Managing keys with the IKEYMAN graphical interface (Distributed systems)
This section describes topics on how to set up and use the key management utility (IKEYMAN) with IBM® HTTP Server. Using the graphical user interface, rather than the command line interface, is recommended.
Before you begin
About this task
IBM Global Security Kit (GSKit) certificate management tools are installed in the <ihsinst>/bin/ directory. These tools should only be run from the installation directory. Examples for the following commands should include the full directory path, such as <ihsinst>/bin/gskcmd.
- gskver
- ikeyman
- gskcapicmd
- gskcmd
For example: <ihsinst>/bin/ikeyman -x
To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.
Procedure
- Start the Key Management utility user interface. Use IKEYMAN to create key databases, public and private key pairs, and certificate requests.
- Work with key databases. You can use one key database for all your key pairs and certificates, or create multiple databases.
- Change the database password. When you create a new key database, you specify a key database password, which protects the private key. The private key is the only key that can sign documents or decrypt messages that are encrypted with the public key. Changing the key database password frequently is a good practice.
- Create a new key pair and certificate request. Key pairs and certificate requests are stored in a key database.
- Import and export your key into another database or to a PKCS12 file. PKCS12 is a standard for securely storing private keys and certificates.
- List certificate authorities within a key database.
- Display the certificate expiration date for your key database by viewing the certificate information with the IKEYMAN Key Management utility GUI or by using the gskcmd command.
- If you act as your own CA, you can use IKEYMAN to create self-signed certificates.
- Receive a signed certificate from a certificate authority. If you act as your own CA for a private Web network, you have the option to use the server CA utility to generate and issue signed certificates to clients and servers in your private network.
- Display default keys and certificate authorities within a key database.
- Store a certificate from a certificate authority (CA) that is not a trusted CA.
- Store the encrypted database password in a stash file.
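The same procedure can be scripted with the GSKit command-line tool for unattended servers. The following is an added example, not code from the IBM documentation; it assumes gskcapicmd lives under an IHS_ROOT of /opt/IBM/HTTPServer (the <ihsinst> of this page) and uses a GSK_DRY_RUN=1 mode that only prints each command so the functions can be exercised without GSKit installed.

```shell
# Added example: gskcapicmd equivalents of the IKEYMAN steps above.
# Assumption: IHS_ROOT is <ihsinst>; GSK_DRY_RUN=1 prints commands instead of running them.
IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"
GSK="$IHS_ROOT/bin/gskcapicmd"

# Run (or, in dry-run mode, print) one gskcapicmd invocation. A password passed
# with -pw is visible to other local users in the process list, so run these
# from a controlled host and prefer the stash file for unattended startup.
run_gsk() {
  if [ "${GSK_DRY_RUN:-0}" = "1" ]; then
    echo "$GSK $*"
  else
    "$GSK" "$@"
  fi
}

# 1. Create a CMS key database. -stash writes the encrypted password to a .sth
#    file next to the .kdb so the server can open it unattended; keep it mode 0600.
create_keydb() { run_gsk -keydb -create -db "$1" -pw "$2" -type cms -stash; }

# 2. Create a key pair plus a PKCS#10 certificate request (written to $5) for a CA to sign.
create_certreq() {
  run_gsk -certreq -create -db "$1" -pw "$2" -label "$3" -dn "$4" -size 2048 -file "$5"
}

# 3. Receive the CA-signed certificate; it is matched to the pending request by label.
receive_cert() { run_gsk -cert -receive -db "$1" -pw "$2" -file "$3"; }

# 4. Store a CA certificate that is not yet trusted and mark it as a trusted root.
add_trusted_ca() {
  run_gsk -cert -add -db "$1" -pw "$2" -label "$3" -file "$4" -format ascii -trust enable
}

# 5. Export a key and certificate to a PKCS12 file for import into another database.
export_pkcs12() {
  run_gsk -cert -export -db "$1" -pw "$2" -label "$3" -type cms \
    -target "$4" -target_pw "$5" -target_type pkcs12
}

# 6. List certificates expiring within $3 days: the check worth scheduling.
list_expiring() { run_gsk -cert -list -db "$1" -pw "$2" -expiry "$3"; }
```

Run the functions with GSK_DRY_RUN=1 first to review the exact commands, then unset it to execute them against the real key database.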
What to do next
You may experience a certificate problem when you open a certificate that has a key with a higher level of cryptography than your policy files permit. You can optionally install unlimited strength JCE policy files.
- Download and install the files from the following Web site: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk.
For more information about the IKEYMAN utility, see the IKEYMAN User's Guide on the IHS Library page.