Ask a Question

Advanced Search

Alert ID : INFO286

Last Modified : 04/23/2019

Managed PKI for SSL - Installation Instructions for IBM HTTP Server using IKEYMAN GUI



This document provides instructions for installing SSL Certificates for IMB HTTP Server using the IKEYMAN GUI. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.

NOTE: Keep in mind that to successfully use the certificate sent by Symantec, the Intermediate CA certificate and your SSL certificate must be imported into same key file from which the certificate request was generated. Ikeyman gives errors when you try to import the Symantec certificate into a key file that does not contain the certificate request.

Step 1: Download the Symantec Intermediate CA Certificate

  1. Download the Intermediate CA certificates from this link:
  2. Select the Managed PKI for SSL tab
  3. Select the appropriate Intermediate CA certificate for your SSL Certificate type.
    NOTE: To check which certificate type you have purchased, follow the steps from this link: SO22021
  4. Copy the Intermediate CA certificate and paste it on a Notepad.
  5. Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces, extra line breaks or additional characters have been inadvertently added.
  6. Save the file as intermediate.cer

Step 2: Install Symantec Intermediate CA Certificate

  1. Start the key management utility (iKeyman):

    On Windows: Go to the start UI and select Start Key Management Utility

    On AIX, Linux or Solaris: Type ikeyman on the command line
  2. Open the key database file that was used to create the certificate request.
  3. Enter the password, then click OK.
  4. Click on the "down arrow" to the right, to display a list of three choices.
  5. Select Signer Certificates, then click Add.
  6. Click Data Type and select a data type, such as Base64-encoded ASCII data.
    NOTE: This data type must match the data type of the importing certificate.
  7. Enter a file name and location for intermediate.cer digital certificate or click Browse to select a file name and location.
  8. Click OK.
  9. Enter a label for importing certificate, for example: Intermediate CA
  10. Click OK
  11. The Signer Certificates field displays the label of the signer certificate you added.

Step 3: Obtain the SSL Certificate 

  1. Once your Managed PKI for SSL administrator has approved your Certificate request, you will receive an email with
    the Certificate attached (cert.cer), as well as in the body of the email itself.
  2. Copy the certificate, imbedded in the body of the email and paste it into a text file using Vi or Notepad.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters.
    Confirm that there are no extra lines or spaces in the file.

    The text file should look like:


              [encoded data]

    -----END CERTIFICATE-----

    NOTE: To download the certificate from your Managed PKI for SSL subscriber services page, see solution SO6621
    Please select X.509 as a certificate format and copy only the End Entity Certificate.
  3. Save the certificate as public.cer or public.arm

Step 4: Install the SSL Certificate

  1. Open the .kdb file using the iKeyman utility: 

    On Windows: Go to the start UI and select Start Key Management Utility

    On AIX, Linux or Solaris: Type ikeyman on the command line
  2. In the middle of the iKeyman GUI you will see a section called Key database content
  3. Click on the "down arrow" to the right, to display a list of three choices
  4. Select Personal Certificates

  5. From the Personal Certificates section, click Receive

  6. Data Type - leave the default of "Base64-encoded ASCII data"

  7. Browse to the directory that contains the .cert or .arm file
  8. Highlight the file and click Open.
  9. Now click OK on this dialog box


Step 5. Transfer Certificate

  1. To extract an SSL certificate from a key database file and store it in a CA key ring file, start the iKeyman graphical user interface
  2. Run following command:

    On Windows: strmqikm

    On UNIX: gsk7ikm
  3. Choose Open from the Key Database File menu. Click Key database type, and select CMS.
  4. Click Browse to navigate to the directory containing the key database files
  5. Select the key database file to which you want to add the certificate. For example, key.kdb.
  6. Click Open
  7. In the Password Prompt window, type the password you set when you created the key database and then click OK.
  8. Select Signer Certificates in the Key database content field, and then select the certificate you want to extract.
  9. Click Extract.
  10. Select the Data type of the certificate. For example, Base64-encoded ASCII
  11. Click Browse to select the name and location of the certificate file name.
  12. Click OK. The certificate is written to the file you specified.
  13. To verify if your certificate is installed correctly, use the DigiCert Installation Checker

IBM Support

         For more information, refer to IBM documentation