I'm working through a process to have IBM HTTP Server (IHS) and WebSphere Application Server (WAS) use certificates minted by a Certificate Authority, specifically Microsoft Windows Server 2008, rather than using so-called self-signed certificates.
In the past, the bulk of my experience has been using self-signed certificates in IHS, although I did do some work with a client ~4-5 years ago where we were using CA-signed certificates.
Equally, I've only ever had WAS act as a certificate signer, which has been the default for ages. In this regard, WAS is the signer, and takes care of issuing and replacing certificates throughout the cell.
However, on my current project, we have a requirement to use CA-signed certificates throughout the estate.
Therefore, whilst I've made some great progress with WAS using Windows CA-signed certificates ( about which I'll blog later ), I did hit a roadblock with IHS.
I started by creating a Certificate Signing Request (CSR) as follows: -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA
and sent the resulting wasdemo.uk.ibm.com.arm file to my Windows Server box.
Once the CA had issued the certificate, I got back a file from it in PKCS7 format, certnew.p7b.
Initially I imported this file into IHS' key store and was able to list it: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
which was fine.
I then set the certificate to be the default: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
However, when I attempted to validate that the certificate was default, I still saw this: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
and, worse still, this was what I saw when I queried the default certificate within the key store: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
CTGSK3029W The database does not contain a certificate with label "GSKCAPICMD_TXT_DEFAULT"
-Command usage-
-db Required
-pw | -stashed Optional
-type Optional <cms | kdb | pkcs12 | p12>
Long story short, it was a PEBCAK.
I was doing it wrong ....
The working sequence below differs from what I did first in the order of the steps and in the command used to take in the CA's reply: the issuing CA's own certificate must be in the key store as a trusted signer before the reply is processed, and the PKCS7 reply must be brought in with -cert -receive, which matches the issued certificate to the private key that -certreq -create generated for the pending request. A certificate that is merely added with -cert -add is stored as a signer with no private key behind it, so it is not a personal certificate and cannot be the server's default.
This was what I should've done, from the top ....
Create the Keystore
/opt/ibm/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash
The -stash option writes the password to a stash file (keystore.sth) next to the key store so that IHS can open it at start-up; once that file exists, the remaining commands can use -stashed in place of -pw passw0rd, which keeps the password out of shell history and process listings. Give the .kdb and .sth files the same file permissions you would give a private key, because together they are one.
Create the CSR
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA
This request carries only a CN. Browsers match the host name against the Subject Alternative Name rather than the CN, so for anything beyond a demo add the host name(s) to the request with -san_dnsname as well.
List the Certificates - of which there should be none yet; the pending request is held separately from the certificates and can be shown with -certreq -list
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
No certificates were found.
Add the root certificate ( obtained from the Windows box ) - this is the CA's own certificate, exported from the Windows CA as certnew.cer; it has to be in the key store before the CA's reply is received so that the issued certificate's chain can be validated
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file certnew.cer -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
List the Certificates - should now show the root certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Note the symbol ( ! ) to show that the root certificate is trusted
Receive the Personal Certificate for IHS
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -receive -file certnew.p7b -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
List the Certificates - should now show both certificates
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
- wasdemo.uk.ibm.com
Note the symbol ( - ) to show that the certificate is personal
Also note that the personal certificate is NOT shown as default - it has no asterisk ( * ) symbol next to it
Set the personal certificate to be default
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
IHS presents the key store's default certificate unless httpd.conf names a label explicitly with the SSLServerCert directive; where one key store holds several personal certificates, naming the label there is the less surprising choice.
List the Certificates - should now show trusted root and default personal certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*- wasdemo.uk.ibm.com
Validate the Default Certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Label : wasdemo.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 125e65d100000000001d
Issuer : CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Subject : CN=wasdemo.uk.ibm.com
Not Before : 17 October 2015 19:32:02 GMT+01:00
Not After : 16 October 2017 19:32:02 GMT+01:00
Fingerprint : b6c9614bd8f7c6747040b9d5450d143da028d430
Now when I start IHS and access it via Internet Explorer from the Windows server itself, it all works and, more importantly, the browser trusts IHS and doesn't show any warnings about untrusted certificates.
That is because the browser on the CA's own server already has the CA's root certificate in its trusted store; a client that does not ( a machine outside the domain, or a browser that keeps its own trust store ) will still warn until that root certificate has been distributed to it.
Which is nice ...
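Before the -cert -receive step above, it is worth confirming that what the CA sent back really is the certificate for the key you generated and that it chains to the root certificate you are about to add; a mismatch at either point is what leaves you with a signer-only entry and no usable personal certificate. The script below is an added example of that check and is not code from the original post: it uses openssl rather than gskcapicmd, the helper names are my own, and the file names in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the CA's
# reply before "gskcapicmd -cert -receive" is run against the key store.
# Needs only openssl. File names below are placeholders / the post's names.
set -eu

# pem_from_p7b P7B OUT
# Extract the certificate(s) from a PKCS#7 bundle such as certnew.p7b, which a
# Windows CA may hand out as DER or as base64 PEM: try PEM first, then DER.
pem_from_p7b() {
  openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# SHA-256 over the DER SubjectPublicKeyInfo, so two keys compare as one string.
spki_digest() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
# Public key in a CSR (gskcapicmd's .arm file is a PEM request; openssl reads it).
csr_pubkey()  { openssl req  -in "$1" -noout -pubkey | spki_digest; }
# Public key in an X.509 certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey | spki_digest; }

# check_issued CSR CERT_PEM CA_PEM
# Succeeds only when
#  (a) the issued certificate carries the public key from the CSR, so the key
#      store can pair it with the private key of the pending request, and
#  (b) the certificate verifies against the CA certificate that will be added
#      as the trusted signer (the certnew.cer step in the post).
check_issued() {
  if [ "$(csr_pubkey "$1")" != "$(cert_pubkey "$2")" ]; then
    echo "public key in $2 does not match the CSR $1" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "$2 does not chain to $3" >&2
    return 1
  fi
  echo "ok: $2 matches $1 and chains to $3"
}

# Usage, with the file names from the post:
#   pem_from_p7b certnew.p7b issued.pem
#   check_issued wasdemo.uk.ibm.com.arm issued.pem certnew.cer
```

print_certs writes every certificate in the bundle, so if the Windows CA included its own certificate in the PKCS7 reply, split the output and pass the server certificate to check_issued; openssl x509 only reads the first certificate in a file.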
1 comment:
I realize this is very old, but I'm having an issue with adding a cert and making it the default. Apparently they have deprecated the -setdefault command and it can no longer be used! Docs say to "Use the explicit label of the desired certificate/key instead.". Not sure what that means, so hoping you've come across needing to do this?