Installing Verisign SSL certificate on IBM HTTP server

Installing a Verisign SSL site certificate on IBM HTTP server

If you have an Apache certificate, e.g. one that was requested with an openssl signing request rather than with ikeyman, then you first need to convert it to PKCS12 format, which can then be imported into the IBMHTTPServer6 keystore.

openssl pkcs12 -export -out new_key_pair_filename.p12 -inkey private_key_filename.key -in certificate_filename.crt

You will be prompted for a password – you must use the same password as the keystore you want to import it into.

Move the file to /usr/IBMHTTPServer6/bin
If you used strong encryption to generate the signing key request (and you would have done) then you may have to install the unrestricted JCE policy files.

To check :-

/usr/IBMHTTPServer6/java/jre/bin/keytool -list -v -keystore /usr/IBMHTTPServer6/bin/wbis104m.p12 -storetype pkcs12 -storepass passwd

If it fails with Java errors like :-

keytool error (likely untranslated): java.io.IOException: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)

keytool error (likely untranslated): java.io.IOException: Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameters)

You need to install the unrestricted JCE policy files.

Download the zip file from https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk (you need an IBM ID – registration is free)

Unzip it and, after making copies of the originals, copy the new local_policy.jar and US_export_policy.jar files over the ones in /usr/IBMHTTPServer6/java/jre/lib/security

Rerun the keytool command above (making sure you use the full path to the keytool command) to confirm that it lists the certificate details without Java errors.

Now add it into the keystore

You need to be able to use X, as the ikeyman program is GUI only.

su to root, then export XAUTHORITY and DISPLAY to those of the user you su’d from.

e.g.

export XAUTHORITY=/home/fred/.Xauthority

export DISPLAY=localhost:10.0

cd /usr/IBMHTTPServer6/bin

./ikeyman

Key Database File – Open

Key Database type CMS

Location /usr/IBMHTTPServer6/keys/

File Name key.kdb

You will be prompted for the password

Now import the certificate you converted to pkcs12 format above

Ensure Personal Certificates is selected then click on Export/Import

Select Import Key

Key file type PKCS12

File Name the file name of the converted pkcs12 format above

Location where you put the file

Click OK – you will be prompted for a password – use the one you set when you did the conversion (which should also be the same as the password of the keystore you are putting it in)

If you get the message “The specified database has been corrupted”, ensure you have installed the unrestricted JCE policy files described above. If you have to install them, you need to exit ikeyman and restart it.

You should now get a dialog asking if you would like to change any of these labels before completing the import process

Click on the label (which is probably a very long string) and change it to something like prod-cert (this is the name you will use in the httpd.conf file)

Click apply

Click OK (you may have to scroll to the right to see the OK button)

If you now get an error like :-

An attempt to import the certificate has failed.

All the signer certificates must exist in the key database

This probably means that you need to install the Verisign intermediate signer certificate.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

Assuming it is a standard Verisign site certificate (class 3) then go here :-

http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html

Cut and paste the certificate into a file and save it with a .arm extension

Go into ikeyman and open the keystore as above

Select Signer Certificates

Click add

Data type Base64-encoded ASCII data

Certificate file name the name of the arm file you created above

Location the location of the arm file

Click OK

Enter a label for the certificate – choose something like Verisign intermediate CA cert

Click OK

Now select Personal Certificates and import the converted PKCS12 SSL certificate using the instructions as before.
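The conversion, keytool check and signer check from the steps above, scripted so that the two failures described (missing unrestricted JCE policy files, missing intermediate signer) are caught before ikeyman is started. This is an added example, not part of the original article; IHS_HOME, the file names and the KEYSTORE_PASS environment variable (the key.kdb password) are assumptions.

```shell
# Added example (not from the original article). Assumes IHS_HOME, the file
# names below and KEYSTORE_PASS set in the environment to the key.kdb password
# (the same password the PKCS12 file must get, as the text requires).
IHS_HOME=${IHS_HOME:-/usr/IBMHTTPServer6}
KEYTOOL="$IHS_HOME/java/jre/bin/keytool"

# Convert the openssl key pair to PKCS12, taking the password from the environment.
convert_to_p12() {   # $1=private key, $2=certificate, $3=output .p12
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:KEYSTORE_PASS
}

# Classify keytool -list output: jce-policy when the unrestricted JCE policy
# files are missing, error for any other keytool error, ok otherwise.
classify_keytool_output() {
    case "$1" in
        *"Illegal key size"*|*"Unsupported keysize or algorithm parameter"*) echo jce-policy ;;
        *"keytool error"*) echo error ;;
        *) echo ok ;;
    esac
}

# List the PKCS12 file with the IHS JRE's own keytool (full path, as above).
check_p12() {        # $1=.p12 file
    out=$("$KEYTOOL" -list -v -keystore "$1" -storetype pkcs12 -storepass "$KEYSTORE_PASS" 2>&1) || true
    classify_keytool_output "$out"
}

# Strip the "subject=" / "issuer=" prefix (and the space older openssl versions add).
dn_value() { sed 's/^[a-z]*= *//'; }

# True when the intermediate's subject equals the site certificate's issuer,
# i.e. the .arm file really is the signer ikeyman will look for.
issued_by() {        # $1=site certificate, $2=intermediate .arm file
    issuer=$(openssl x509 -noout -issuer -in "$1" | dn_value)
    subject=$(openssl x509 -noout -subject -in "$2" | dn_value)
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Usage: KEYSTORE_PASS=... sh prep.sh run private.key site.crt intermediate.arm
if [ "${1:-}" = run ]; then
    convert_to_p12 "$2" "$3" new_key_pair_filename.p12 || exit 1
    case $(check_p12 new_key_pair_filename.p12) in
        jce-policy) echo "install the unrestricted JCE policy files, then rerun"; exit 1 ;;
        error)      echo "keytool could not read the PKCS12 file"; exit 1 ;;
    esac
    issued_by "$3" "$4" || { echo "$4 did not issue $3: add the signer certificate first"; exit 1; }
    echo "new_key_pair_filename.p12 is ready to import with ikeyman"
fi
```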

Adding the certificate to the httpd.conf file

vi /usr/IBMHTTPServer6/conf/httpd.conf

Search for SSLServerCert and change the certificate name to the label you chose when you added the certificate to the keystore, e.g. prod-cert

Restart apache