Saturday, 17 October 2015

IBM HTTP Server - Working with Default Certificates issued by a Certificate Authority

I'm working through a process to have IBM HTTP Server (IHS) and WebSphere Application Server (WAS) use certificates minted by a Certificate Authority, specifically Microsoft Windows Server 2008, rather than using so-called self-signed certificates.

In the past, the bulk of my experience has been using self-signed certificates in IHS, although I did do some work with a client ~4-5 years ago where we were using CA-signed certificates.

Equally, I've only ever had WAS act as a certificate signer, which has been the default for ages. In this regard, WAS is the signer, and takes care of issuing and replacing certificates throughout the cell.

However, on my current project, we have a requirement to use CA-signed certificates throughout the estate.

Therefore, whilst I've made some great progress with WAS using Windows CA-signed certificates ( about which I'll blog later ), I did hit a roadblock with IHS.

I started by creating a Certificate Signing Request (CSR) as follows: -

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA

and sent the resulting wasdemo.uk.ibm.com.arm file to my Windows Server box.

Once I'd created the certificate, I got back a file from the CA in the PKCS7 format - certnew.p7b.

Initially I imported this file into IHS' key store, and I was able to list it: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
- wasdemo.uk.ibm.com


which was fine.

I then set the certificate to be the default: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

However, when I attempted to validate that the certificate was default, I still saw this: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
- wasdemo.uk.ibm.com


and, worse still, this was what I saw when I queried the default certificate within the key store: -

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

CTGSK3029W The database does not contain a certificate with label "GSKCAPICMD_TXT_DEFAULT" 

-Command usage-
-db                   Required
-pw | -stashed        Optional
-type                 Optional <cms | kdb | pkcs12 | p12>

Long story short, it was a PEBCAK.

I was doing it wrong ....

This was what I should've done ....

Take it from the top ....

Create the Keystore

/opt/ibm/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash

Create the CSR

/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA

List the Certificates - of which there should be none

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

No certificates were found.

Add the root certificate ( obtained from the Windows box )

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file certnew.cer -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show the root certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com

Note the symbol ( ! ) to show that the root certificate is trusted

Receive the Personal Certificate for IHS

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -receive -file certnew.p7b -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show both certificates

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
- wasdemo.uk.ibm.com


Note the symbol ( - ) to show that the certificate is personal
Also note that the personal certificate is NOT shown as default - it has no asterisk ( * ) symbol next to it

Set the personal certificate to be default

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

List the Certificates - should now show trusted root and default personal certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*- wasdemo.uk.ibm.com


Validate the Default Certificate

/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd

Label : wasdemo.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 125e65d100000000001d
Issuer : CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Subject : CN=wasdemo.uk.ibm.com
Not Before : 17 October 2015 19:32:02 GMT+01:00
Not After : 16 October 2017 19:32:02 GMT+01:00
Fingerprint : 
b6c9614bd8f7c6747040b9d5450d143d
a028d430

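An added example, not part of the original post: a small Python checker that parses the gskcapicmd -cert -list output format shown above and reports which step of the sequence is still missing, so the "personal certificate present, no trusted signer, no default" state from the first attempt is caught before IHS is started. The two sample listings are constructed from the outputs above rather than captured from a live key store.

```python
import re

# Flag characters as printed in the gskcapicmd legend line:
#   * default, - personal, ! trusted, # secret key
FLAGS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret"}

def parse_cert_list(output: str) -> list:
    """Return [(label, {flags})] from `gskcapicmd -cert -list` output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the banner, the legend line and the empty-store message.
        if not line or line.startswith(("Certificates found", "* default,", "No certificates")):
            continue
        m = re.match(r"^([*\-!#]+)\s+(.+)$", line)
        if m:
            entries.append((m.group(2), {FLAGS[c] for c in m.group(1)}))
    return entries

def check_keystore(output: str, label: str) -> list:
    """List what is wrong; empty means a trusted signer plus a default personal cert."""
    entries = parse_cert_list(output)
    problems = []
    if not any("trusted" in flags for _, flags in entries):
        problems.append("no trusted signer: add the CA root with -cert -add before -cert -receive")
    mine = [flags for lbl, flags in entries if lbl == label and "personal" in flags]
    if not mine:
        problems.append(f"no personal certificate labelled {label}: run -cert -receive")
    elif "default" not in mine[0]:
        problems.append(f"{label} is not default: run -cert -setdefault -label {label}")
    defaults = [lbl for lbl, flags in entries if "default" in flags]
    if len(defaults) > 1:
        problems.append("more than one default certificate: " + ", ".join(defaults))
    return problems

# Constructed samples modelled on the listings in the post (not real captures).
WRONG_STATE = """Certificates found
* default, - personal, ! trusted, # secret key
- wasdemo.uk.ibm.com
"""
GOOD_STATE = """Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*- wasdemo.uk.ibm.com
"""

if __name__ == "__main__":
    for name, listing in (("wrong", WRONG_STATE), ("good", GOOD_STATE)):
        print(name, check_keystore(listing, "wasdemo.uk.ibm.com") or ["OK"])
```

Pipe the real listing in with gskcapicmd -cert -list ... | python3 check.py-style wrapper, or paste it into the constants, to get the same verdict on a live key store.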

Now when I start IHS and access it via Internet Explorer from the Windows server itself, it all works and, more importantly, the browser trusts IHS and doesn't show any exceptions re untrusted certificates.

Which is nice ...

1 comment:

Joe Fiorentino said...

I realize this is very old, but I'm having an issue with adding a cert and making it the default. Apparently they have deprecated the -setdefault command and it can no longer be used! Docs say to "Use the explicit label of the desired certificate/key instead.". Not sure what that means, so hoping you've come across needing to do this?
