I saw the same problem earlier today.
This time around, the problem was simpler to resolve.
I'd previously created a Certificate Request: -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2
Alas, I had to re-run the Cert. Req. process because the first certificate had failed validation, within a browser (IE 11), because I'd neglected to include the Service Name (aka VIP) in the Subject Alternative Name (SAN) field.
For the record, this tied up with an issue I saw last year: -
So I re-ran the Cert. Req. process
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com
Alas, this failed: -
CTGSK3039W Certificate request "ibmbpm.uk.ibm.com" could not be created.
After some trial, a bit of error, and some success … I found the solution.
The problem was that, whilst this was a newish Certificate Request ( I no longer had any Cert Reqs in the KDB ) : -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -list -db /opt/ibm/HTTPServer/ssl/keystore.kdb -stashed
No certificate requests were found
the label field used in the Certificate Request is more important than I'd realised.
In essence, the certificate that I added to the KDB as a result of the Cert. Req. was still in the KDB, with the same label - ibmbpm.uk.ibm.com.
I proved this by creating a Cert. Req. with a different label: -
/opt/ibm/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/ibm/HTTPServer/ssl/keystore.kdb -pw passw0rd -label ibmbpm.uk.ibm.com2 -dn "CN=ibmbpm.uk.ibm.com,O=middleware,OU=IBM,L=Hursley,S=Hampshire,C=UK" -file /home/wasadmin/ibmbpm.uk.ibm.com.req -size 2048 -sigalg SHA256WithRSA -san_dnsname ihs1.uk.ibm.com,ihs1,ihs2.uk.ibm.com,ihs2,ibmbpm.uk.ibm.com
Having realised this, I removed the certificate from the KDB, re-ran the Cert. Req. process using the original label, and we're all good to go.
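As an added example (not part of the original post): a pre-flight check for the label collision described above, to run before `-certreq -create`. It assumes that `gskcapicmd -cert -details` exits non-zero when no certificate in the KDB carries the label; `label_has_cert` and `check_label_free` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: check whether a label is already taken by a certificate
# in the KDB before creating a certificate request under that label.
# Assumption: "gskcapicmd -cert -details -label <label>" exits non-zero
# when the KDB holds no certificate with that label.
# Uses -stashed (as in the -certreq -list call above) so the keystore
# password does not appear on the command line.
GSKCMD="${GSKCMD:-/opt/ibm/HTTPServer/bin/gskcapicmd}"

# Return 0 if a certificate with this label is already in the KDB.
# usage: label_has_cert <kdb> <label>
label_has_cert() {
    "$GSKCMD" -cert -details -db "$1" -stashed -label "$2" >/dev/null 2>&1
}

# Return 0 if a request can be created under this label, 1 otherwise.
# usage: check_label_free <kdb> <label>
check_label_free() {
    if label_has_cert "$1" "$2"; then
        echo "Label '$2' is already used by a certificate in $1;" >&2
        echo "remove that certificate or choose another label first." >&2
        return 1
    fi
    return 0
}
```

For the keystore in this post the call would be `check_label_free /opt/ibm/HTTPServer/ssl/keystore.kdb ibmbpm.uk.ibm.com`.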