Question & Answer
How do I migrate my Apache certificates to IBM HTTP Server?
Apache HTTP Server keeps its SSL certificate and private key as PEM files, which is not the format used by IBM HTTP Server.
The process is to pack the Apache certificate and key into a .p12 file (PKCS12 format) and import that into the IBM HTTP Server .KDB key database (CMS format).
|Create the P12 file|
- Use OpenSSL on the Apache HTTP Server to export the certificate and its private key into a PKCS12 file:
openssl pkcs12 -export -out <new_p12_filename>.p12 -inkey <existing_filename>.key -in <certificate_filename>.crt
You will need the existing certificate file and key file from the Apache HTTP Server (the files named by the SSLCertificateFile and SSLCertificateKeyFile directives). OpenSSL prompts for an export password; IKeyman asks for the same password when the .p12 file is imported.
- Copy <new_p12_filename>.p12 to the IBM HTTP server.
The CMS key file must contain the signer certificate(s) that certify the personal certificate being installed. You will need the certificate authority's root certificate, and you might also need an intermediate certificate from the same authority. Check with your certificate authority for the exact certificates needed for the personal certificate you purchased.
This openssl command shows who issued the personal certificate:
openssl x509 -noout -in <certificate_filename>.crt -issuer
From the issuer name you might be able to determine which signer certificates to obtain from the certificate authority. Once you have these certificates, jump ahead to the section Adding the signer.
If you are unsure of the signer certificates you need, continue with the following steps:
- Locate the file <certificate_filename>.crt used in the first section.
- Copy it to a Microsoft Windows PC and rename the copy with a ".cer" extension.
- Double-click the new file to open the Microsoft Windows "Certificate" panel, where you can view the content of the certificate and its certification path.
- Select the Certification Path tab at the top of the panel. It shows the certificate chain: usually the last entry is the personal certificate and the entries above it are the signing authorities (the root and, if present, the intermediate).
- Select the signing authority listed directly above the personal certificate. If more than one signer is listed above it, repeat the remaining steps for each of them.
- Below the viewing window, click View Certificate. This opens a new Microsoft Windows Certificate panel.
- In this new panel, select the Details tab at the top. It lists all of the details associated with the certificate you are viewing.
- Below the viewing window, click Copy to File. This starts the Certificate Export Wizard.
- Follow the wizard, accepting the defaults on each panel. When prompted, provide a name for the new file. The file is created in binary (DER) format with a ".cer" extension.
|Create CMS key file|
Using the IKeyman tool, create a new key database file (CMS type, .KDB file), providing the name and password when prompted. Be sure to check the "Stash the password into a file?" box: IBM HTTP Server reads the stashed password (the .sth file) to open the key database at startup, so protect that file with the same file permissions as the .KDB itself. You may of course use an existing .KDB key file instead.
|Adding the signer|
- With the new key file open within IKeyman, select Signer Certificates from the object list box.
- Click Add. This opens the Add CA's Certificate to a file dialog.
- Click Browse and locate the signer certificate exported with the Windows Certificate Export Wizard above, or the signer certificate file provided by the certificate authority.
- Click OK to add the signer. A new panel asks for a label.
- Enter a label for the new signer and click OK. Repeat these steps for each signer (root and, if needed, intermediate) that the personal certificate requires.
|Importing the personal|
- Select Personal Certificates from the object list box.
- Click Import. This will bring up the Import Key panel.
- Change the Key File Type to "PKCS12".
- Click Browse to locate the personal certificate .p12 file created from the section labeled Create the P12 file.
- Enter the password for this file when prompted and click OK. The Change Labels panel opens, giving you the opportunity to change the label displayed within IKeyman. This is not mandatory, but lets you put meaningful text against your certificate rather than the cryptic label generated on export. A meaningful label is especially useful if you plan to use the SSLServerCert directive within IBM HTTP Server to select one of several certificates in a single key database file.
If at this point you receive an error similar to:
The password is invalid or the PKCS12 has been corrupted or has been created with an unsupported version of PKCS12.
Then you should update the Java™ JCE security policy files to the latest unrestricted versions.
Reference these documents:
- Unable to import a PKCS12 file that is created by IIS or other non-IBM Web server keystores into a CMS or JKS database
- Ikeyman: The specified database has been corrupted (Strong Encryption)
The updated JCE files are available here: Unrestricted JCE policy files
Notes for version 6.0:
- For IBM HTTP Server, the policy files are typically found under the following directory:
- For Plug-in, the policy files are typically found under the following directory:
- You might need to replace the 2 files at both locations.
In the Change Labels panel, select the certificate listed, type in a new label, and click Apply to set it.
At this point, you should have a working key database file that can be used with IBM HTTP Server.
If you receive the error message "All the signer certificates must exist in the key database", go back and confirm that the root signer certificate and, if one is used, the intermediate signer certificate are both in the key database, then retry the import.
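The procedure above, scripted end to end as an added example (this is not IBM's own script). It covers the OpenSSL side of the migration (exporting the .p12, identifying the issuer, proving the signer chain is complete before anything is imported, and splitting the signers into one file each for the IKeyman Add dialog) and, when GSKit's gskcapicmd is on PATH, the command-line equivalent of the IKeyman steps. The work directory, file names, labels, passwords and the gskcapicmd flags are assumptions, and the three-level PKI it signs is constructed inside the script to stand in for a real Apache certificate and key.

```shell
#!/bin/sh
# Added example for this technote, not IBM's own script. Assumptions: work
# directory, file names, labels, passwords, and the gskcapicmd syntax.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-migrate-me}"   # export password IKeyman will ask for

# Constructed test PKI (root -> intermediate -> server) standing in for the
# Apache .crt/.key pair. In practice, skip this and point at the real files.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Who issued the personal certificate? (The technote's "openssl x509 -issuer" step.)
issuer_of() { openssl x509 -noout -in "$1" -issuer | sed 's/^issuer= *//'; }

# Does the leaf chain up to the root through the given intermediates? This is
# the same condition IKeyman enforces with "All the signer certificates must
# exist in the key database": the root alone does not verify a certificate
# that was issued by an intermediate.
chain_complete() {  # chain_complete <leaf> <root> [intermediate ...]
  leaf=$1; root=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # word splitting of $untrusted is intended
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# The technote's export step, with the signers bundled in via -certfile. The
# explicit PBE and MAC algorithms keep the file readable by older PKCS#12
# importers, which may reject the AES/PBKDF2 defaults of OpenSSL 3 with the
# "unsupported version of PKCS12" error quoted above.
export_p12() {  # export_p12 <key> <cert> <chain.pem> <out.p12>
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -name "www.example.com" -passout "pass:$P12PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# How many certificates (leaf plus signers) actually landed in the .p12?
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# One PEM file per signer: what the IKeyman Add dialog (or gskcapicmd -cert -add) consumes.
split_signers() {  # split_signers <chain.pem> <outdir>
  awk -v dir="$2" '/BEGIN CERT/ { n++ } { print > (dir "/signer" n ".pem") }' "$1"
}

# Command-line equivalent of the IKeyman steps (assumed GSKit 8 gskcapicmd
# syntax; check "gskcapicmd -cert -import -help" on your version).
import_into_kdb() {  # import_into_kdb <key.kdb> <kdbpass> <cert.p12> <signer.pem> ...
  kdb=$1; pw=$2; p12=$3; shift 3
  gskcapicmd -keydb -create -db "$kdb" -type cms -pw "$pw" -stash
  i=0
  for s in "$@"; do
    i=$((i + 1))
    gskcapicmd -cert -add -db "$kdb" -stashed -label "Signer $i" -file "$s" -format ascii
  done
  gskcapicmd -cert -import -db "$p12" -type pkcs12 -pw "$P12PASS" -target "$kdb" -target_stashed
  gskcapicmd -cert -list -db "$kdb" -stashed
}

main() {
  make_fixtures
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  echo "issuer: $(issuer_of "$WORK/server.crt")"
  if chain_complete "$WORK/server.crt" "$WORK/root.crt"; then
    echo "root alone verifies the personal certificate"
  else
    echo "root alone is not enough: the intermediate signer is required too"
  fi
  if chain_complete "$WORK/server.crt" "$WORK/root.crt" "$WORK/int.crt"; then
    echo "full chain verifies; safe to add root and intermediate as signers"
  fi
  export_p12 "$WORK/server.key" "$WORK/server.crt" "$WORK/chain.pem" "$WORK/server.p12"
  echo "certificates in $WORK/server.p12: $(p12_cert_count "$WORK/server.p12")"
  split_signers "$WORK/chain.pem" "$WORK"
  if command -v gskcapicmd >/dev/null 2>&1; then
    import_into_kdb "$WORK/key.kdb" "kdb-password" "$WORK/server.p12" "$WORK"/signer*.pem
  fi
}

if [ "${1:-}" = run ]; then main; fi   # usage: sh migrate.sh run
```

Run it as `sh migrate.sh run`. Against a real Apache installation, drop make_fixtures and point the calls in main at the files named by SSLCertificateFile, SSLCertificateKeyFile and (for the chain) SSLCertificateChainFile or the CA bundle. The chain_complete check is the one worth keeping even if you do the rest in IKeyman: running it before the import tells you whether the intermediate is missing, which is the usual cause of the "All the signer certificates must exist in the key database" message.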
15 June 2018