{"id":5680,"date":"2016-04-14T18:18:29","date_gmt":"2016-04-14T10:18:29","guid":{"rendered":"http:\/\/rmohan.com\/?p=5680"},"modified":"2016-04-14T18:24:10","modified_gmt":"2016-04-14T10:24:10","slug":"install-ssl-certificate","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5680","title":{"rendered":"Install SSL certificate"},"content":{"rendered":"<p>The following instructions will guide you to create a csr and import the signed crt into the default kdb of IHS.<\/p>\n<h3>Step 1: Finding the Kdb<\/h3>\n<div>The default Kdb will be present in the IHS installation path. Find the key.kdb and take a backup before executing the commands.<\/div>\n<h3>Step 2: Creation of Csr<\/h3>\n<div>Use the following command to create the csr.<\/div>\n<div><\/div>\n<div>gskcmd will be present in the bin folder of IHS. Depending on the version of IHS, the command may be gsk7cmd instead.<\/div>\n<div><\/div>\n<div><b>.\/gskcmd -certreq -create -db \/opt\/IHS\/SSL\/key.kdb -pw WebAS -label labelname -dn &quot;CN=hostname, OU=ou name, O=organization, L=Location, ST=state, C=country code&quot; -size 2048 -file filename.csr<\/b><\/div>\n<div><\/div>\n<div>-db is the key.kdb path.<\/div>\n<div>-pw is the kdb password. The default password is WebAS.<\/div>\n<div>-label is any name that you choose to label the certificate.<\/div>\n<div>-dn is the distinguished name (the domain information).<\/div>\n<div><\/div>\n<div><b>CN = Common name (the DNS name of the host that you will access as https:\/\/hostname)<\/b><\/div>\n<div><b>OU = Organization unit name (ex: IT services)<\/b><\/div>\n<div><b>O = Organization that you are working in, or to whom you are configuring the certificate.<\/b><\/div>\n<div><b>L = Location (ex: Germany)<\/b><\/div>\n<div><b>C = 2 digit country code (ex: GE)<\/b><\/div>\n<div><\/div>\n<div>This command will create a filename.csr with the information that you have provided.<\/div>\n<div><\/div>\n<h3>Step 3: Certificate request<\/h3>\n<div>The csr has to be sent to the certificate 
signing authorities like Verisign, Thawte or GeoTrust. They will create a crt file and send the server certificate along with the root and intermediate certificates.<\/div>\n<h3>Step 4: Importing the server certificate<\/h3>\n<p>The following command will import the server certificate into the kdb file.<\/p>\n<p>Save the certificate file received from the signing authority as server.crt and execute the following command.<\/p>\n<p><b>gskcmd -cert -receive -file server.crt -db \/opt\/IHS\/SSL\/key.kdb -pw WebAS -label servercertificate -format ascii<\/b><\/p>\n<p>This command will import the server certificate.<\/p>\n<h3>Step 5: Set the server certificate to default<\/h3>\n<p>The following command will make the server certificate the default. When you access the website over https, the default certificate will be chosen.<\/p>\n<p><b>gskcmd -cert -setdefault -label servercertificate -db \/opt\/IHS\/SSL\/key.kdb<\/b><\/p>\n<h3>Step 6: Importing the CA\/Intermediate certificate<\/h3>\n<p>Along with the server certificate, the signing authority will send the intermediate certificate. This certificate has to be imported to prevent ssl handshake errors.<\/p>\n<p>Save the intermediate certificate as rootCAcertificate.crt and execute the following command.<\/p>\n<p><b>gskcmd -cert -add -file rootCAcertificate.crt -db \/opt\/IHS\/SSL\/key.kdb -label primaryCA -pw WebAS -format ascii<\/b><\/p>\n<h3><b>Step 7: Populate the certificates<\/b><\/h3>\n<div><b>gskcmd -cert -populate -db \/opt\/IHS\/SSL\/key.kdb -pw WebAS<\/b><\/div>\n<p>Now add the kdb path in the httpd.conf in the ssl module tags and restart the apache server with the -DSSL option.<\/p>\n<p><b>Basic commands of gskcmd to check the certificates:<\/b><\/p>\n<p><b>List the certificates : .\/gskcmd -cert -list -db \/opt\/IHS\/SSL\/key.kdb<\/b><\/p>\n<p><b>Check the details of the certificates:<\/b><\/p>\n<p><b>.\/gskcmd -certreq 
-details -label labelname -db \/opt\/IHS\/SSL\/key.kdb<\/b><br \/>\n<b>.\/gskcmd -cert -details -label labelname -db \/opt\/IHS\/SSL\/key.kdb<\/b><\/p>\n<p><b>Delete a certificate : .\/gskcmd -cert -delete -label labelname -db \/opt\/IHS\/SSL\/key.kdb<\/b><\/p>\n<p><b>Extract a certificate : .\/gskcmd -cert -extract -db certificate.jks -label labelname -target test_myne.cer -type jks<\/b><\/p>\n<p>[Date and Time stamp] [error] [client ip] [ds0] [789] SSL0223E: SSL Handshake Failed, No certificate.<\/p>\n<div>\n<p>-&gt; Use the following command to display the chain of certificates imported in the kdb. This should display the new certificate that you have imported to the kdb.<\/p>\n<p><strong>.\/gskcmd -cert -list -db \/opt\/IHS\/SSL\/key.kdb<\/strong><\/p>\n<p>-&gt; If you still see the error after this, make the certificate the default using the following command.<\/p><\/div>\n<div><b>gskcmd -cert -setdefault -label servercertificate -db \/opt\/IHS\/SSL\/key.kdb<\/b><\/div>\n<p>Now a quick restart of the apache server should resolve the issue.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The following instructions will guide you to create a csr and import the signed crt into the default kdb of IHS.<\/p>\n<p> Step 1: Finding the Kdb The default Kdb will be present in the IHS installation path. Find the key.kdb and take a backup before executing the commands. 
Step 2: Creation of Csr Use the [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5680"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5680"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5680\/revisions"}],"predecessor-version":[{"id":5682,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5680\/revisions\/5682"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}