Importing the CA certificate into the IBM HTTP Server keystore

You must import the certificates that you received from the Certificate Authority (CA) into the IBM® HTTP Server keystore and set the trusted certificate as the default certificate in the keystore.

Procedure

  1. Upload the CA certificate file and the root and intermediate certificate files to the /opt/IBM/HTTPServer/cert directory on the ICFM server for a single-server environment, or on the Core server for a three-server environment.
  2. To stop the IBM HTTP Server, run the following commands as the root user on the ICFM server for a single-server environment, or on the Core server for a three-server environment:
    cd /opt/IBM/HTTPServer/bin
    ./apachectl stop
    ./adminctl stop
  3. Any truststore that is used to validate the signatures of a certificate that is obtained from this certificate authority must have these signer certificates installed.

    Upload the root and intermediate signer certificates to the /opt/IBM/HTTPServer/cert directory. To import the signer certificates in order, from root to intermediate, run the following command once for each root and intermediate certificate:

    ./gskcmd -cert -add -type cms -db ../cert/key.kdb -pw db_password -label \
        label_name -trust enable -file ../cert/signer_cert_filename
    For example:
    cd /opt/IBM/HTTPServer/bin
    ./gskcmd -cert -add -type cms -db ../cert/key.kdb -pw password -label \
        "carootcert" -trust enable -file ../cert/carootcert.der
  4. To verify that the signer certificates were imported successfully, run the following command:
    ./gskcmd -cert -list -type cms -db ../cert/key.kdb -pw db_password
  5. To receive the CA certificate file into the IBM HTTP Server key database, run the following command:
    ./gskcmd -cert -receive -type cms -db ../cert/key.kdb -pw db_password -file ../cert/cert_filename -default_cert yes
    For example:
    ./gskcmd -cert -receive -type cms -db ../cert/key.kdb -pw password -file ../cert/icfmdev109ihs_cert.der -default_cert yes
  6. To verify that the CA certificate was loaded successfully, run the following command:
    ./gskcmd -cert -list -type cms -db ../cert/key.kdb -pw db_password
    For example:
    cd /opt/IBM/HTTPServer/bin
    ./gskcmd -cert -list -type cms -db ../cert/key.kdb -pw password
  7. For a three-server environment, create a directory for the certificate files on the Analytics server.
    1. Create the /opt/IBM/cert_files directory on the Analytics server.
    2. Copy the contents of the /opt/IBM/HTTPServer/cert directory from the Core server to the /opt/IBM/cert_files directory on the Analytics server.
    3. Enter the following command to set directory permissions:
      /bin/chmod -R 755 /opt/IBM/cert_files
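
Before the imports in steps 3 and 5, the files received from the CA can be checked against each other, so that a missing or mismatched signer certificate is found before the key database is changed. The script below is an added example and is not part of IBM's procedure; it assumes that openssl is installed on the machine where the files are checked, and the script name, function names and argument order are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's code: sanity-check the certificate files with
# openssl before importing them with gskcmd. File names are the caller's.

# Print the certificate in $1 as PEM; fails if it cannot be parsed as X.509.
der_to_pem() {
    openssl x509 -inform der -in "$1" -outform pem 2>/dev/null
}

# check_chain ROOT SERVER [INTERMEDIATE ...]
# Returns 0 if SERVER verifies up to ROOT through the given intermediates,
# 1 if the chain does not verify (missing signer, wrong issuer, expired),
# 2 if any file cannot be parsed as a certificate.
check_chain() {
    root=$1; server=$2; shift 2
    tmp=$(mktemp -d) || return 2
    rc=0
    : > "$tmp/inter.pem"
    der_to_pem "$root" > "$tmp/root.pem" || rc=2
    der_to_pem "$server" > "$tmp/server.pem" || rc=2
    for f in "$@"; do
        der_to_pem "$f" >> "$tmp/inter.pem" || rc=2
    done
    if [ "$rc" -eq 0 ]; then
        # Show what is about to be imported, in import order.
        for f in "$root" "$@" "$server"; do
            echo "== $f"
            openssl x509 -inform der -in "$f" -noout -subject -issuer -enddate
        done
        # Pass -untrusted only when intermediates were supplied.
        set -- -CAfile "$tmp/root.pem"
        if [ -s "$tmp/inter.pem" ]; then set -- "$@" -untrusted "$tmp/inter.pem"; fi
        out=$(openssl verify "$@" "$tmp/server.pem" 2>&1) || rc=1
        # Require the "OK" line too; old releases did not always fail via exit status.
        case $out in *": OK"*) ;; *) rc=1 ;; esac
        echo "$out"
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check_chain.sh ROOT.der SERVER.der [INTERMEDIATE.der ...]
if [ "$#" -ge 2 ]; then check_chain "$@"; fi
```

With the file names from the examples above, the root argument is carootcert.der and the server argument is icfmdev109ihs_cert.der, followed by whatever intermediate files the CA supplied. A return code of 1 with an "unable to get local issuer certificate" message means that a signer certificate is missing from the set.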