With thanks to Mike Whale and his excellent blog post, from which I have reused this content.
This article describes how to create an SSL Certificate Authority (CA) using IBM HTTP Server 8.0.0.5, and then generate and use certificates signed by this CA. Alternatively, an organisation would go to a public CA such as Verisign, or use its own internal CA.
Create a CA keystore
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.jks -type jks
Create a CA
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.jks -label myca -dn "cn=test,o=IBM" -ca true
Create a client keystore
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.jks -type jks
Create a CSR
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.jks -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"
Sign the CSR using the CA
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.jks -label myca -file /tmp/certreq.arm
Import the signed certificate into the client keystore
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.jks -file cert.arm
Extract the root CA certificate from the CA keystore
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.jks -label myca -target test.cer -type jks
Import the root CA certificate into the client keystore
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.jks -label myca -file test.cer
Convert the client keystore into KDB (PKCS12) format so that the password can be stashed (required for IHS to use the keystore)
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -convert -db client.jks -pw passw0rd -target client.kdb -new_pw passw0rd -old_format jks -new_format kdb -stash
Note: The only reason that I chose to create the keystore in JKS format was to follow Mike's instructions - I could've simplified things by creating the keystore in KDB format from the outset.
Start IHS
/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf
NOTE: -
If you see: -
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
in Chrome or: -
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
in Firefox, and see: -
[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd6c0028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60917 -> 192.168.8.162:8443] [12:52:31.320280]
[Tue Apr 16 12:52:31 2013] [error] [client 192.168.8.1] [7fcd700028d0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60919 -> 192.168.8.162:8443] [12:52:31.434908]
[Tue Apr 16 12:52:53 2013] [error] [client 192.168.8.1] [1d8fd90] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60940 -> 192.168.8.162:8443] [12:52:53.449571]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60944 -> 192.168.8.162:8443] [12:52:59.432844]
[Tue Apr 16 12:52:59 2013] [error] [client 192.168.8.1] [7fcd600093c0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60943 -> 192.168.8.162:8443] [12:52:59.433801]
[Tue Apr 16 12:54:31 2013] [error] [client 192.168.8.1] [7fcd740128b0] [25302] SSL0223E: SSL Handshake Failed, No certificate. [192.168.8.1:60961 -> 192.168.8.162:8443] [12:54:31.636000]
etc.
in IHS error.log, then you don't have a default certificate set: -
Listing certificates to confirm what is default / trusted
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb
Certificates found
* default, - personal, ! trusted
! myca
- clientcert
Set the clientcert certificate as default
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb
Listing certificates to confirm what is default / trusted
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db client.kdb
Certificates found
* default, - personal, ! trusted
! myca
*- clientcert
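The default-certificate check above can be scripted. The following is an added example, not part of the original post: a shell function that reads `gskcapicmd -cert -list` output on stdin and prints the label of the default certificate, failing when no entry carries the `*` flag. The function names are this example's own, and the two sample listings are copied from the output shown above.

```shell
#!/bin/sh
# Added example: find the default certificate in `gskcapicmd -cert -list` output.
# Flag legend printed by the tool: * default, - personal, ! trusted.

# default_cert_label: reads a listing on stdin and prints the default label.
# Exit status is 0 if a default certificate exists, 1 otherwise.
default_cert_label() {
    awk '
        # Skip the banner and the legend line (the legend itself starts with "*").
        /^Certificates found/ || /default, .*personal, .*trusted/ { next }
        # An entry is a run of flag characters, whitespace, then the label.
        /^[ \t]*[*!-]+[ \t]/ {
            flags = $1
            label = $0
            sub(/^[ \t]*[*!-]+[ \t]+/, "", label)
            if (index(flags, "*") > 0) { print label; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed samples: the listings from this post, before and after -setdefault.
LIST_BEFORE='Certificates found
* default, - personal, ! trusted
! myca
- clientcert'
LIST_AFTER='Certificates found
* default, - personal, ! trusted
! myca
*- clientcert'

# report_default: hypothetical wrapper that turns the result into a message.
report_default() {
    if label=$(printf '%s\n' "$1" | default_cert_label); then
        echo "default certificate: $label"
    else
        echo "no default certificate set: expect SSL0223E on every handshake"
        return 1
    fi
}

report_default "$LIST_BEFORE" || true
report_default "$LIST_AFTER"
```

Against a live keystore, pipe the output of the `gskcapicmd -cert -list -db client.kdb` command shown above into `default_cert_label`.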
Inspecting certificates
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label myca
Label : myca
Key Size : 1024
Version : X509 V3
Serial : 516d3a0f
Issuer : CN=test,OU=test,O=IBM
Subject : CN=test,OU=test,O=IBM
Not Before : 16 April 2013 12:46:23 GMT+01:00
Not After : 16 April 2014 12:46:23 GMT+01:00
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
F6 9A C2 43 57 D8 90 07 B1 C2 5F CC 02 9F CB D6
15 C0 5E 6C
Fingerprint : MD5 :
A6 81 9C 1E 61 7C 52 17 3D B1 D0 90 C5 84 1D 78
Fingerprint : SHA256 :
21 F0 B8 4B A9 9A C9 B4 40 E3 C3 39 1E C5 95 F0
5B D0 79 70 65 67 D1 50 C5 1C E6 9E 96 1E 5B F5
Extensions
basicConstraints
ca = true
pathLen = 2147483647
critical
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db client.kdb -label clientcert
Label : clientcert
Key Size : 1024
Version : X509 V3
Serial : 516d3a27
Issuer : CN=test,OU=test,O=IBM
Subject : CN=clienttest,OU=test,O=IBM
Not Before : 16 April 2013 12:46:47 GMT+01:00
Not After : 16 April 2014 12:46:47 GMT+01:00
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
1B 33 B7 0A 1D 33 29 F2 6E 56 81 55 92 CB 48 DC
D3 2F 16 90
Fingerprint : MD5 :
C4 64 E5 08 AA F0 AE 65 5A 7A 12 12 21 55 7C 19
Fingerprint : SHA256 :
54 A4 41 37 25 65 8F 28 FE 4B 97 37 DE 3A 4D 97
80 F4 FF C0 8D BA 92 D2 51 F8 4D 4B 69 BD BA 69
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled
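Both certificates above report a 1024-bit key and a SHA1WithRSASignature signature, which current clients and policies generally reject. The following is an added example, not part of the original post: a shell function that reads `gskcapicmd -cert -details` output and flags those two parameters. It assumes the "Name : value" layout shown above and RSA keys; the function name and the `newcert` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak parameters in `gskcapicmd -cert -details` output.
# Assumes the "Name : value" layout shown in this post and RSA keys.

# audit_cert_details: reads details output on stdin, prints one finding per
# line, and exits 1 if anything was flagged (0 if nothing was).
audit_cert_details() {
    awk -F' *: *' '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == "Label" { label = $2 }
        key == "Key Size" && ($2 + 0) < 2048 {
            printf "%s: %d-bit key is below 2048 bits\n", label, $2
            bad = 1
        }
        key == "Signature Algorithm" {
            split($2, alg, " ")            # drop the trailing "(OID)"
            if (alg[1] ~ /^(SHA1|MD5|MD2)With/) {
                printf "%s: %s relies on a deprecated hash\n", label, alg[1]
                bad = 1
            }
        }
        END { exit(bad ? 1 : 0) }
    '
}

# Sample copied from the clientcert output above (hex blocks omitted).
DETAILS_PAGE='Label : clientcert
Key Size : 1024
Version : X509 V3
Serial : 516d3a27
Issuer : CN=test,OU=test,O=IBM
Subject : CN=clienttest,OU=test,O=IBM
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Trust Status : Enabled'

# Constructed sample of a certificate that passes both checks.
DETAILS_STRONG='Label : newcert
Key Size : 2048
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)'

printf '%s\n' "$DETAILS_PAGE" | audit_cert_details || echo "weak parameters found"
printf '%s\n' "$DETAILS_STRONG" | audit_cert_details && echo "newcert: ok"
```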
Additional Notes
For the record, here's a similar set of instructions, but using KDB (PKCS12) instead of JKS from the outset, avoiding the need for conversion: -
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db CA.kdb -stash
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db CA.kdb -label myca -dn "cn=test,o=IBM" -ca true
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -keydb -create -db client.kdb -stash
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -certreq -create -db client.kdb -label clientcert -file /tmp/certreq.arm -dn "cn=clienttest,o=IBM"
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -sign -db CA.kdb -label myca -file /tmp/certreq.arm
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -receive -db client.kdb -file cert.arm
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -extract -db CA.kdb -label myca -target test.cer
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db client.kdb -label myca -file test.cer
/opt/IBM/HTTPServer/bin/apachectl -k restart -f /opt/IBM/HTTPServer/confext/httpd.conf
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -setdefault -label clientcert -db client.kdb