IBM Support

Using iKeyman to create a key database file



Instructions for using the iKeyman utility to create a key database file for IBM HTTP Server.

Resolving The Problem

For the latest documentation on using the iKeyman utility, visit the IBM Knowledge Center.

How do I create a Key Database File (.kdb) using iKeyman?

  1. Open the iKeyman utility.
    • On Microsoft Windows platforms, click Start > Programs > IBM HTTP Server > Start Key Management Utility.

    • On UNIX platforms, start the iKeyman utility by running: /IHS root/bin/

  2. From the Menu Bar select Key Database File > New.

  3. Enter a file name for the new key database file you are creating.

  4. Enter the Location on the hard drive where you want to store the .kdb file. On Windows, this is usually the /IBM Http Server/ssl directory.

  5. Click OK.

    After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.

  6. Select the checkbox Stash the password to a file? This encrypts the password and saves the file as a .sth file in the same directory as the key database file.

  7. Click OK.

How do I create a new "Certificate Request" to send to a CA (for example, Verisign)?
  1. Open the key database file (.kdb) using the iKeyman utility.

  2. In the middle of the iKeyman GUI you will see a section called Key database content.

  3. Click on the "down arrow" to the right, to display a list of three choices.

  4. Select Personal Certificate Requests.

  5. From the Personal Certificate Requests section, click New.

  6. Key Label= (The name you want to give the certificate to identify it in iKeyman.)

    Note: Using the SiteName (for example, as the label is a good practice.

    SAN Certificate Request additional options.

    In the Subject Alternative Names section, enter all of the domain names in the DNS Name field, separated by a space, a comma, or a comma and a space. Any of these methods should work.

    For example:
    Spaces between hostnames:
    hostname1 hostname2 hostname3 etc...

    A comma with no space between hostnames:
    hostname1,hostname2,hostname3, etc...

    A comma and a space between hostnames:
    hostname1, hostname2, hostname3, etc...
  7. Key Size= (2048bit, 1024bit or 56bit)

  8. Common Name= (SiteName, for example,

    Note: This is the name that the CA will register, so it is important that it matches the actual SiteName.

  9. Organization= (Company Name)

  10. "Enter the name of a file in which to store the certificate request"

    Note: This is the file (.arm) that will contain your request. It is a simple text file that can be opened in any text editor. The information contained in this file is what the CA (ex. Verisign) needs you to provide them.

    Saving this file (.arm) in the same directory as the .kdb file is recommended.

  11. Once you save the file (.arm) you are done with creating the request.

  12. You must now choose a CA and follow the CA's instructions for sending them the "Certificate Request".

    ######### CAUTION #########
    Before proceeding to the next step, make a backup copy of the filename.KDB and filename.RDB key files to protect against file corruption or accidental deletion of the certificate request, which is stored in the filename.RDB key file.
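
A pre-submission check for the values entered in steps 6 to 8 above, added here as an illustration (it is not IBM code and not part of iKeyman): it parses the DNS Name field in any of the three separator styles, validates each hostname, confirms the Common Name is also listed as a Subject Alternative Name, and flags the smaller key sizes. The function names, the 2048-bit floor and the example.com hostnames are assumptions made for this example.

```python
import re

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MIN_RSA_BITS = 2048  # assumption: smaller sizes offered by the dialog are flagged


def parse_san_field(text):
    """Split the DNS Name field on spaces, commas, or both, as the dialog accepts."""
    names = []
    for raw in re.split(r"[,\s]+", text.strip()):
        name = raw.lower().rstrip(".")
        if name and name not in names:  # drop empties (trailing comma) and duplicates
            names.append(name)
    return names


def valid_hostname(name):
    """Syntax check only; '*' is accepted solely as the entire leftmost label."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if len(labels) < 2:
            return False
    return len(name) <= 253 and all(_LABEL.match(label) for label in labels)


def check_request(common_name, san_field, key_bits):
    """Return the problems found in the values destined for the request dialog."""
    problems = []
    cn = common_name.strip().lower().rstrip(".")
    sans = parse_san_field(san_field)
    for name in dict.fromkeys([cn] + sans):
        if not valid_hostname(name):
            problems.append(f"invalid hostname: {name!r}")
    # Clients that follow RFC 6125 match only the SAN entries when any are present.
    if sans and cn not in sans:
        problems.append(f"Common Name {cn!r} is not among the Subject Alternative Names")
    if key_bits < MIN_RSA_BITS:
        problems.append(f"key size {key_bits} is below {MIN_RSA_BITS} bits")
    return problems


if __name__ == "__main__":
    # Constructed sample values; example.com names are placeholders.
    for problem in check_request("www.example.com", "example.com, api.example.com", 1024):
        print(problem)
```

An empty list from check_request means the values passed all three checks; the same names can then be entered in the dialog in whichever separator style is convenient.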

How do I receive the Certificate into the Key Database File (.kdb) file after getting it back from the CA?
Note: CAs usually send back an email with the certificate information provided as text in the email.
  1. Take the information provided in the email and copy it into a text file. Save the text file with a .cert extension or .arm extension.

  2. Open the .kdb file using the iKeyman utility.

  3. In the middle of the iKeyman GUI you will see a section called Key database content.

  4. Click on the "down arrow" to the right, to display a list of three choices.

  5. Select Personal Certificates.

  6. From the Personal Certificates section, click Receive.

  7. Data Type= (Leave the default of "Base64-encoded ASCII data")

  8. Browse to the directory that contains the .cert or .arm file

  9. Highlight the file and click Open.

  10. Now click OK on this dialog box:


Document Information

Modified date:
15 June 2018