Wednesday, March 16, 2011

Installing Verisign SSL certificate on IBM HTTP server

Posted by Dave
Installing a Verisign SSL site certificate on IBM HTTP server
If you have an Apache-style certificate, e.g. one that was requested with an OpenSSL certificate signing request rather than with ikeyman, then you first need to convert it to PKCS12 format, which can then be imported into the IBMHTTPServer6 keystore.
openssl pkcs12 -export -out new_key_pair_filename.p12 -inkey private_key_filename.key -in certificate_filename.crt
You will be prompted for a password – you must use the same password as the keystore you want to import it into.
Move the file to /usr/IBMHTTPServer6/bin
If you used strong encryption to generate the signing key request (and you would have done) then you may have to install the unrestricted JCE policy files.
To check :-
/usr/IBMHTTPServer6/java/jre/bin/keytool -list -v -keystore /usr/IBMHTTPServer6/bin/wbis104m.p12 -storetype pkcs12 -storepass passwd
If it barfs with java errors like :-
keytool error (likely untranslated): Private key decryption error: ( Illegal key size)
keytool error (likely untranslated): Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameter
You need to install the unrestricted JCE policy files.
Download the zip file from (you need an IBM ID – this is a free registration)
Unzip it and, after making copies of the originals, copy the new local_policy.jar and US_export_policy.jar files over the ones in /usr/IBMHTTPServer6/java/jre/lib/security
Rerun the keytool command above (ensuring you use the full path to the keytool command, so that the IBM JRE's keytool is the one that runs) to confirm it lists the certificate details without Java errors.
Now add it into the keystore
You need to be able to use X as the ikeyman program is GUI only.
su to root, then export XAUTHORITY and DISPLAY to those of the user you su’d from, e.g.:
export XAUTHORITY=/home/fred/.Xauthority
export DISPLAY=localhost:10.0
cd /usr/IBMHTTPServer6/bin
Key Database File – Open
Key Database type CMS
Location /usr/IBMHTTPServer6/keys/
File Name key.kdb
You will be prompted for the password
Now import the certificate you converted to pkcs12 format above
Ensure Personal Certificates is selected then click on Export/Import
Select Import Key
Key file type PKCS12
File Name the file name of the converted pkcs12 format above
Location where you put the file
Click OK – you will be prompted for a password – use the one you set when you did the conversion (which should also be the same as the password of the keystore you are putting it in)
If you get the message “The specified database has been corrupted”, ensure you have installed the unrestricted JCE policy files above. If you have to install them you need to exit ikeyman and restart it.
You should now get a dialog asking if you would like to change any of these labels before completing the import process
Click on the label (which is probably a very long string) and then change it to something like prod-cert (this is the name you will use in the httpd.conf file)
Click apply
Click OK (you may have to scroll to the right to see the OK button)
If you now get the error “An attempt to import the certificate has failed. All the signer certificates must exist in the key database”
This probably means that you need to install the Verisign intermediate signer certificate, because ikeyman will only import a personal certificate whose issuer is already present as a signer.
Assuming it is a standard Verisign site certificate (class 3) then go here :-
Cut and paste the certificate into a file and save with a .arm extension
Go into ikeyman and open the keystore as above
Select Signer Certificates
Click add
Data type Base64-encoded ASCII data
Certificate file name the name of the arm file you created above
Location the location of the arm file
Click OK
Enter a label for the certificate – choose something like Verisign intermediate CA cert
Click OK
Now select Personal Certificates and import the converted PKCS12 SSL certificate using the instructions as before.
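The following is an added example, not code from the original post: it wraps the PKCS12 conversion above so the intermediate signer travels in the same bundle, and checks beforehand that the .arm file is really the CA that issued your site certificate, which is the precondition behind the "All the signer certificates must exist" error. File names (site.key, site.crt, intermediate.arm, site.p12) are placeholders for your own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed inputs (placeholder
# names): site.key and site.crt from the OpenSSL signing request, the Verisign
# intermediate saved as intermediate.arm, and the password of key.kdb.

# check_chain SITE_CRT INTERMEDIATE_ARM
# Succeeds only when the .arm file is the CA that issued the site certificate,
# i.e. the intermediate's subject equals the site certificate's issuer. Both
# names come from the same openssl binary, so their formatting matches.
check_chain() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# make_p12 SITE_KEY SITE_CRT INTERMEDIATE_ARM OUT_P12 PASSWORD
# Same conversion as in the post, plus -certfile so the intermediate is bundled
# with the key pair. PASSWORD must equal the key.kdb password, as the post says.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# count_p12_certs P12 PASSWORD
# Prints how many certificates the bundle holds (2 = site cert + intermediate).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}
```

Run check_chain on site.crt and the .arm file before opening ikeyman; if it fails, the file you pasted is not the intermediate that signed your certificate and the import will be rejected.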
Adding the certificate to the httpd.conf file
vi /usr/IBMHTTPServer6/conf/httpd.conf
search for SSLServerCert and change the certificate name to the label you chose when you added the certificate to the keystore, e.g. prod-cert
Restart apache