IBM® HTTP server certificate management

Either the iKeyman graphical utility or the gskcmd command-line utility can be used to create a self-signed server certificate.

The certificate is used by SSL/TLS to secure communications between clients and the server. Self-signed server certificates are appropriate when you act as your own CA for a private web network or for benchmark and application testing. Clients outside your control do not trust a self-signed certificate unless it is explicitly added to their trust store, so a server facing the public Internet needs a certificate issued by a CA the clients already trust.

Example of creating a self-signed server certificate using the gskcmd command utility:

# gskcmd -cert -create -size 4096 -dn "CN=wasnode1.net,O=IBM,C=DE" -label ihscert \
    -crypto /usr/lib/pkcs11/PKCS11_API.so64 -tokenlabel IBMICATOK -pw XXXX

The command creates a self-signed server certificate with the label ihscert and a 4096-bit RSA key. Because -crypto and -tokenlabel are given, the key pair and certificate are created in and stored by the PKCS#11 cryptographic ICA token with the label IBMICATOK rather than in a key database file. The password XXXX is the user PIN that was specified when the ICA token was initialized; see Configuring the PKCS#11 cryptographic ICA token. Unless an expiry is specified on the command, the certificate is valid for one year from its creation, as the listing below shows.

Display the self-signed server certificate using the gskcmd command utility:

# gskcmd -cert -details -label ihscert -crypto /usr/lib/pkcs11/PKCS11_API.so64 \
    -tokenlabel IBMICATOK -pw XXXX
Label: ihscert 
Key Size: 4096 
Version: X509 V3 
Serial Number: 50 3B 61 E9 
Issued by: CN=wasnode1.net, O=IBM, C=DE 
Subject: CN=wasnode1.net, O=IBM, C=DE 
Valid: From: Monday, 27 August 2012 14:02:49 o'clock CEST 
To: Tuesday, 27 August 2013 14:02:49 o'clock CEST 
Fingerprint: 9D:FC:17:90:4B:59:39:52:20:D9:F6:22:3E:D1:48:4F:1A:B0:13:3D 
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5) 
Trust Status: enabled

The gskcmd command displays the self-signed certificate stored in the PKCS#11 ICA token. Issued by and Subject are identical, which is what identifies the certificate as self-signed. Note the signature algorithm in this listing: SHA1withRSA was the default at the time, but current browsers and TLS clients reject server certificates signed with SHA-1, so when you create a certificate today select a SHA-2 algorithm (on GSKit levels that support it, gskcmd -cert -create accepts a -sig_alg option such as SHA256WithRSA; check gskcmd -cert -create -help for the values your level accepts).
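The listing above contains everything needed to decide whether the certificate is acceptable for use. The following script is an added example (not IBM or GSKit code): it parses the text that gskcmd -cert -details prints, using a constructed copy of the listing shown on this page as input, and flags the points a reviewer would raise, namely a SHA-1 (or MD5) signature, an RSA key below 2048 bits, a self-signed issuer, and a certificate that is expired, not yet valid, or close to expiry. The thresholds and finding codes are this example's own choices.

```python
"""Sanity checks on the output of `gskcmd -cert -details`.

Added example, not code from IBM or the GSKit. It parses the listing that
gskcmd prints and flags a SHA-1 signature, an RSA key below MIN_RSA_BITS,
a self-signed issuer, and a certificate that is expired, not yet valid, or
within EXPIRY_WARN_DAYS of expiry.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a copy of the `gskcmd -cert -details` listing on this page.
SAMPLE_DETAILS = """\
Label: ihscert
Key Size: 4096
Version: X509 V3
Serial Number: 50 3B 61 E9
Issued by: CN=wasnode1.net, O=IBM, C=DE
Subject: CN=wasnode1.net, O=IBM, C=DE
Valid: From: Monday, 27 August 2012 14:02:49 o'clock CEST
To: Tuesday, 27 August 2013 14:02:49 o'clock CEST
Fingerprint: 9D:FC:17:90:4B:59:39:52:20:D9:F6:22:3E:D1:48:4F:1A:B0:13:3D
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
"""

MIN_RSA_BITS = 2048          # policy thresholds chosen for this example
EXPIRY_WARN_DAYS = 30
WEAK_SIG_PREFIXES = ("MD2", "MD5", "SHA1")

# Matches "27 August 2012 14:02:49" inside "Monday, 27 August 2012 14:02:49 o'clock CEST".
_DATE_RE = re.compile(r"(\d{1,2} [A-Za-z]+ \d{4} \d{2}:\d{2}:\d{2})")


def _parse_date(value):
    """Extract the day/month/year/time from a gskcmd date string.

    The time zone name (CEST above) is dropped, so the result is a naive
    datetime and comparisons are only accurate to a few hours.
    """
    m = _DATE_RE.search(value)
    if not m:
        raise ValueError("unrecognised date: %r" % value)
    return datetime.strptime(m.group(1), "%d %B %Y %H:%M:%S")


def parse_details(text):
    """Turn the 'Key: value' lines into a dict.

    The two validity lines become 'valid_from' / 'valid_to' datetimes;
    every other field is kept under its printed name (e.g. 'Key Size').
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Valid":
            fields["valid_from"] = _parse_date(value)
        elif key == "To":
            fields["valid_to"] = _parse_date(value)
        else:
            fields[key] = value
    return fields


def check_certificate(fields, now):
    """Return a list of (code, message) findings for a parsed listing."""
    findings = []

    sig = fields.get("Signature Algorithm", "")
    if sig.upper().startswith(WEAK_SIG_PREFIXES):
        findings.append(("WEAK_SIGALG", "%s is deprecated; re-create the certificate "
                         "with a SHA-2 algorithm" % sig.split()[0]))

    bits = int(fields.get("Key Size", "0"))
    if bits < MIN_RSA_BITS:
        findings.append(("SMALL_KEY", "%d-bit key is below %d bits" % (bits, MIN_RSA_BITS)))

    if fields.get("Issued by") == fields.get("Subject"):
        findings.append(("SELF_SIGNED", "issuer equals subject; clients must be "
                         "configured to trust this certificate explicitly"))

    valid_from, valid_to = fields["valid_from"], fields["valid_to"]
    if now < valid_from:
        findings.append(("NOT_YET_VALID", "valid from %s" % valid_from))
    elif now > valid_to:
        findings.append(("EXPIRED", "expired on %s" % valid_to))
    elif valid_to - now < timedelta(days=EXPIRY_WARN_DAYS):
        findings.append(("EXPIRING", "expires on %s" % valid_to))

    return findings


def audit_details(text, now_iso):
    """Parse a gskcmd listing and audit it as of the given ISO-8601 time."""
    return check_certificate(parse_details(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for code, msg in audit_details(SAMPLE_DETAILS, "2012-09-01T12:00:00"):
        print("%-14s %s" % (code, msg))
```

Run against the listing above, the script reports the SHA-1 signature and the self-signed issuer; moved to a date within 30 days of 27 August 2013 it adds an expiry warning. Feed it the real output of gskcmd -cert -details with the current time to use it as a pre-deployment check.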

IBM HTTP Server (IHS) signer certificates, that is, the CA certificates IHS must trust, are stored in a Certificate Management Services (CMS) key store created with the GSKit installed with IHS.

The next step is therefore to create a CMS keystore for the signer certificates.

Save the keystore password in a stash file by using the -stash option; IHS reads the password from that file when it opens the keystore at startup, so the SSL configuration later on depends on it. The stash file stores the password obfuscated, not encrypted, so keep it readable only by the user IHS runs as, and use a stronger password than the placeholder shown below. The -expire option sets the keystore password expiry in days. Choose an appropriate directory location for the CMS keystore. The command generates three files: the key database (.kdb), the certificate request database (.rdb) and the stash file (.sth).

Create a CMS keystore for signer certificates:

# gskcmd -keydb -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw 1234 \
    -type cms -expire 999 -stash

# ls /opt/IBM/HTTPServer/ssl 
key.kdb  key.rdb  key.sth
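The directory listing is the cue to check file permissions before moving on: the stash file holds the keystore password, and the key database will hold the trusted signer certificates, so neither should be readable by other local users. The following script is an added example (not IBM code) that verifies a keystore directory after gskcmd -keydb -create ... -stash has run: it confirms the three files exist, reports any .kdb or .sth file readable by group or other, and can restrict those two files to their owner. The temporary directory it builds for demonstration is a constructed stand-in for /opt/IBM/HTTPServer/ssl.

```python
"""Post-creation check for a CMS keystore created with `gskcmd -keydb -create ... -stash`.

Added example, not IBM code. The three files the command produces must exist,
and the key database and stash file (which holds the obfuscated keystore
password) must not be readable by group or other.
"""
import os
import stat
import tempfile

KEYSTORE_EXTS = ("kdb", "rdb", "sth")
# Files that must be owner-only: the database itself and the password stash.
PRIVATE_EXTS = ("kdb", "sth")


def keystore_paths(directory, base="key"):
    """Paths of the files gskcmd creates for -db <directory>/<base>.kdb."""
    return [os.path.join(directory, "%s.%s" % (base, ext)) for ext in KEYSTORE_EXTS]


def check_keystore_dir(directory, base="key"):
    """Return (code, detail) findings; an empty list means the directory is fine."""
    findings = []
    for path in keystore_paths(directory, base):
        if not os.path.isfile(path):
            findings.append(("MISSING", path))
            continue
        ext = path.rsplit(".", 1)[1]
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if ext in PRIVATE_EXTS and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("PERMISSIVE", "%s mode %04o" % (path, mode)))
    return findings


def harden_keystore_dir(directory, base="key"):
    """Restrict the database and stash file to their owner (0600), then re-check."""
    for path in keystore_paths(directory, base):
        if os.path.isfile(path) and path.rsplit(".", 1)[1] in PRIVATE_EXTS:
            os.chmod(path, 0o600)
    return check_keystore_dir(directory, base)


def make_demo_dir():
    """Constructed stand-in for /opt/IBM/HTTPServer/ssl: the three files,
    created world-readable as a permissive umask would leave them."""
    directory = tempfile.mkdtemp(prefix="ihs-ssl-")
    for path in keystore_paths(directory):
        with open(path, "wb"):
            pass
        os.chmod(path, 0o644)
    return directory


if __name__ == "__main__":
    demo = make_demo_dir()
    print("before:", check_keystore_dir(demo))
    print("after: ", harden_keystore_dir(demo))
```

On a real installation call check_keystore_dir("/opt/IBM/HTTPServer/ssl") as the IHS user; a PERMISSIVE finding on key.sth means every local account can recover the keystore password from the stash file.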