I'm working through a process to have IBM HTTP Server (IHS) and WebSphere Application Server (WAS) use certificates minted by a Certificate Authority, specifically Microsoft Windows Server 2008, rather than using so-called self-signed certificates.
In the past, the bulk of my experience has been using self-signed certificates in IHS, although I did do some work with a client ~4-5 years ago where we were using CA-signed certificates.
Equally, I've only ever had WAS act as a certificate signer, which has been the default for ages. In this regard, WAS is the signer, and takes care of issuing and replacing certificates throughout the cell.
However, on my current project, we have a requirement to use CA-signed certificates throughout the estate.
Therefore, whilst I've made some great progress with WAS using Windows CA-signed certificates (about which I'll blog later), I did hit a roadblock with IHS.
I started by creating a Certificate Signing Request (CSR) as follows: -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA
and sent the resulting wasdemo.uk.ibm.com.arm file to my Windows Server box.
Once I'd had the CA issue the certificate, I got back a file in PKCS#7 format - certnew.p7b.
Initially I imported this file into the IHS key store and was able to list it: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
which was fine.
I then set the certificate to be the default: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
However, when I attempted to validate that the certificate was default, I still saw this: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
and, worse still, this was what I saw when I queried the default certificate within the key store: -
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
CTGSK3029W The database does not contain a certificate with label "GSKCAPICMD_TXT_DEFAULT"
-Command usage-
-db Required
-pw | -stashed Optional
-type Optional <cms | kdb | pkcs12 | p12>
Long story short, it was a PEBCAK.
I was doing it wrong ....
This was what I should've done ....
Take it from the top ....
Create the Keystore
/opt/ibm/HTTPServer/bin/gskcapicmd -keydb -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -type cms -expire 3650 -stash
Create the CSR
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label wasdemo.uk.ibm.com -dn cn=wasdemo.uk.ibm.com -file /home/wasadmin/wasdemo.uk.ibm.com.arm -size 2048 -sigalg SHA256WithRSA
List the Certificates - of which there should be none
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
No certificates were found.
Add the root certificate (obtained from the Windows box)
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -add -file certnew.cer -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
List the Certificates - should now show the root certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Note the symbol (!) showing that the root certificate is trusted
Receive the Personal Certificate for IHS
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -receive -file certnew.p7b -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
List the Certificates - should now show both certificates
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
- wasdemo.uk.ibm.com
Note the symbol (-) showing that the certificate is personal
Also note that the personal certificate is NOT shown as default - it has no asterisk (*) next to it
Set the personal certificate to be default
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -setdefault -label wasdemo.uk.ibm.com -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
List the Certificates - should now show trusted root and default personal certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*- wasdemo.uk.ibm.com
Validate the Default Certificate
/opt/ibm/HTTPServer/bin/gskcapicmd -cert -getdefault -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd
Label : wasdemo.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 125e65d100000000001d
Issuer : CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
Subject : CN=wasdemo.uk.ibm.com
Not Before : 17 October 2015 19:32:02 GMT+01:00
Not After : 16 October 2017 19:32:02 GMT+01:00
Fingerprint :
b6c9614bd8f7c6747040b9d5450d143d
a028d430
Now when I start IHS and access it via Internet Explorer from the Windows server itself, it all works and, more importantly, the browser trusts IHS and doesn't show any warnings about untrusted certificates.
Which is nice ...
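As an added example (not from the original post), here is a small POSIX shell pre-flight check that parses the "* default, - personal, ! trusted, # secret key" listing format shown above and reports which of the states walked through in this post a given label is in, so a deployment script can stop before IHS is started with the wrong certificate. It assumes the marker column is printed exactly as above, and the two listings inside the block are constructed from this post's output rather than read from a live key store.

```shell
#!/bin/sh
# Added example (not the post's code): classify a label in the output of
# "gskcapicmd -cert -list" and fail unless it is personal AND default.
# The listings at the bottom are constructed from the post's output; in
# real use pipe the live gskcapicmd output in instead of these variables.

# keystore_state LABEL   (gskcapicmd -cert -list output on stdin)
# Prints: default-personal | personal-not-default | trusted-only | missing
keystore_state() {
    label="$1"
    state="missing"
    while IFS= read -r line; do
        marker="${line%% *}"        # marker column, e.g. "*-", "-", "!"
        rest="${line#* }"           # the certificate label
        if [ "$rest" = "$label" ]; then
            case "$marker" in
                '*-'|'-*') state="default-personal" ;;
                '-')  if [ "$state" != "default-personal" ]; then state="personal-not-default"; fi ;;
                '!')  if [ "$state" = "missing" ]; then state="trusted-only"; fi ;;
            esac
        fi
    done
    printf '%s\n' "$state"
}

# ihs_keystore_ready LABEL LISTING -> 0 if IHS would serve LABEL, 1 otherwise,
# printing the matching step of the post's corrected procedure on stderr.
ihs_keystore_ready() {
    st=$(printf '%s\n' "$2" | keystore_state "$1")
    case "$st" in
        default-personal) return 0 ;;
        personal-not-default)
            echo "$1: personal but not default; run gskcapicmd -cert -setdefault -label $1" >&2 ;;
        trusted-only)
            echo "$1: stored as a signer only (no private key); use -cert -receive for the CA reply" >&2 ;;
        missing)
            echo "$1: not in the key store; create the CSR and receive the CA reply first" >&2 ;;
    esac
    return 1
}

# Constructed listings reproducing the two states shown in the post.
LISTING_BEFORE='Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
- wasdemo.uk.ibm.com'
LISTING_AFTER='Certificates found
* default, - personal, ! trusted, # secret key
! CN=uk-WIN-AJ9S32NP29C-CA,DC=uk,DC=ibm,DC=com
*- wasdemo.uk.ibm.com'
ihs_keystore_ready wasdemo.uk.ibm.com "$LISTING_BEFORE" || echo "before -setdefault: not ready"
ihs_keystore_ready wasdemo.uk.ibm.com "$LISTING_AFTER" && echo "after -setdefault: ready"
```

In practice you would run it as gskcapicmd -cert -list -db keystore.kdb -stashed | keystore_state wasdemo.uk.ibm.com from the IHS start script and abort on anything but default-personal.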
2 comments:
I realize this is very old, but I'm having an issue with adding a cert and making it the default. Apparently they have deprecated the -setdefault command and it can no longer be used! Docs say to "Use the explicit label of the desired certificate/key instead.". Not sure what that means, so hoping you've come across needing to do this?