How to move an SSL certificate from Microsoft IIS version 6.0 and 7.0 to IBM HTTPS Server key database
To move an SSL certificate from a Microsoft IIS version 6.0 and 7.0 to IBM HTTPS server, perform the following steps:
Step 1: Create a Microsoft Management Console (MMC) Snap-in for managing certificates
Create a Microsoft Management Console (MMC) Snap-in for managing certificates, as described in solution SO14292
Step 2: Export the certificate
Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates
The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure)
Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens
Select Yes, export the private key
In the Export File Format window, ensure the option for Personal Information Exchange - PKCS#12 (.pfx) is selected
Select Include all certificates in the certificate path if possible and then click Next. (If you do not select the Include all certificates in the certificate path if possible option, your server may not recognize the issuer of the certificate, which may result in security warnings for your clients.
De-select Require Strong Encryption. (This may cause a password prompt every time an application attempts to access the private key or it may cause IIS to fail).
Enter and confirm a password to protect the PFX file and click Next
Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension for you)
Read the summary and verify that the information is correct. Pay special attention to where you saved the file. Ensure that the information is correct
Step 3: Create new key database file
Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility
From the Menu Bar select "Key Database File"
Click on NEW
File Name= (The name of new Key Database file)
Location= (The location on the harddrive where the .kdb file will be stored)
After saving the file to the location specified, a password must be entered Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future
Make sure to click the box that states "Stash the password to a file?" Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.
Step 4: Add the signer
Obtain both RapidSSL Primary & Secondary Intermediate CA certificate based on your SSL certificate product, refer to article AR1548.
Start the key management utility (iKeyman). To start the iKeyman graphical user interface:
Windows: go to the start UI and select Start Key Management Utility
AIX, Linux or Solaris: type ikeyman on the command line
Open the key database file that was used to create on Step 3.
Enter the password, then click OK.
Select Signer Certificates, then click Add.
Click Data Type and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate.
Enter a file name and location for the RapidSSL Intermediate CA certificate or click Browse to select a file name and location. Note: Ensure both RapidSSL Primary & Secondary Intermediate CA certificate is installed separately as part of Signer Certificates
Enter a label for importing certificate.
Step 5: Import the .PFX file to Personal Certificates
Select Personal Certificates from the object list box.
Click Import button. This will bring up the Import Key panel.
Change the Key File Type to PKCS12.
Click Browse to locate the personal certificate created from the section labeled "Personal extraction." Note: The .PFX file is the exported certificate file within Microsoft IIS server based on Step 2.
Enter the password to this file when prompted and click OK. This will bring up the Change Labels panel which gives you the opportunity to change the label displayed within Ikeyman. This is not mandatory, but gives you the chance to put a meaningful text against your certificate rather than keeping the cryptic-like label displayed. This is especially useful if you plan to use the SSLServerCert directive within IBM HTTP Server to specifically point authentication to one of many certificates available within a single key database file.
Select the certificate listed and type in a new label. Click Apply to set the new label.
Click OK to complete the Import process.
At this point, you should have a working key database file that can be used with IBM HTTP Server