Solution ID : SO17831

Last Modified : 05/02/2018

How to move an SSL certificate from Microsoft IIS version 6.0 and 7.0 to an IBM HTTP Server key database



To move an SSL certificate from Microsoft IIS version 6.0 or 7.0 to IBM HTTP Server, perform the following steps:


Step 1: Create a Microsoft Management Console (MMC) Snap-in for managing certificates
Create a Microsoft Management Console (MMC) Snap-in for managing certificates, as described in solution SO14292


Step 2: Export the certificate 

  1. Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates
  2. The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure)
  3. Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens
  4. Select Yes, export the private key
  5. Click Next
  6. In the Export File Format window, ensure the option for Personal Information Exchange - PKCS#12 (.pfx) is selected
  7. Select Include all certificates in the certificate path if possible and then click Next. (If you do not select this option, your server may not recognize the issuer of the certificate, which may result in security warnings for your clients.)
  8. De-select Require Strong Encryption. (This may cause a password prompt every time an application attempts to access the private key or it may cause IIS to fail).
  9. Click Next
  10. Enter and confirm a password to protect the PFX file and click Next
  11. Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension for you)
  12. Click Next
  13. Read the summary and verify that the information is correct. Pay special attention to where you saved the file
  14. Click Finish
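
Before the exported .pfx is imported in Step 5, it is worth confirming that it really contains the private key and, where possible, the issuing chain. The following is an added example, not part of the original solution; it assumes the openssl command-line tool is available, and the function names `pfx_summary` and `pfx_check` are hypothetical.

```sh
# Added example: pre-import check of the .pfx exported in Step 2.
# Needs the openssl CLI. On OpenSSL 3.x, a .pfx written by an older Windows
# release may also need "-legacy" on each pkcs12 command below.

# pfx_summary FILE PASSWORD
# Prints "keys=<n> certs=<n>"; returns 2 if the file cannot be opened.
pfx_summary() (
    pfx=$1
    # Pass the password through the environment, not the command line.
    PFX_PASS=$2; export PFX_PASS
    # -noout: only verify the MAC/password, print nothing.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -noout >/dev/null 2>&1 || exit 2
    # -nodes sends the key unencrypted into the pipe only; it is counted,
    # never written to disk.
    keys=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true)
    echo "keys=$keys certs=$certs"
)

# pfx_check FILE PASSWORD
# Prints a verdict: ok | ok-no-chain | no-private-key | no-certificate | unreadable
pfx_check() (
    summary=$(pfx_summary "$1" "$2") || { echo unreadable; exit 2; }
    keys=${summary#keys=}; keys=${keys%% *}
    certs=${summary##*certs=}
    [ "$keys" -eq 1 ] || { echo no-private-key; exit 1; }
    [ "$certs" -ge 1 ] || { echo no-certificate; exit 1; }
    # Only the server certificate: the chain was not exported, so the
    # intermediates must be added as signer certificates (Step 4).
    [ "$certs" -gt 1 ] || { echo ok-no-chain; exit 0; }
    echo ok
)
```

A verdict of `no-private-key` means the export in Step 2 was done without "Yes, export the private key" and the file cannot serve as a personal certificate.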

Step 3: Create new key database file

  1. Open the IKEYMAN Utility (From Windows NT click Start -> Programs -> IBM HTTP Server -> Start Key Management Utility)
  2. From the Menu Bar select "Key Database File"
  3. Click on NEW
  4. File Name= (The name of new Key Database file)
  5. Location= (The location on the harddrive where the .kdb file will be stored)
  6. After saving the file to the location specified, a password must be entered
    Note: This is the password that will be used to open the .kdb file in IKEYMAN in the future
  7. Make sure to click the box that states "Stash the password to a file?"
    Note: This will encrypt the password and save the file as a .sth file in the same directory as the .kdb file.
  8. Click OK

Step 4: Add the signer

Obtain both the RapidSSL Primary and Secondary Intermediate CA certificates for your SSL certificate product; refer to article AR1548.

  1. Start the key management utility (iKeyman). To start the iKeyman graphical user interface: 
    Windows: go to the start UI and select Start Key Management Utility
    AIX, Linux or Solaris: type ikeyman on the command line
  2. Open the key database file that was created in Step 3.
  3. Enter the password, then click OK.
  4. Select Signer Certificates, then click Add.
  5. Click Data Type and select a data type, such as Base64-encoded ASCII data. This data type must match the data type of the importing certificate.
  6. Enter a file name and location for the RapidSSL Intermediate CA certificate or click Browse to select a file name and location.
    Note: Ensure that the RapidSSL Primary and Secondary Intermediate CA certificates are each installed separately as Signer Certificates
  7. Click OK.
  8. Enter a label for the certificate being imported.
  9. Click OK

Step 5: Import the .PFX file to Personal Certificates 

  1. Select Personal Certificates from the object list box.
  2. Click Import button. This will bring up the Import Key panel.
  3. Change the Key File Type to PKCS12.
  4. Click Browse to locate the personal certificate created from the section labeled "Personal extraction."
    Note: The .PFX file is the exported certificate file within Microsoft IIS server based on Step 2.
  5. Enter the password for this file when prompted and click OK. This will bring up the Change Labels panel, which gives you the opportunity to change the label displayed within iKeyman. This is not mandatory, but it lets you give the certificate a meaningful label rather than keeping the cryptic default. This is especially useful if you plan to use the SSLServerCert directive within IBM HTTP Server to point to one specific certificate among many in a single key database file.
  6. Select the certificate listed and type in a new label. Click Apply to set the new label.
  7. Click OK to complete the Import process.

At this point, you should have a working key database file that can be used with IBM HTTP Server

This information was obtained from IBM's web site.