9 replies Latest Post - ‏2012-06-01T15:32:49Z by SystemAdmin
SystemAdmin

Pinned topic IBM WAS 6.1 and SSL Digital Cert questions

2012-05-26T15:39:05Z
The purpose is SSL web access.
I encountered a problem when I try to import a cert through the ikeyman tool.

Existing Material:
1. JKS File (sent to CA Org)
2. .crt from CA Org
Problem:

IBM WAS seems to be able to import only .p12 certs (the .crt format is not supported)

It seems I need to convert the .crt to .p12 format

Online Tools
https://www.sslshopper.com/ssl-converter.html
I found this tool to convert it

OpenSSL:
openssl pkcs12 -export -in your_server_certificate.crt -out mapped_shared_location\server_cert.p12 -inkey your_server_private_key.key -name ibmhttp

Note: Note the location of the file server_cert.p12. This is the PKCS12 formatted file that is imported into the IBM SSL Key Management store

But the above solution needs a "private key".
How can I find this private key?

Thanks

Tony
Updated on 2012-06-01T15:32:49Z at 2012-06-01T15:32:49Z by SystemAdmin
  • SystemAdmin

    Re: IBM WAS 6.1 and SSL Digital Cert questions

    ‏2012-05-26T16:48:21Z  in response to SystemAdmin
    > But above solution need to have a "private Key"
    > How can I find this private key?

    The private key is created when you create a CSR. When the certificate is issued and you get a *.crt from the CA, you "receive" it, not "import" it in Ikeyman terms.
    • SystemAdmin

      Re: IBM WAS 6.1 and SSL Digital Cert questions

      ‏2012-05-26T17:17:03Z  in response to SystemAdmin
      Thanks for your reply, Eric,

      I use the following guide to generate the CSR:
      http://www.digicert.com/csr-creation-ibm-websphere.htm
      When I try to receive the cert which is provided by the CA.
      Is there any method to find the private key?

      When I press "Import" -> It can only choose .cer/.arm files -> and then I browse all types of file and choose my cert (.crt)

      It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
      Sorry, it is in Chinese, so I tried to translate this error message

      Tony
      • SystemAdmin

        Re: IBM WAS 6.1 and SSL Digital Cert questions

        ‏2012-05-26T17:56:57Z  in response to SystemAdmin
        > TonySin wrote:
        > Thanks for your reply, Eric,
        >
        > I use the following guide to generate the CSR:
        > http://www.digicert.com/csr-creation-ibm-websphere.htm
        >
        >
        > When i try to receive the cert which is provide from the CA.
        > Is it any method to find the private key?
        >
        > When I press "Import" -> It only can choose .cer/ .arm files-> and then i browse all type of file and choose my cert (.crt)

        Import and Receive are different. Import does not prompt you for .cer/arm, but receive would.

        > It shows a error something like "Receive the cert error, the cert. request is not in the key datastore"
        > Sorry, it is in Chinese, so i try to translate this error message

        There's only one FAQ matching that.

        http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#CERTREQNOTFOUND
        • SystemAdmin

          Re: IBM WAS 6.1 and SSL Digital Cert questions

          ‏2012-05-27T05:03:19Z  in response to SystemAdmin
          > When I press "Import" -> It only can choose .cer/ .arm files-> and then i browse all type of file and choose my cert (.crt)

          Import and Receive are different. Import does not prompt you for .cer/arm, but receive would
          <-- Yes, it is my typo, I mean "import", it can only import .cer/arm.

          When I try to choose my .crt, it shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"

          > It shows a error something like "Receive the cert error, the cert. request is not in the key datastore"
          > Sorry, it is in Chinese, so i try to translate this error message

          There's only one FAQ matching that.

          http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#CERTREQNOTFOUND

          Should be this error

          Ikeyman: Certificate Request Not Found

          Certificates can only be received into the KDB where the request was originally created. Attempting to duplicate the parameters of a previously submitted certificate request in a new KDB will not allow you to receive the certificate in the new KDB.
          Solution: Receive certificate into the KDB that made original request or resubmit certificate request.

          Should I generate a new CSR and submit it again?

          Here are our CA's instructions:
          http://www.digicert.com/csr-creation-ibm-websphere.htm

          Does it need any additional procedure?
          Thanks

          Tony
          • Sunit

            Re: IBM WAS 6.1 and SSL Digital Cert questions

            ‏2012-05-29T13:31:34Z  in response to SystemAdmin
            If you created a request to be sent to the CA for a new certificate, then you should see that request in the "Personal Certificate Request". If you do not, then you will get a message like "matching request not found".

            If you see the request, then go to the "Personal Certificates" tab, click on Receive, and then point to the file you received from your CA.

            If you do not see the request in your database, then you should generate a new request, send it to the CA, get the file back from the CA, and then receive it in your database.

            • Sunit
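
The FAQ text and the answer above both come down to one fact: a certificate can only be received into the key database that created the request, because that database holds the matching private key. As an added example (not from the thread or from IBM's documentation), this script uses openssl to check whether a certificate's public key matches a given CSR; the file names, the subject and the self-signed stand-in for the CA are constructed, and PEM-encoded files are assumed.

```shell
#!/bin/sh
# Added example: does a CA-issued certificate belong to a given CSR?
# Every file name and subject used here is constructed for illustration.

# Print the SHA-256 digest of the public key inside a PEM certificate.
cert_pubkey_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Print the SHA-256 digest of the public key inside a PEM CSR.
csr_pubkey_digest() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Exit 0 only when the certificate was issued for this CSR's key pair.
cert_matches_csr() {
    c=$(cert_pubkey_digest "$1") || return 1
    r=$(csr_pubkey_digest "$2") || return 1
    [ "$c" = "$r" ]
}

# Constructed samples: two requests with identical parameters but separate
# key pairs, as happens when a request is re-created in a new key database.
make_samples() {
    dir=$1
    for n in original recreated; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
            -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
    done
    # Stand-in for the CA: self-sign the original request for one day.
    openssl x509 -req -in "$dir/original.csr" -signkey "$dir/original.key" \
        -days 1 -out "$dir/server.crt" 2>/dev/null
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for csr in original recreated; do
    if cert_matches_csr "$tmp/server.crt" "$tmp/$csr.csr"; then
        echo "$csr.csr: certificate matches this request"
    else
        echo "$csr.csr: certificate was NOT issued for this request"
    fi
done
rm -rf "$tmp"
```
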
            • SystemAdmin

              Re: IBM WAS 6.1 and SSL Digital Cert questions

              ‏2012-05-30T15:14:25Z  in response to Sunit
              Thanks Sunit,

              I recreated a CSR and it can "Receive" and view the cert.

              Does it mean it was imported successfully?

              Thanks

              Tony
              • Sunit

                Re: IBM WAS 6.1 and SSL Digital Cert questions

                ‏2012-05-30T22:19:08Z  in response to SystemAdmin
                Once you receive the certificate from CA, you should be able to view it in the personal certificates tab. Once it is there it is ready for use.

                • Sunit
      • SystemAdmin

        Re: IBM WAS 6.1 and SSL Digital Cert questions

        ‏2012-05-26T18:06:19Z  in response to SystemAdmin
        Thanks for your reply, Eric,

        Revised:

        I use the following guide to generate the CSR:
        http://www.digicert.com/csr-creation-ibm-websphere.htm

        Is there any method to find the private key? In the whole procedure, I only get a .arm, .jks file

        When I try to receive the cert which is provided by the CA.

        When I press "Import" -> It can only choose .cer/.arm files -> and then I browse all types of file and choose my cert (.crt)

        It shows an error, something like "Receive the cert error, the cert. request is not in the key datastore"
        Sorry, it is in Chinese, so I tried to translate this error message

        Tony