You really should avoid using self-signed certificates in a production environment, bearing in mind that they typically expire within a year, and that they have not been signed by a certificate authority.
In addition, bear in mind that, by default, IHS only supports 1024-bit certificates UNLESS you choose to download/apply the unrestricted JCE policy files, as described in this Technote: -
Problem(Abstract)
The error "The specified database has been corrupted" is received when importing a pkcs12 file generated by openssl, into a jks file within ikeyman.
Symptom
If ikeyman throws "The specified database has been corrupted" error during import, chances are the pkcs12 file uses an encryption method that is not available in the default JCE policy files provided by the Java used by ikeyman.
Having accepted that this is for a non-production environment, and that you're happy with self-signed certificates, here's a quick crib sheet: -
Create the SSL keystore
$ mkdir /opt/IBM/HTTPServer/ssl
$ /opt/IBM/HTTPServer/java/jre/bin/java com.ibm.gsk.ikeyman.ikeycmd -keydb -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd -type cms -stash
Create the self-signed certificate (default expiration is 12 months; I could have extended this had I chosen)
$ /opt/IBM/HTTPServer/java/jre/bin/java com.ibm.gsk.ikeyman.ikeycmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd -size 1024 -dn "CN=ic301.uk.ibm.com,O=ibm" -label "ic301.uk.ibm.com" -default_cert yes
List the certificate(s) in the keystore
$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd
Certificates in database /opt/IBM/HTTPServer/ssl/key.kdb:
ic301.uk.ibm.com
List the certificate(s) in the keystore showing more detail, including default/trusted
$ /opt/IBM/HTTPServer/bin/gsk7capicmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd
/opt/IBM/HTTPServer/gsk7/bin/gsk7capicmd: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory
Oops - missing library :-)
$ yum install libstdc++.so.5
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package compat-libstdc++-33.i686 0:3.2.3-69.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================
Installing:
compat-libstdc++-33 i686 3.2.3-69.el6 rhel-x86_64-server-6 189 k
Transaction Summary
============================================================================================================================================================================================================
Install 1 Package(s)
Total download size: 189 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
compat-libstdc++-33-3.2.3-69.el6.i686.rpm | 189 kB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : compat-libstdc++-33-3.2.3-69.el6.i686 1/1
Installed products updated.
Verifying : compat-libstdc++-33-3.2.3-69.el6.i686 1/1
Installed:
compat-libstdc++-33.i686 0:3.2.3-69.el6
Complete!
Try again
$ /opt/IBM/HTTPServer/bin/gsk7capicmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw Passw0rd
Certificates found:
* default, - has private key, ! trusted
*-! ic301.uk.ibm.com
The job, she is a good 'un !!
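As an added check, not part of the original post: a small Python script that audits a certificate exported from the keystore for the three concerns raised above (self-signed, key shorter than 2048 bits, close to expiry). It assumes the certificate has been dumped with openssl (openssl x509 -in cert.pem -noout -subject -issuer -enddate -text, which the post itself does not use); the sample output below is constructed to match the 1024-bit, 12-month certificate created in the crib sheet, and the thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of what "openssl x509 -noout -subject -issuer -enddate -text"
# prints for a 1024-bit, 12-month self-signed certificate like the one above.
SAMPLE_OUTPUT = """\
subject=CN = ic301.uk.ibm.com, O = ibm
issuer=CN = ic301.uk.ibm.com, O = ibm
notAfter=Jan 10 09:30:00 2014 GMT
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
SAMPLE_NOW = datetime(2013, 12, 20)  # constructed "current" date for the sample

MIN_RSA_BITS = 2048  # assumed policy floor (IHS 8 supports 2048-bit natively)
WARN_DAYS = 30       # assumed warning window before expiry


def audit_cert_text(text, now):
    """Parse openssl x509 output and return findings for a keystore review."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    subject = field(r"^subject=(.*)$")
    issuer = field(r"^issuer=(.*)$")
    not_after = field(r"^notAfter=(.*)$")
    bits = field(r"Public-Key: \((\d+) bit\)")
    if not all([subject, issuer, not_after, bits]):
        raise ValueError("missing subject/issuer/notAfter/key size in openssl output")

    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
    days_left = (expires - now).days  # negative once the certificate has expired
    key_bits = int(bits)
    return {
        "self_signed": subject == issuer,  # issuer == subject: no CA signed it
        "key_bits": key_bits,
        "weak_key": key_bits < MIN_RSA_BITS,
        "days_left": days_left,
        "expiring_soon": days_left < WARN_DAYS,
    }


if __name__ == "__main__":
    for name, value in audit_cert_text(SAMPLE_OUTPUT, SAMPLE_NOW).items():
        print(f"{name}: {value}")
```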
*UPDATE 10 January 2013*
Note that the above point re 1024 bit certificates is relevant to IHS 7 and previous versions. IHS 8 natively supports 2048 bit certificates. Additionally, in IHS 8, the GSK command has been renamed to gskcapicmd.