Signing certificates by certificate authorities

This topic describes how to obtain SSL certificates signed by a certificate authority (CA) by using the IBM HTTP Server (IHS) iKeyMan key management utility.

Procedure

  1. Start the IHS iKeyMan utility.
    On Windows:
    Click Start > Programs > IBM HTTP Server > Start Key Management Utility
    On UNIX and Linux systems:
    Open a command prompt window and run $RATIONAL_COMMON/IHS/bin/ikeyman.sh.
  2. Click Key Database File > Open > Select Key database.
    1. Enter CMS and click Browse to navigate to your key store file key.kdb.
    2. Enter the keystore password and click OK. If the key.kdb keystore file has not been created, see Creating HTTP server keys.
  3. Select Personal Certificate Request from the drop-down menu in the Key Database Content section.
  4. Fill in the field values. Use the full name of your province instead of an abbreviation. Then save the file with the .arm file extension.
  5. Follow your certificate authority organization's rules for sending the .arm file and receiving the signed certificate .cert file. For example, some companies direct you to a web site where you can upload the .arm file and receive the .cert file by e-mail.
  6. You must rename the .cert file to the value in the Common Name field of the resulting certificate. Typically, this is the full internet reference to the host computer, for example, myhost.mydomain.mycompany.com. You must use the full internet name wherever the common name is referenced.
  7. Select Signer Certificates from the drop-down menu in the Key Database Content section.
    1. If the certificate authority name is listed in the Key Database Content section:
      1. Select Personal Certificates from the drop-down menu and click Receive.
      2. Browse for the CommonName.arm file. Select the appropriate file type (ASCII or DER binary file) from the Data Type drop-down menu and click OK. A message appears indicating that the certificate was received.
    2. If the certificate authority name is not listed in the Key Database Content section:
      1. Add the root certificate for the certificate authority:
        1. Find the root certificate on the web site of your certificate authority, download it, and name it CA.arm, where CA is the company name of the certificate authority.
        2. Select Signer Certificates from the drop-down menu in the Key Database Content section and click Add.
        3. Click Browse to navigate to the CA.arm file that you just downloaded. Select the appropriate file type (ASCII or DER binary file) from the Data Type drop-down menu and click OK. The list now contains the name of your certificate authority, and a message appears indicating that the certificate was received.
      2. Repeat step 7.a.
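
Steps 7.a and 7.b ask you to pick the Data Type (ASCII or DER binary) of the file you import. The following check is an added example, not part of the IBM procedure: it reads a file's bytes and reports which encoding it uses, and whether an ASCII file is a signed certificate or the certificate request from step 4. The function names, the return labels and the sample bytes are assumptions made for illustration.

```python
import base64
import re

# PEM armor: BEGIN/END lines with a matching label around Base64 text.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_total_length(data):
    """Encoded size of the outer ASN.1 SEQUENCE, or None if data is not DER."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return (data_type, content) for the raw bytes of an .arm/.cert file."""
    m = PEM_RE.search(data)
    if m is None:
        # No armor: binary DER is acceptable only if the length field fits.
        if der_total_length(data) == len(data):
            return ("der", "unlabelled")
        return ("unknown", "unknown")
    label = m.group(1).decode("ascii")
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return ("ascii", "corrupt")
    if der_total_length(body) != len(body):
        return ("ascii", "corrupt")       # truncated or damaged in transit
    if label.endswith("CERTIFICATE REQUEST"):
        return ("ascii", "request")       # the request file, not a signed cert
    return ("ascii", "certificate" if label == "CERTIFICATE" else "other")

def armor(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.b64encode(der)
            + b"\n-----END " + label + b"-----\n")

# Constructed stand-in for DER content: SEQUENCE { INTEGER 1 }, not a real cert.
SAMPLE_DER = bytes.fromhex("3003020101")

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(classify(armor(b"CERTIFICATE", SAMPLE_DER)))
    print(classify(armor(b"NEW CERTIFICATE REQUEST", SAMPLE_DER)))
```

A result of ("ascii", "request") means the file selected is the request that was sent to the certificate authority rather than the signed certificate it returned.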
