but I finally have a much clearer idea of the problem, and the pukka solution.
When creating a self-signed SSL certificate in IHS, via a command such as: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,dc=uk,dc=ibm,c=com" -label "hostname.domain.co.uk" -default_cert yes
I'd end up with an exception: -
Initially, I thought that the problem was with the format of the Distinguished Name, so I used an escape character in front of each comma: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk\,dc=uk\,dc=ibm\,c=com" -label "hostname.domain.co.uk" -default_cert yes
which worked OK .... or so I thought.
However, when I looked at the certificate in Firefox, I noted that the Issuer contained an invalid Common Name (CN) - it actually held the DN: -
I spent a wee while digging around, and found that, if I instead used ikeycmd : -
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,o=domain,o=co,c=uk" -label "hostname.domain.co.uk" -default_cert yes
the certificate created with the correct Issuer.
Which is unusual.
I've experimented further, including: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,dc=domain,dc=co,dc=uk" -label "hostname.domain.co.uk" -default_cert yes
In other words, I continued to experiment with the format of the DN.
According to this document: -
the crucial thing is to ensure that the DN is formatted to a certain X.500 standard: -
-dn <dist_name>
The X.500 distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format (only CN is required):
For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
Multiple OU values are now supported. Simply add additional OU key\value pairs to the specified distinguished name. If the OU value requires a comma (',') then you must escape it with '\\'
For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US"
The X.500 distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format (only CN is required):
CN=common name
O=organization
OU=organization unit
L=location
ST=state, province
C=country
DC=domain component
EMAIL=email address
For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
Multiple OU values are now supported. Simply add additional OU key\value pairs to the specified distinguished name. If the OU value requires a comma (',') then you must escape it with '\\'
For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US"
Therefore, via trial and error, I've found a syntax that works for my client, and also works with GSK rather than depending upon ikeycmd, as hosting a JRE on a web server is typically a bad idea.
For evidence, please see the 39 Steps here: -
No comments:
Post a Comment