{"id":5147,"date":"2015-08-19T10:20:07","date_gmt":"2015-08-19T02:20:07","guid":{"rendered":"http:\/\/rmohan.com\/?p=5147"},"modified":"2015-08-19T10:20:29","modified_gmt":"2015-08-19T02:20:29","slug":"ssl-certificate-authority-in-ibm-http-server","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5147","title":{"rendered":"SSL Certificate Authority in IBM HTTP Server"},"content":{"rendered":"<h3 class=\"post-title entry-title\">Creating and working with a SSL Certificate Authority in IBM HTTP Server<\/h3>\n<div class=\"post-header\"><\/div>\n<div id=\"post-body-5149023765560096411\" class=\"post-body entry-content\">\n<div>With thanks to Mike Whale and his excellent blog post here: &#8211;<\/div>\n<div><\/div>\n<div><a href=\"http:\/\/at-it.blogspot.co.uk\/2013\/04\/create-your-own-ca-using-ikeycmd.html\">\u00a0Create your own CA using ikeycmd\u00a0<\/a><\/div>\n<div><\/div>\n<div>from which I have<span class=\"Apple-converted-space\">\u00a0<\/span>ripped<span class=\"Apple-converted-space\">\u00a0<\/span>stolen<span class=\"Apple-converted-space\">\u00a0<\/span>reused this content.<\/div>\n<div><\/div>\n<div>This article describes how to create a SSL Certificate Authority using IBM HTTP Server 8.0.0.5, and then generate and use certificates signed by this CA. 
Alternatively, an organisation would go to a public CA such as Verisign, or it would have its own internal CA.<\/div>\n<div><\/div>\n<div><b>Create a CA keystore<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -keydb -create -db CA.jks -type jks<\/i><\/div>\n<div><\/div>\n<div><b>Create a CA<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -create -db CA.jks -label myca -dn \"cn=test,o=IBM\" -ca true<\/i><\/div>\n<div><\/div>\n<div><b>Create a client keystore<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -keydb -create -db client.jks -type jks<\/i><\/div>\n<div><\/div>\n<div><b>Create a CSR<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -certreq -create -db client.jks -label clientcert -file \/tmp\/certreq.arm -dn \"cn=clienttest,o=IBM\"<\/i><\/div>\n<div><\/div>\n<div><b>Sign the CSR using the CA<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -sign -db CA.jks -label myca -file \/tmp\/certreq.arm<\/i><\/div>\n<div><\/div>\n<div><b>Import the signed certificate into the client keystore<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -receive -db client.jks -file cert.arm<\/i><\/div>\n<div><\/div>\n<div><b>Extract the root CA certificate from the CA keystore<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -extract -db CA.jks -label myca -target test.cer -type jks<\/i><\/div>\n<div><\/div>\n<div><b>Import the root CA certificate into the client keystore<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -add -db client.jks -label myca -file test.cer<\/i><\/div>\n<div><\/div>\n<div><b>Convert the client keystore into KDB (PKCS12) format so that the password can be stashed (required for IHS to use the keystore)<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -keydb -convert -db client.jks -pw passw0rd -target client.kdb -new_pw passw0rd -old_format jks -new_format kdb -stash<\/i><\/div>\n<div><\/div>\n<div>Note: The only reason that I chose to create the keystore in JKS format was to follow Mike&#8217;s instructions &#8211; I could&#8217;ve simplified things by creating the keystore in KDB format from the outset.<\/div>\n<div><\/div>\n<div><b>Start IHS<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/apachectl -k restart -f \/opt\/IBM\/HTTPServer\/confext\/httpd.conf<\/i><\/div>\n<div><\/div>\n<div><b>NOTE: &#8211;<\/b><\/div>\n<div><\/div>\n<div>If you see: &#8211;<\/div>\n<div><\/div>\n<div>Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.<\/div>\n<div><\/div>\n<div>in Chrome or: &#8211;<\/div>\n<div><\/div>\n<div>\n<p><span style=\"font-family: Courier New;\">Cannot communicate securely with peer: no common encryption algorithm(s).<\/span><\/p>\n<p>(Error code: ssl_error_no_cypher_overlap)<\/p>\n<\/div>\n<div><\/div>\n<div>in Firefox, and see: &#8211;<\/div>\n<div><\/div>\n<div>[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd6c0028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60917 -&gt; 192.168.8.162:8443] [12:52:31.320280]<\/div>\n<div>[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd700028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60919 -&gt; 192.168.8.162:8443] [12:52:31.434908]<\/div>\n<div>[Tue Apr 16 12:52:53 2013] [error] [client 192.168.8.1] [1d8fd90] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60940 -&gt; 192.168.8.162:8443] [12:52:53.449571]<\/div>\n<div>[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. 
[192.168.8.1:60944 -&gt; 192.168.8.162:8443] [12:52:59.432844]<\/div>\n<div>[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60943 -&gt; 192.168.8.162:8443] [12:52:59.433801]<\/div>\n<div>[Tue Apr 16 12:54:31 2013] [error] [client 192.168.8.1] [7fcd740128b0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60961 -&gt; 192.168.8.162:8443] [12:54:31.636000]<\/div>\n<div><\/div>\n<div>etc.<\/div>\n<div><\/div>\n<div>in IHS error.log, then you don&#8217;t have a default certificate set: IHS has no server certificate to present, so the handshake fails before a cipher can be agreed, which the browsers report as a cipher mismatch. Confirm and fix it as follows: &#8211;<\/div>\n<div><\/div>\n<div>\n<div><b>Listing certificates to confirm what is default \/ trusted<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -list -db client.kdb<\/i><\/div>\n<\/div>\n<div><span style=\"font-family: Courier New;\">Certificates found<br \/>\n* default, - personal, ! trusted<br \/>\n! myca<br \/>\n- clientcert<\/span><\/div>\n<div><\/div>\n<div><b>Set the clientcert certificate as default<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -setdefault -label clientcert -db client.kdb<\/i><\/div>\n<div><\/div>\n<div><b>Listing certificates again to confirm what is now default \/ trusted<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -list -db client.kdb<\/i><\/div>\n<div><\/div>\n<div>Certificates found<\/div>\n<div>* default, - personal, ! trusted<\/div>\n<div>! 
myca<\/div>\n<div>*- clientcert<\/div>\n<div><\/div>\n<div><b>Inspecting certificates<\/b><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -details -db client.kdb -label myca<\/i><\/div>\n<div><\/div>\n<div>Label : myca<\/div>\n<div><b>Key Size : 1024<\/b><\/div>\n<div><b>Version : X509 V3<\/b><\/div>\n<div>Serial : 516d3a0f<\/div>\n<div><b>Issuer : CN=test,OU=test,O=IBM<\/b><\/div>\n<div><b>Subject : CN=test,OU=test,O=IBM<\/b><\/div>\n<div><b>Not Before : 16 April 2013 12:46:23 GMT+01:00<\/b><\/div>\n<div><b>Not After : 16 April 2014 12:46:23 GMT+01:00<\/b><\/div>\n<div>Public Key<\/div>\n<div>Public Key Type : RSA (1.2.840.113549.1.1.1)<\/div>\n<div>Fingerprint : SHA1 :<\/div>\n<div>\u00a0 \u00a0 F6 9A C2 43 57 D8 90 07 B1 C2 5F CC 02 9F CB D6<\/div>\n<div>\u00a0 \u00a0 15 C0 5E 6C<\/div>\n<div>Fingerprint : MD5 :<\/div>\n<div>\u00a0 \u00a0 A6 81 9C 1E 61 7C 52 17 3D B1 D0 90 C5 84 1D 78<\/div>\n<div>Fingerprint : SHA256 :<\/div>\n<div>\u00a0 \u00a0 21 F0 B8 4B A9 9A C9 B4 40 E3 C3 39 1E C5 95 F0<\/div>\n<div>\u00a0 \u00a0 5B D0 79 70 65 67 D1 50 C5 1C E6 9E 96 1E 5B F5<\/div>\n<div>Extensions<\/div>\n<div>\u00a0 \u00a0 basicConstraints<\/div>\n<div>\u00a0 
\u00a0 \u00a0 \u00a0 ca = true<\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 pathLen = 2147483647<\/div>\n<div>\u00a0 \u00a0 \u00a0 \u00a0 critical<\/div>\n<div>Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)<\/div>\n<div>Value<\/div>\n<div>Trust Status : Enabled<\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -details -db client.kdb -label clientcert<\/i><\/div>\n<div><\/div>\n<div>Label : clientcert<\/div>\n<div><b>Key Size : 1024<\/b><\/div>\n<div><b>Version : X509 V3<\/b><\/div>\n<div>Serial : 516d3a27<\/div>\n<div><b>Issuer : CN=test,OU=test,O=IBM<\/b><\/div>\n<div><b>Subject : CN=clienttest,OU=test,O=IBM<\/b><\/div>\n<div><b>Not Before : 16 April 2013 12:46:47 GMT+01:00<\/b><\/div>\n<div><b>Not After : 16 April 2014 12:46:47 GMT+01:00<\/b><\/div>\n<div>Public Key<\/div>\n<div>Public Key Type : RSA (1.2.840.113549.1.1.1)<\/div>\n<div>Fingerprint : SHA1 :<\/div>\n<div>\u00a0 \u00a0 1B 33 B7 0A 1D 33 29 F2 6E 56 81 55 92 CB 48 DC<\/div>\n<div>\u00a0 \u00a0 D3 2F 16 90<\/div>\n<div>Fingerprint : MD5 :<\/div>\n<div>\u00a0 \u00a0 C4 64 E5 08 AA F0 AE 65 5A 7A 12 12 21 55 7C 19<\/div>\n<div>Fingerprint : SHA256 :<\/div>\n<div>\u00a0 \u00a0 54 A4 41 37 25 65 8F 28 FE 4B 97 37 DE 3A 4D 97<\/div>\n<div>\u00a0 \u00a0 80 F4 FF C0 8D BA 92 D2 51 F8 4D 4B 69 BD BA 69<\/div>\n<div>Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)<\/div>\n<div>Value<\/div>\n<div>Trust Status : Enabled<\/div>\n<div><\/div>\n<div>Both certificates above have 1024-bit RSA keys and SHA1WithRSA signatures; current browsers reject both, so outside a lab request a 2048-bit or larger key and a SHA-256 signature when creating the CA certificate and the CSR.<\/div>\n<div><\/div>\n<div><b>Additional Notes<\/b><\/div>\n<div><\/div>\n<div>For the record, here&#8217;s a similar set of instructions, but using KDB (PKCS12) instead of JKS from the outset, avoiding the need for conversion: &#8211;<\/div>\n<div><\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -keydb -create -db CA.kdb -stash<\/i><\/p>\n<\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -create -db CA.kdb -label myca -dn \"cn=test,o=IBM\" -ca 
true<\/i><\/p>\n<\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -keydb -create -db client.kdb -stash<\/i><\/p>\n<\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -certreq -create -db client.kdb -label clientcert -file \/tmp\/certreq.arm -dn \"cn=clienttest,o=IBM\"<\/i><\/p>\n<\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -sign -db CA.kdb -label myca -file \/tmp\/certreq.arm<\/i><\/p>\n<\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -receive -db client.kdb -file cert.arm<\/i><\/div>\n<div><\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -extract -db CA.kdb -label myca -target test.cer<\/i><\/div>\n<div><\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/java\/jre\/bin\/ikeycmd -cert -add -db client.kdb -label myca -file test.cer<\/i><\/p>\n<\/div>\n<div>\n<p><i>\/opt\/IBM\/HTTPServer\/bin\/apachectl -k restart -f \/opt\/IBM\/HTTPServer\/confext\/httpd.conf<\/i><\/p>\n<\/div>\n<div><i>\/opt\/IBM\/HTTPServer\/bin\/gskcapicmd -cert -setdefault -label clientcert -db client.kdb<\/i><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Creating and working with a SSL Certificate Authority in IBM HTTP Server With thanks to Mike Whale and his excellent blog post here: &#8211; Create your own CA using ikeycmd from which I have ripped stolen reused this content. 
This article describes how to create a SSL Certificate Authority using IBM HTTP Server 8.0.0.5, and [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5147"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5147"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5147\/revisions"}],"predecessor-version":[{"id":5152,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5147\/revisions\/5152"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}