Refer to Apache and SSL Certificates for conceptual references.

Once installed, IHS includes a tool for working with SSL certificates called IBM's Key Management Utility, which IBM also refers to as GSKit and which is generally referred to as iKeyman.

Something that I have not tried yet but should work in theory: to make things easier, use the OpenSSL command line tools to generate the CSR. When the CA gives back the signed request, generate a P12. Make sure to also include the private key somehow. Then you should be able to import it into IHS and delete the old certificate.


Verify Version

Most current installs should be fine. However, you should still ensure that the iKeyman packaged with IHS can start and is at least the minimum version required for 2048-bit certificates; 2048 bits is now becoming the minimum standard for web certificates.

To start iKeyman in any environment you must set JAVA_HOME to a Java installation that includes JCE. IBM should have packaged the right version of Java for you. On Windows, use the icon from the Start menu, which does this for you.

I actually don't remember why I have these instructions.

... not sure if needed START ...

Go to the command line and issue the following commands,

E:
cd \opt\IBMIHS\gsk7\bin
set JAVA_HOME=E:\opt\IBMIHS\java\jre
gsk7ikm.exe

... not sure if needed END ...

This should launch iKeyman. Click Help, then About iKeyman, and confirm the version is higher than 7.0.3.18.

Create Key Database File

IBM uses the concept of a Key Database File to protect the certificate private key. The first step is to create an empty key database file using the Key Management Utility also known as iKeyman.

  1. Key Database File
  2. New
  3. Key database type = CMS (more can be said about the format later, but CMS is the standard choice)
  4. File Name = krypton.kdb
  5. Browse... = C:\opt\IBMIHS\keys\

When the Password Prompt window appears, check Stash password to a file. Enter a password, which from now on protects the key database file, and click OK.

Stashing the password keeps it alongside IHS in a stash file (a .sth file next to the .kdb), so that IHS can be stopped and started without you entering the key database password every time. The stash file is only obfuscated, not encrypted, so anyone who can read it can recover the password; restrict its file permissions exactly as you would the .kdb itself.

Generate CSR for Web Server

Confirm your key database file is loaded. The iKeyman window should now show,

DB-Type: CMS
File Name: C:\opt\IBMIHS\keys\krypton.kdb

Next generate the CSR as follows,

  1. In the middle of the iKeyman Window locate a section called Key database content.
  2. Change the Key database content drop-down from the default, Signer Certificates, to Personal Certificate Requests.
  3. Create
  4. New Certificate Request...

At the Create New Key and Certificate Request window fill in the details. Here is an example,

Key Label = www.krypton.com-2012-03-13
Key Size = 2048
Signature Algorithm = SHA1WithRSA
Common Name = www.krypton.com
Organization = Acme
Organizational Unit = Publishing
Locality = Toronto
State/Province = ON
Zipcode =
Country or region = CA

Key Label is the name that shows up in the key database file and is arbitrary. Using the domain name combined with the date the CSR was created is recommended: the combination is unique, and most CAs do not support certificate renewals, so during a renewal you will need to create a new CSR while keeping the original key database.

Key Size is set to 2048. Most modern CAs will not accept less than 2048. The example above uses SHA1WithRSA as the signature algorithm; if your iKeyman version offers SHA256WithRSA, prefer it, since CAs have stopped issuing SHA-1 signed certificates.

Common Name, though marked as optional, is technically required: it must be the domain name of your website.

Note the location and file name of the certificate request. Change the default name, or you may end up overwriting earlier certificate requests. In this example it would be C:\opt\IBMIHS\keys\www.krypton.com-2012-03-13.arm.

Click OK.

Upon success you will see the following message,

A new certificate request has been successfully created in the file: C:\opt\IBMIHS\keys\krypton.arm. You must send the file to a certification authority to request a certificate.

You will now see your certificate request as an item in the Key database content section.

You can now exit iKeyman.
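As an added example (not part of the original page and not IBM's tooling), here is the OpenSSL route mentioned at the top carried through: it generates a key and CSR with the same subject as the iKeyman walkthrough, then checks the request the way you would check the .arm file before sending it to the CA. It assumes openssl is on PATH and that the .arm file iKeyman writes is PEM-encoded (which it is, so verify_csr works on it unchanged); the file names and work directory are constructed, and SHA-256 is used instead of the page's SHA1WithRSA.

```shell
#!/bin/sh
# Added example, not from the original page: generate a CSR with OpenSSL using
# the subject from the iKeyman walkthrough, then check it before it goes to the
# CA. Requires openssl on PATH; the .arm that iKeyman writes is PEM, so the same
# verify_csr checks apply to it. File names and the work directory are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/www.krypton.com-2012-03-13.key"
CSR="$WORK/www.krypton.com-2012-03-13.arm"

# 2048-bit RSA key plus request. SHA-256 is used instead of the page's SHA1WithRSA,
# since CAs no longer sign SHA-1 requests. The key never leaves this host.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$KEY" -out "$CSR" \
    -subj "/C=CA/ST=ON/L=Toronto/O=Acme/OU=Publishing/CN=www.krypton.com" \
    >/dev/null 2>&1

# verify_csr FILE EXPECTED_CN MIN_BITS
# Prints "ok" when the request's self-signature verifies, the CN is the one you
# asked for, the key has at least MIN_BITS and the signature is not SHA-1;
# otherwise prints the first failing check.
verify_csr() {
    csr=$1; want_cn=$2; min_bits=$3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return; }
    text=$(openssl req -in "$csr" -noout -text)
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "cn-mismatch:$cn"; return; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "weak-key:${bits:-unknown}"; return; }
    case $text in *sha1With*) echo sha1-signature; return;; esac
    echo ok
}

verify_csr "$CSR" www.krypton.com 2048   # ok
verify_csr "$CSR" krypton.com 2048       # cn-mismatch:www.krypton.com
verify_csr "$CSR" www.krypton.com 4096   # weak-key:2048
```

Run verify_csr against the real .arm file with the CN you entered in iKeyman before uploading it; a CN typo found here costs nothing, one found after the CA has signed costs a reissue.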

Verify CSR

...

Backup Private Key

...

Submit CSR

Send the arm file to your Certificate Authority.

Warning About the IBM Key Management Utility

At this stage you have generated a CSR, which in turn generated a private key stored in your key database file krypton.kdb.

Before using the Key Management Utility on an existing key database file that already contains keys, you should be aware that it has quite a few quirks. The most dangerous is that the Key Management Utility writes to the key database at arbitrary points depending on your action, and spreads its state across multiple files.

It is strongly recommended to back up the complete set together. In this example that means all files matching krypton.* and not just krypton.kdb: the set includes the request database (.rdb), which holds the private key for a pending CSR until the signed certificate is received, and the stash file (.sth). Losing the .rdb means the returned certificate can no longer be matched to its key.

I personally have had to recreate certificates from scratch due to improper backups.

Import Private Key

...

References

IBM support document with good steps and pictures: http://www-01.ibm.com/support/docview.wss?uid=swg21006430
