How do I import a GoDaddy SSL Cert into an IBM HTTP Server keystore?
When you get a new SSL certificate from GoDaddy, you likely will a zip file that includes multiple CRT files and a PEM file. These are the raw Certificate Request, GoDaddy root CA and intermediate CA certs, as well as the private key for the actual certificate. WHen using Apache, you typically would use the following SSL directives to use these files as they are:
SSLCertificateFile "/usr/local/apache2/conf/ssl/certificate.crt"
SSLCertificateChainFile "/usr/local/apache2/conf/ssl/ca_bundle.crt"SSLCertificateKeyFile "/usr/local/apache2/conf/ssl/private.key"
IBM HTTP Server, on the other hand, typically uses a key database instead. This is a much more secure way to handle SSL handshakes, and helps to protect your certificate from potential hackers that make it into the operating system via command line. You can not use the Godaddy certs as they are! You will need to convert the PEM file and key file into a PCKS12 key database first. Then, you can import from that new key database into the IBM HTTP Server’s key database.
Start off by copying your files to the system. You’ll need to do this on the host (we’re using Linux in this case…sorry Windoze users). In our case we have the following files:
generated-private-key.txt – this is the private key. DO NOT lose this! Keep this secure!
73f29e00683BR549.crt – this is the certificate request
73f29e00683BR549.pem – this is the public key of the certificate request.
Now, you’ll create a new PKCS12 keystore from the files above:
openssl pkcs12 -export -out cert.p12 -in 73f29e00683BR549.pem -inkey generated-private-key.txt -passout pass: myNewPassword
Then, on the IBM HTTP Server, navigate to the bin directory. You’ll use the command gsk8capicmd, which is a superset executable of ikeyman. Use this to import into your keystore:
/opt/IBM/IHS/bin/gskcapicmd -cert -import -file /opt/IBM/IHS/cert.p12 -target /opt/IBM/IHS/conf/ihskey.kdb
-target_stashed -label my.server.com
Your key database (ihskey.kdb) should be secured by your. I recommend you create that first. It should be a CMS type database to work with IBM HTTP Server.
If you want to do this key database manipulation on your own workstation (using Windoze), you can do it if you have the IBM JRE installed. Note that you will need to change the JRE java security policy, otherwise, you will NOT be able to edit any CMS keystore (which is what IHS uses). Open the <jre home>/lib/security/java.security file and add the following line to the bottom of the file:
security.provider.10=com.ibm.security.cmskeystore.CMSProvider