Monday, 22 September 2014

IBM HTTP Server / IBM Global Security Toolkit - Commanding the line ...

One of my colleagues was looking for inspiration, without too much perspiration, in order to create an SSL/TLS Certificate Service Request (CSR) using IBM HTTP Server and the Global Security Toolkit (GSK).

He was hoping to use the GUI tool, IKeyMan, but I tried very hard to persuade him that GUIs are for WIMPs, and that the command-line tool, gskcapicmd is the way to go ( whilst IHS also has ikeycmd, that relies upon a Java Runtime Environment, which may not always be available, especially on a production IHS server ).

Specifically, he wanted to set the Subject Alternate Name (SAN).

subjectAltName (SAN) is an extension to X.509 that allows various values to be associated with a security certificate.[1] These values are called "Subject Alternative Names", or SANs. Names include:[2]

• e-mail addresses
• IP addresses
• URIs
• DNS names (Otherwise often given as a Common Name RDN within the Subject)
• directory names (alternative Distinguished Names to that given in the Subject)
• other names, given as a General Name: an registered Object identifier followed by a value

This is easily done via the ikeyman GUI: -


and my colleague wanted to know how to achieve the same using gskcapicmd.

Here's my conclusion: -

/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"

This results in a nice little file: -

-rw-r--r--   1 wasadmin mqm        1009 Sep 22 15:44 foobar.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICqjCCAZICAQAwHTEbMBkGA1UEAxMSd3d3LmZvb2Jhci5pYm0uY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr5hUIlJdYS9b+cWOCow56g1g2Wt
sfL0OsFWtXyjPjFBDgVxFhKgXwdti9qsnb6nmb0zJMXa4s09PBQpCtTVl0p9YlAL
JZZS9kCfg8W1/LGMcud5GpjJQ8F0Jxkt7CC32YXaDIN1FfgCkjwFafb8RoJx1u2S
xDZMgOhdCCwIz4tz6CH9UhyjFv+Dpp6m05lJ9DnPfzwqaheLnvZMOH7B9jkZQdXR
QrATLy7RkHGHfYRepb+ReTiyU4jHVN9WPiieS3rv8RIj39639IeWh9erqAMBNG+z
Co/TzRRC7Nm5GonlzWozBV9QqrR2SjcLLmfmBcYlGOG24b9xJjactOIKbwIDAQAB
oEgwRgYJKoZIhvcNAQkOMTkwNzA1BgNVHREELjAsgRBhZG1pbkB1cy5pYm0uY29t
hwTAqAHdghJ3d3cuZm9vYmFyLmlibS5jb20wDQYJKoZIhvcNAQEFBQADggEBAFGi
I7umaDAWHzu7VTRbdjdmEbHiGHaojfTOSFUyP4NV8YvcgszVNVE8cEGzTcXUmcdV
/RZJv0GvPx5VGdAfgB/aQBP3Z9JekJS1VEJN9T7E5nyDqJDkobGUVUJVKjWT9lt0
YfrF6g5AQtV1uT3yvx5EkyWCG7jGOBlJOb550wGAVgMnNV32GtzP6v0z2sWUDVHR
ypuu/TaWD9iG0+M5EMVIABuUslnc2LjtTM8sr26UR2UcQJYxkcTXXHVwmaNdjlm1
AkYJfYGgMm6G4smZWfUjC43QkLhsnNkgLSiAYuzVlrn6xJZ98BzfyYgvX40RwAdN
UPKFJdZz3etLIH9+IRs=
-----END NEW CERTIFICATE REQUEST-----


which can then be sent off to the Certificate Authority (CA) for action.

Some required reading: -




No comments: