
Solution ID : SO15247

Install a GeoTrust SSL Certificate on IBM HTTP Server running iKeyman

Problem

How do I install a GeoTrust SSL certificate on an IBM HTTP Server running iKeyman?
 

Solution

This document provides installation instructions for IBM HTTP Server running iKeyman. If you are unable to use these instructions for your server, [BRAND] recommends that you contact the server vendor or the organization that supports IBM HTTP Server running iKeyman.

 
To install a GeoTrust SSL Certificate on IBM HTTP Server running iKeyman, follow the instructions below:
 
Step 1: Obtain the GeoTrust Intermediate CA
 
a) Download the GeoTrust Intermediate CA solution: INFO1421
 
Note: Be sure to use a plain-text editor such as Vi or Notepad, because word processing programs may add additional characters that render the certificate unusable.
      
b) Copy and paste the GeoTrust SSL CA into a text file and save as intermediate.txt

 
Step 2: Install the Intermediate CA
  1. Start the key management utility (iKeyman)
  2. Open the key database file that was used to create the certificate request.
  3. Enter the password, and then click OK.
  4. Select Signer Certificates and then click Add.
  5. Click Data type, and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate.
  6. Enter a file name and location for the CA root digital certificate or click Browse to select a file name and location.
  7. Select the intermediate.txt file you created from Step 1 above
  8. Click OK.
  9. Enter a label for the importing certificate.
  10. Click OK.
  11. The Signer Certificates field displays the label of the signer certificate you added.


Step 3: Downloading your Certificate

  1. Download your certificate by following the instructions in the solution that applies to you:
     
    • GeoTrust Security Center, refer to solution SO22158
    • GeoTrust Enterprise Security Center, refer to solution SO21128
    • GeoTrust User Portal (e.g., certificate purchased through Retail or Partners), refer to solution SO15168
       
  2. Copy and paste the certificate into a text file and save as ssl.arm
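
A pre-import check for the two pasted files (intermediate.txt from Step 1 and ssl.arm from Step 3), given here as an added example that is not part of the original GeoTrust instructions. It catches the "additional characters" problem noted in Step 1 by checking only the text armor, not the certificate's signature or chain. The function name check_pem is hypothetical and the sample file is constructed (its Base64 body is placeholder text, not a real certificate).

```shell
#!/bin/sh
# Added example: pre-import sanity check for intermediate.txt / ssl.arm.
# check_pem FILE returns 0 when FILE is a clean Base64-armored certificate.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # A UTF-8 byte-order mark (EF BB BF) is a typical editor artifact.
    if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
        echo "$f: starts with a UTF-8 BOM" >&2; return 1
    fi
    # Anything outside printable ASCII, CR and LF (smart quotes, NBSP, tabs).
    stray=$(LC_ALL=C tr -d '\040-\176\r\n' < "$f" | wc -c | tr -d ' ')
    [ "$stray" -eq 0 ] || { echo "$f: $stray stray byte(s)" >&2; return 1; }
    # Normalise line endings and drop empty lines before checking structure.
    body=$(tr -d '\r' < "$f" | sed '/^$/d')
    [ "$(printf '%s\n' "$body" | sed -n '1p')" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "$f: first line is not the BEGIN CERTIFICATE line" >&2; return 1; }
    [ "$(printf '%s\n' "$body" | sed -n '$p')" = "-----END CERTIFICATE-----" ] ||
        { echo "$f: last line is not the END CERTIFICATE line" >&2; return 1; }
    # Between the armor lines: at least one line, Base64 characters only.
    inner=$(printf '%s\n' "$body" | sed '1d;$d')
    [ -n "$inner" ] || { echo "$f: empty certificate body" >&2; return 1; }
    bad=$(printf '%s\n' "$inner" | LC_ALL=C grep -c -v -E '^[A-Za-z0-9+/]+=*$' || true)
    [ "$bad" -eq 0 ] || { echo "$f: $bad non-Base64 line(s)" >&2; return 1; }
    return 0
}

# Constructed sample, not a real certificate: placeholder Base64 body.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURURTQU1QTEU=' \
    '-----END CERTIFICATE-----' > "$demo_dir/ssl.arm"
# The same text as a word processor might save it: UTF-8 BOM prepended.
{ printf '\357\273\277'; cat "$demo_dir/ssl.arm"; } > "$demo_dir/ssl_bom.arm"

check_pem "$demo_dir/ssl.arm" && echo "ssl.arm: OK to import"
check_pem "$demo_dir/ssl_bom.arm" || echo "ssl_bom.arm: re-save as plain text before import"
```

Run check_pem against both intermediate.txt and ssl.arm before opening iKeyman; a file that fails should be re-pasted into a plain-text editor rather than repaired by hand.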
     
Step 4: Install the Certificate
 
Using the iKeyman graphical user interface (GUI):
 
After you download your certificate, you add it to the key database file from which you generated the CSR.
  1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
    Note: To use the iKeyman GUI, be sure that your machine can run the X Window System.

  2. Choose Open from the Key Database File menu. Click Key database type, and select CMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the key database file to which you want to add the certificate. For example, key.kdb.
  5. Click Open.
  6. In the Password Prompt window, type the password you set when you created the key database and then click OK.
  7. Select the Personal Certificates view.
  8. Click Receive.
  9. In the Receive certificate from a file window, select the data type of the new SSL certificate. For example, Base64-encoded ASCII for a file with the .arm extension.
  10. Click Browse to select the name and location of the certificate file.
  11. Click OK.

Using the iKeycmd (command line interface):
     
    To install a certificate in iKeycmd (using UNIX command line), use these commands:
     
    + gsk7cmd -cert -receive -file filename -db filename -pw password -format ascii
     
    To install a certificate in iKeycmd (using Windows command line), use these commands:
     
    + runmqckm -cert -receive -file filename -db filename -pw password -format ascii

    where:
     
    + -file filename is the fully qualified file name of the file containing the personal certificate.
    + -db filename is the fully qualified file name of a CMS key database.
    + -pw password is the password for the CMS key database.
    + -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
 
Step 5: Transferring certificates
 
You can extract an SSL certificate from a key database file and store it in a CA key ring file by performing the following steps:
 
Using the iKeyman graphical user interface (GUI):
  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
  2. Choose Open from the Key Database File menu. Click Key database type, and select CMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the key database file that contains the certificate you want to extract. For example, key.kdb.
  5. Click Open.
  6. In the Password Prompt window, type the password you set when you created the key database and then click OK.
  7. Select Signer Certificates in the Key database content field, and then select the certificate you want to extract.
  8. Click Extract.
  9. Select the Data type of the certificate. For example, Base64-encoded ASCII data for a file with the .arm extension.
  10. Click Browse to select the name and location of the certificate file.
  11. Click OK. The certificate is written to the file you specified.
     
Using the iKeycmd (command line interface):
     
    To extract a certificate in iKeycmd (using UNIX command line), use these commands:
     
    + gsk7cmd -cert -extract -db filename -pw password -label label -target filename -format ascii
     
    To extract a certificate in iKeycmd (using Windows command line), use these commands:
     
    + runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii
     
    where:
    + -db filename is the fully qualified pathname of a CMS key database.
    + -pw password is the password for the CMS key database.
    + -label label is the label attached to the certificate.
    + -target filename is the name of the destination file.
    + -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.