This section describes how to set up and use
the key management utility (IKEYMAN) with IBM® HTTP
Server. Using the graphical user interface, rather than the command
line interface, is recommended.
Before you begin
Ensure that the required compat-libstdc++
package exists for your operating system architecture. For more information,
see the installation and verification information for Linux packages.
About this task
Global Security Kit (GSKit) certificate management tools
are installed in the
<ihsinst>/bin/ directory.
These tools should only be run from the installation directory. Examples
for the following commands should include the full directory path,
such as
<ihsinst>/bin/gskcmd.
- gskver
- ikeyman
- gskcapicmd
- gskcmd
For IKEYMAN, you can run the following command in the installation
directory to generate debug information.
<ihsinst>/bin/ikeyman -x
To have a secure network connection, create a key for secure network
communications and receive a certificate from a certificate authority
(CA) that is designated as a trusted CA on your server.
Procedure
- Start the Key Management utility user interface. Use
IKEYMAN to create key databases, public and private key pairs, and
certificate requests.
- Work with key databases. You can use one key
database for all your key pairs and certificates, or create multiple
databases.
- Change the database password. When you create
a new key database, you specify a key database password, which protects
the private key. The private key is the only key that can sign documents
or decrypt messages that are encrypted with the public key. Changing
the key database password frequently is a good practice.
- Create a new key pair and certificate request. You
find key pairs and certificate requests stored in a key database.
- Import and export your key into another database or to
a PKCS12 file. PKCS12 is a standard for securely storing
private keys and certificates.
- List certificate authorities within a key database.
- Display certificate expiration dates in your key database by
viewing the certificate information with the IKEYMAN Key Management
utility GUI or by using the gskcmd command.
- If you act as your own CA, you can use IKEYMAN to create
self-signed certificates.
- Receive a signed certificate from a certificate authority. If you act as your own CA for a private Web network, you have
the option to use the server CA utility to generate and issue signed
certificates to clients and servers in your private network.
- Display default keys and certificate authorities within
a key database.
- Store a certificate from a certificate authority (CA) that
is not a trusted CA.
- Store the encrypted database password in a stash file.
What to do next
You may experience a certificate problem when you open
a certificate that has a key with a higher level of cryptography than
your policy files permit. You can optionally install unlimited strength
JCE policy files.
For more information about the IKEYMAN
utility, see the IKEYMAN User's Guide on the IHS Library page.