Install SSL certificate

The following instructions will guide you to create csr and import the signed crt in the default kdb of IHS.

Step 1: Finding the Kdb

The default Kdb will be present in the IHS installation path. Find the key.kdb and take a back up before executing the commands.

Step 2: Creation of Csr

Use the following command to create the csr.

gskcmd will be present in the bin folder of IHS. gsk7cmd can be used based on the version of IHS.

./gskcmd -certreq -create -db /opt/IHS/SSL/key.kdb -pw WebAS -label lablename -dn “CN=hostname, OU=ou name, O=organization, L=Location, ST=state, C=country code” -size 2048 -file filename.csr

-db is the key.kdb path

-pw is the kdb password, The defualt password is WebAS

-label is any name that you choose the certificated to be labled.

-dn is the domain information

CN = Common name (dns name of the name with which you are trying to use https://hotname protocol)

OU = Organization unit name (ex: IT services)

O = Organization that you are working in, or to whom you are configuring the certificate.

L = Location (ex: Germany)

C = 2 digit country code (ex: GE)

This command will create a filename.csr with the information that you have provided.

Step 3: Certificate request

The csr has to be sent to the certificate signing authorities like verisign, Thwate or Geotrust. They will create a crt file and send the server certificate along with the root and intermediate certificates.

Step 4: Importing the server certificate

Following command will import the server certificate to the kdb file.

Save the certificate file received from the signing authority as server.crt and execute the following command.

gskcmd -cert -receive -file server.crt -db /opt/IHS/SSL/key.kdb -pw WebAS -label servercertificate -format ascii

This command will import the server certificate.

Step 5: Set the server certificate to default

Following command will make the server certificate as default. When you access the https protocol of the website, The default certificate will be choosen.

gskcmd -cert -setdefault -label servercertificate -db /opt/IBM/HTTPServer/SSL/key.kdb

Step 6: Importing the CA/Intermediate certificate

Along with the server certificate, The signing authority will send the intermediate certificate, This certificate has to be imported to prevent the ssl handshake errors.

Save the Intermediate certificate as rootCAcertificate.crt and execute the following command.

gskcmd -cert -add -file rootCAcertificate.crt -db /opt/IHS/SSL/key.kdb -label primaryCA -pw WebAS -format ascii

Step 7: Populate the certificates

gskcmd -cert -populate -db /opt/IHS/SSL/key.kdb -pw WebAS

Now add the kdb path in the httpd.conf in ssl module tags and restart the apache server with -DSSL option.

Basic commands of gskcmd to check the certificates:

List the certificates : ./gskcmd -cert -list -db /opt/IHS/SSL/key.kdb

Check the details of the certificates:

./gskcmd -certreq -details -label labelname -db /opt/IHS/SSL/key.kdb
./gskcmd -cert -details -label labelname -db /opt/IHS/SSL/key.kdb

Delete a certificate : ./gskcmd -cert -delete -label labelname -db /opt/IHS/SSL/key.kdb

Extract a certificate : ./gskcmd -cert -extract -db certificate.jks -label labelname -target test_myne.cer -type jks

Date and Time stamp] [error] [client ip] [ds0] [789] SSL0223E: SSL Handshake Failed, No certificate.

> Then use the following command to display the chain of certificates imported in the kdb. You can see the certificate that you have imported in the kdb. This should display the new certificate imported to the kdb.

./gskcmd -cert -list -db /opt/IHS/SSL/key.kdb

-> Even after this you see the error, Make the certificate as default using the following command.

gskcmd -cert -setdefault -label servercertificate -db /opt/IBM/HTTPServer/SSL/key.kdb

Now a quick restart of the apache server should resolve the issue.

Recent Posts

Pages

Categories

Archives

Recent Comments