IBM Support

Renewing a certificate using iKeyman

Question & Answer


Question

How do you properly renew a certificate using the Key Management (iKeyman) utility?

Answer

The following steps are required for renewing an "existing" or "expired" certificate.


Renewing "Self-Signed" certificates:
For all IBM® HTTP Server releases

  1. Start the iKeyman graphical interface.

  2. Open the existing KeyFile (.kdb) that contains the self-signed certificate.

  3. Click on the certificate in the Personal Certificates section of the KeyFile and then click on the Delete button to the right of the screen.

    Note: This will remove the certificate from the KeyFile.

  4. Click on the New Self-Signed button to the right of the screen.

  5. Fill in the new self-signed certificate form and then click OK.

    Note: You will now see your new certificate listed in the Personal Certificates section of the KeyFile.

  6. Close the iKeyman utility and restart the IBM® HTTP Server for the changes to take effect.


Renewing certificates issued by an external Certificate Authority (CA):
(for example: VeriSign, Thawte, Entrust, and so on)

Note: You cannot re-send an "old" certreq.arm to the CA or re-import/receive the "old" certificate issued by the CA into iKeyman for renewal. Neither one of the preceding methods will work, nor are they supported.

  1. Start the iKeyman graphical interface.

  2. Open the existing KeyFile (.kdb) that contains the certificate.

  3. Click on the "old" certificate in the Personal Certificates section of the KeyFile and then click on the Recreate request button to the right of the screen. This will bring up a window asking you to provide a name for the request. The default of certreq.arm is fine. Save the file to the hard drive (preferably in the same directory as the old request file).

    Note: Do not delete the "old" certificate.

  4. Send the "new" certreq.arm to your CA.

  5. After receiving the "renewal" certificate from the CA, click on the Receive button to the right of the screen and browse to the directory where you have stored the "renewal" certificate.

  6. Highlight the "renewal" certificate, click Open, and then click OK. You should then see the following message:

    "A renewal certificate was found. Do you want to update the existing certificate?"

  7. Select Yes.

  8. Your "renewal" certificate should be successfully added to your (.kdb) file.

  9. Close the iKeyman utility and restart the IBM HTTP Server for the changes to take effect.

Caution: Some certificate authorities add strings to the user's requested Distinguished Name, but will not accept renewal requests that already contain the added strings. One such example is an addition to the OU field of:

"OU = Member, VeriSign Trust Network"

If the renewal request is rejected because the CA's additions are present in the request, you can create a new "certificate request" manually (see instructions here) instead of using the "recreate certificate request" function of iKeyman.

Note: When you contact the certificate authority (CA), it may offer to migrate your SSL certificates to SHA-256. You can switch to the SHA-256 signature algorithm when you renew your certificate, or you can replace your certificate by creating a new certificate request.
When you submit your CSR file for an SSL certificate, use SHA-256 with the SHA-1 root CA. In most cases, there is no additional cost for using SHA-256.
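The Caution and the SHA-256 note above can be handled together when you fall back to a manual request. The following Python is added here as an example and is not part of the IBM document: it strips the CA-added OU components from the old certificate's subject DN and assembles the gskcapicmd -certreq -create command line for a fresh SHA-256 request. The key label, file names, the list of CA-added OU values, and the assumption that the input DN is written with RFC 4514 backslash-escaped commas are this example's own.

```python
import shlex

# OU values the page's Caution says a CA may append to the requested DN.
# Constructed for this example; extend it with whatever your own CA adds.
CA_ADDED_OU = {"Member, VeriSign Trust Network"}

def parse_dn(dn):
    """Split an RFC 4514 style DN into (type, value) pairs; a backslash
    escapes the next char, so the comma inside the VeriSign OU survives."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def format_dn(pairs):
    """Re-join pairs, escaping commas so the DN round-trips through parse_dn."""
    return ",".join(attr + "=" + value.replace(",", "\\,") for attr, value in pairs)

def strip_ca_additions(dn):
    """Drop every OU the CA added, leaving the DN you originally requested."""
    kept = [(t, v) for t, v in parse_dn(dn) if not (t == "OU" and v in CA_ADDED_OU)]
    return format_dn(kept)

def manual_request_command(kdb, label, dn, out_file="certreq.arm", size=2048):
    """gskcapicmd argv for a fresh CSR signed with SHA-256 (flags of the GSKit
    command line shipped with IBM HTTP Server; label and files are assumed)."""
    return ["gskcapicmd", "-certreq", "-create", "-db", kdb, "-stashed",
            "-label", label, "-dn", dn, "-size", str(size),
            "-sigalg", "SHA256WithRSA", "-file", out_file]

if __name__ == "__main__":
    # Constructed subject DN as a CA might have issued it, comma escaped.
    old = ("CN=www.example.com,OU=Member\\, VeriSign Trust Network,"
           "OU=Web,O=Example Corp,C=US")
    print(shlex.join(manual_request_command("key.kdb", "renewal", strip_ca_additions(old))))
```

Run the printed command against the key database, then send the resulting certreq.arm to the CA and receive the issued certificate as in the steps above.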


Document Information

Modified date:
15 June 2018

UID

swg21045925