kdb -label primaryCA -pw WebAS -format ascii
Step 7: Populate the certificates
gskcmd -cert -populate -db /opt/IHS/SSL/key.kdb -pw WebAS
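A pre-import check for the files handled in Steps 2 to 6, as an added example that is not part of the original post: it confirms that server.crt carries the public key from filename.csr and chains to the CA file before anything is written to the kdb. It assumes the openssl command-line tool is installed on the same host, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Function names are hypothetical; file names follow the post.

# Print the RSA key size of a CSR in bits (the post requests -size 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate ($2) carries the same public key as the
# CSR ($1), i.e. the CA signed the request that was generated in this kdb.
csr_matches_cert() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the certificate ($2) verifies against the CA file ($1).
# $1 must hold the issuing chain up to the root, in PEM format.
# The output is matched so the result does not rest on the exit status alone.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all checks: preflight CSR CERT CAFILE
preflight() {
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "CSR key is under 2048 bits" >&2; return 1; }
    csr_matches_cert "$1" "$2" || { echo "$2 does not match $1" >&2; return 1; }
    chain_verifies "$3" "$2" || { echo "$2 does not chain to $3" >&2; return 1; }
    echo "ok: $2 matches $1 and chains to $3"
}

# Typical use before Step 4:
#   preflight filename.csr server.crt rootCAcertificate.crt
# and run the gskcmd -cert -receive command only if it prints "ok".
```

A mismatch reported by csr_matches_cert usually means the certificate was issued for a CSR created in a different kdb, in which case the receive command in Step 4 has no pending request to pair it with.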
Basic commands of gskcmd to check the certificates:
List the certificates : ./gskcmd -cert -list -db /opt/IHS/SSL/key.kdb
Check the details of the certificates:
./gskcmd -certreq -details -label labelname -db /opt/IHS/SSL/key.kdb
./gskcmd -cert -details -label labelname -db /opt/IHS/SSL/key.kdb
Delete a certificate : ./gskcmd -cert -delete -label labelname -db /opt/IHS/SSL/key.kdb
Extract a certificate : ./gskcmd -cert -extract -db certificate.jks -label labelname -target test_myne.cer -type jks