Topic
  • 9 replies
  • Latest Post - ‏2012-06-01T15:32:49Z by SystemAdmin
SystemAdmin
SystemAdmin
3908 Posts

Pinned topic IBM WAS 6.1 and SSL Digital Cert questions

‏2012-05-26T15:39:05Z |
The purpose is for SSL Web access.
I encountered a problem when I try to import a cert through the ikeyman tool.

Existing Material:
1. JKS File (sent to CA Org)
2. .crt from CA Org
Problem:

IBM WAS seems to only be able to import .p12 certs (the .crt format is not supported).

It seems I need to convert the .crt to .p12 format.

Online Tools
https://www.sslshopper.com/ssl-converter.html
I found this tool to convert it.

OpenSSL:
openssl pkcs12 -export -in your_server_certificate.crt -out mapped_shared_location\server_cert.p12 -inkey your_server_private_key.key -name ibmhttp

Note: Note the location of the file server_cert.p12. This is the PKCS12 formatted file that is imported into the IBM SSL Key Management store

But the above solution needs a "private key".
How can I find this private key?

Thanks

Tony
Updated on 2012-06-01T15:32:49Z at 2012-06-01T15:32:49Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-26T16:48:21Z  
    > But above solution need to have a "private Key"
    > How can I find this private key?

    The private key is created when you create a CSR. When the certificate is issued and you get a *.crt from the CA, you "receive" it, not "import" it in Ikeyman terms.
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-26T17:17:03Z  
    Thanks for your reply, Eric,

    I use the following guide to generate the CSR:
    http://www.digicert.com/csr-creation-ibm-websphere.htm
    When I try to receive the cert which is provided by the CA.
    Is there any method to find the private key?

    When I press "Import" -> it can only choose .cer/.arm files -> and then I browse all types of files and choose my cert (.crt)

    It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
    Sorry, it is in Chinese, so I tried to translate this error message

    Tony
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-26T17:56:57Z  
    > TonySin wrote:
    > Thanks for your reply, Eric,
    >
    > I use the following guide to generate the CSR:
    > http://www.digicert.com/csr-creation-ibm-websphere.htm
    >
    > When I try to receive the cert which is provided by the CA.
    > Is there any method to find the private key?
    >
    > When I press "Import" -> it can only choose .cer/.arm files -> and then I browse all types of files and choose my cert (.crt)

    Import and Receive are different. Import does not prompt you for .cer/arm, but receive would.

    > It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
    > Sorry, it is in Chinese, so I tried to translate this error message

    There's only one FAQ matching that.

    http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#CERTREQNOTFOUND
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-26T18:06:19Z  
    Thanks for your reply, Eric,

    Revised:

    I use the following guide to generate the CSR:
    http://www.digicert.com/csr-creation-ibm-websphere.htm

    Is there any method to find the private key? In the whole procedure, I only get a .arm, .jks file

    When I try to receive the cert which is provided by the CA.

    When I press "Import" -> it can only choose .cer/.arm files -> and then I browse all types of files and choose my cert (.crt)

    It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
    Sorry, it is in Chinese, so I tried to translate this error message

    Tony
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-27T05:03:19Z  
    > When I press "Import" -> it can only choose .cer/.arm files -> and then I browse all types of files and choose my cert (.crt)

    Import and Receive are different. Import does not prompt you for .cer/arm, but receive would
    <-- yes, it is my typo, I mean "import", it can only import .cer/arm.

    When I try to choose my .crt, it shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"

    > It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
    > Sorry, it is in Chinese, so I tried to translate this error message

    There's only one FAQ matching that.

    http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#CERTREQNOTFOUND

    It should be this error:

    Ikeyman: Certificate Request Not Found

    Certificates can only be received into the KDB where the request was originally created. Attempting to duplicate the parameters of a previously submitted certificate request in a new KDB will not allow you to receive the certificate in the new KDB.
    Solution: Receive certificate into the KDB that made original request or resubmit certificate request.

    Should I generate a new CSR and submit it again?

    Here are our CA's instructions:
    http://www.digicert.com/csr-creation-ibm-websphere.htm

    Does it need any additional procedure?
    Thanks

    Tony
  • Sunit
    Sunit
    199 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-29T13:31:34Z  
    If you created a request to be sent to CA for a new certificate then you should see that request in the "Personal Certificate Request". If you do not then you will get the message like "matching request not found".

    If you see the request then go to the "Personal Certificates" tab and click on receive and then point to the file you received from your CA.

    If you do not see the request in your database then you should generate a new request, send it to CA, get the file back from CA and then receive it in your database.

    • Sunit
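
A check that complements the answers above, as an added example (not part of the original thread and not IBM tooling): before receiving a .crt, compare its public key with the one in the certificate request (.arm) that is still pending in the key database. It assumes the .arm and .crt files are PEM (Base64) encoded; the file names, the throwaway keys and the self-signing step that stands in for the CA are constructed for the demo.

```shell
#!/bin/sh
# Added example: was this CA-issued certificate created from this request?
# Sample keys and files are constructed; names are placeholders.

# Print SHA-256 of the public key in a PEM file. $1 = req | x509, $2 = file.
pubkey_hash() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Return 0 only if the certificate ($1) carries the public key of the CSR ($2).
cert_matches_csr() {
    cert_hash=$(pubkey_hash x509 "$1") || return 2
    csr_hash=$(pubkey_hash req "$2") || return 2
    [ "$cert_hash" = "$csr_hash" ]
}

# Build constructed sample files in directory $1.
make_samples() {
    # Request that was sent to the CA (throwaway key, unencrypted for the demo).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/old.key" -out "$1/old.arm" 2>/dev/null || return 1
    # Request re-created later with the same subject: a different key pair.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/new.key" -out "$1/new.arm" 2>/dev/null || return 1
    # Stand-in for the CA: issue a certificate for the first request.
    openssl x509 -req -in "$1/old.arm" -signkey "$1/old.key" -days 1 \
        -out "$1/server.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir" || exit 1
for req in old.arm new.arm; do
    if cert_matches_csr "$dir/server.crt" "$dir/$req"; then
        echo "$req: public key matches server.crt"
    else
        echo "$req: different key pair, server.crt was not issued for this request"
    fi
done
rm -rf "$dir"
```

A mismatch means the certificate belongs to an earlier request whose private key lives in a different key database, which is the "Certificate Request Not Found" situation quoted in the thread.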
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-30T15:14:25Z  
    Thanks Sunit,

    I recreated a CSR and it can "Receive" and view the cert.

    Does it mean it was imported successfully?

    Thanks

    Tony
  • Sunit
    Sunit
    199 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-30T22:19:08Z  
    Once you receive the certificate from CA, you should be able to view it in the personal certificates tab. Once it is there it is ready for use.

    • Sunit
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-06-01T15:32:49Z  
    Thanks