Creating a trusted SSL certificate takes several steps. Here is a general overview (the detailed steps for each tool are in the sections below):
Create a self-signed certificate and store this in your keyring (also known as certificate store or keystore). This certificate can be used for encryption but it doesn't prove who you are yet. Create a Certificate Signing Request (CSR) from this self-signed certificate.
Send this Certificate Signing Request to a Certificate Authority along with proof of who you are (e.g. company records). You can think of the Certificate Authority as the equivalent to the "Births, Deaths and Marriages Department".
The Certificate Authority will counter-sign the Certificate Signing Request (CSR) by giving you back a signed certificate.
Import this signed certificate into your keyring.
Import the public Certificate Authority certificates if these aren't already imported, to show that you trust the Certificate Authority.
A Certificate Signing Request is an encoded file that provides a standardised way to send your public key together with information that identifies you, your company and your domain name. When you generate a CSR, most server software asks for the following information:
common name
organization name and location (country, state/province, city/town)
key type (typically RSA)
key size (4096-bit)
This Certificate Signing Request needs to be signed by a CA and then returned to the owner before it can be used, as shown in the diagram below:
(Diagram: public key certificate issuance. Source: https://en.wikipedia.org/wiki/Certificate_authority#/media/File:PublicKeyCertificateDiagram_It.svg)
There are several tools that can create a certificate signing request; which one to use depends on the operating system, the web server and the keystore the certificate has to end up in. Use the tool that belongs to the keystore on the system you are working on, so that the private key is created directly in that keystore and there are no surprises with supported algorithms:
Windows certreq
Linux OpenSSL
Java Keytool
IBM gskcmd (deprecated)
Win-ACME
Windows certreq
Step 1
Prepare a request .INF file with your certificate attributes (example.inf):
[Version]
Signature="$Windows NT$"
[NewRequest]
;replace attributes in the line below
Subject = "CN=server.example.net, O=Ask your IT department, L=Ask your IT department, S=Ask your IT department, C=Ask your IT department"
Exportable = FALSE
MachineKeySet = TRUE
KeyLength = 4096
ProviderType = 12
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
;SAN="dns=CN like Subject&dns=other_FQDN_you_require"
SAN="dns=server.example.net"
ATTENTION: If you want to add more than one SAN be careful to follow the syntax: SAN="dns=example1.contoso.net&dns=example2.contoso.net..."
Step 2
In a Command Prompt, generate a Certificate Signing Request (CSR):
certreq.exe -new example.inf testserver.csr
Step 3
Submit and sign the request through corporate certification authority. NOTE: This step may take a few hours or days for the request to be actioned.
Step 4
Store the received .p7b file on your server
Step 5
Import the certificate into the local machine certificate store
certreq -accept testserver.p7b
Linux OpenSSL
Step 1
Create an OpenSSL config file; see the example content of "example.contoso.net.cfg" below:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
# Please fill in the applicant information as described under point 1.1
C = DE
ST = State
L = City
O = Organization
CN = Certificate Common Name
emailAddress = Requester's e-mail address
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = same as in CN field
# If more than one address is needed, enter your SAN addresses in the following DNS entries and remove the leading hash
#DNS.2 =
#DNS.3 =
Step 2
OpenSSL command to create the key pair and the CSR:
openssl req -config example.contoso.net.cfg -newkey rsa:4096 -sha256 -keyout example.contoso.net.key -out example.contoso.net.csr
Because the command above does not pass -nodes, openssl prompts for a passphrase and stores the generated key encrypted under it, using the AES-256 algorithm. This passphrase must then be entered whenever the service is started. If you do not want this, add -nodes (spelled -noenc on OpenSSL 3) to the command. In any case, make sure that the key file can only be read by you!
Step 3
Submit and sign the request through corporate certification authority. NOTE: This step may take a few hours or days for the request to be actioned.
Step 4
Store the received .p7b file on your server
Step 5
Import the certificate into the local machine certificate store
XXXXXXXXXXXXXXXX
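The following is an added example, not code from the original article: it runs the OpenSSL steps above non-interactively (config file with SANs, key and CSR), then performs the two checks a requester should do, namely confirming the SANs the CSR really carries before sending it, and, once the signed certificate comes back, confirming that the certificate belongs to the private key and chains to the CA. Because a corporate CA cannot be reached from a script, the throwaway CA produced by make_test_ca stands in for it. The function names (make_csr, csr_sans, make_test_ca, sign_with_test_ca, cert_matches_key, chain_ok, demo), the host names and the DN values are all chosen for this example, and the key is written without a passphrase (-nodes) so the run is unattended.

```shell
#!/bin/sh
# Added example, not code from the original article: a non-interactive
# version of the OpenSSL CSR workflow above, plus the checks a requester
# should run before sending the CSR and after the signed certificate comes
# back. A throwaway CA created by make_test_ca stands in for the corporate
# CA; all host names and DN values are constructed for the demo.
set -eu

# make_csr DIR FQDN [EXTRA_SAN ...]
# Writes DIR/FQDN.cfg, an unencrypted private key DIR/FQDN.key (mode 0600)
# and the request DIR/FQDN.csr. The CN is repeated as DNS.1, extra SANs
# follow as DNS.2, DNS.3, ...
make_csr() {
    dir=$1; fqdn=$2; shift 2
    cfg="$dir/$fqdn.cfg"
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nC = DE\nST = Example State\nL = Example City\nO = Example Org\nCN = %s\n' "$fqdn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = %s\n' "$fqdn"
        i=2
        for san in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$cfg"
    # umask 077 so the key file is created readable by the requester only;
    # -nodes skips the passphrase (drop it if the service can prompt for one)
    (umask 077 && openssl req -config "$cfg" -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null)
}

# csr_sans CSR -> the DNS SANs the request actually carries, one per line
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# make_test_ca DIR -> DIR/ca.key and DIR/ca.crt (self-signed, demo only)
make_test_ca() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Demo Test CA\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1/ca.cfg"
    (umask 077 && openssl req -x509 -config "$1/ca.cfg" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null)
}

# sign_with_test_ca DIR CSR CFG OUT -> OUT signed by the test CA, with the SANs
# taken from the same config used to build the CSR (x509 -req drops them otherwise)
sign_with_test_ca() {
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$3" -extensions v3_req -out "$4" 2>/dev/null
}

# cert_matches_key CERT KEY -> succeeds only if CERT was issued for KEY
# (compares the SubjectPublicKeyInfo of both sides)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# chain_ok CERT CA_BUNDLE -> succeeds if CERT chains to a CA in the bundle
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: run the whole flow in a temporary directory
demo() {
    d=$(mktemp -d)
    make_csr "$d" server.example.net www.example.net
    echo "SANs in request:"; csr_sans "$d/server.example.net.csr"
    make_test_ca "$d"
    sign_with_test_ca "$d" "$d/server.example.net.csr" "$d/server.example.net.cfg" "$d/server.example.net.crt"
    cert_matches_key "$d/server.example.net.crt" "$d/server.example.net.key" && echo "certificate matches private key"
    chain_ok "$d/server.example.net.crt" "$d/ca.crt" && echo "chain verifies against CA"
    rm -rf "$d"
}
```

Source the file and call demo (for example `sh -c '. ./csr-tools.sh; demo'`). With the real corporate CA, replace make_test_ca and sign_with_test_ca by the submission step and pass the CA's published chain file to chain_ok; that check is the script equivalent of the overview's step of trusting the CA certificates, and cert_matches_key catches the common mistake of pairing a returned certificate with a regenerated key.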
Java Keytool
Step 1
Create a new keystore on your server. This will place the keystore file certreq.p12 in your current directory (for a PKCS12 keystore the key password must be the same as the store password):
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -genkeypair -alias default -keyalg RSA -keysize 4096 -validity 5000 -keypass PASSWORD -dname "CN=example.contoso.net, O=A Company, L=A City, S=A State, C=AU" -ext san=dns:example.contoso.net
Step 2
Add the company's root certificates (if required):
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -trustcacerts -alias "companyRootCert" -file companyRootCert.cer -noprompt
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -trustcacerts -alias "companyRootCert2" -file companyRootCert2.cer -noprompt
Step 3
Export out the Certificate Request file:
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -certreq -alias default -keyalg RSA -ext san=dns:example.contoso.net -file certreq.csr
Step 4
Submit the file "certreq.csr" and sign the request through corporate certification authority. NOTE: This may take a few hours or days.
Step 5
Import the certificate into the keystore:
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -alias "default" -file example.contoso.net -noprompt
IBM gskcmd (deprecated)
The following steps assume you wish to use this certificate for the IBM HTTP Server. Note that IBM has generally migrated to using Liberty Server (which uses Java Keytool) instead, so the information below is for legacy systems.
Step 1
Create a new certificate request in the IHS key database on your server; the request is written to the file given by -file:
/IBM/HTTPServer/bin/gskcmd -certreq -create -db /IBM/Certificates/ihskeys.kdb -pw XXXX -label sslcert -file /IBM/Certificates/certreq.csr -dn CN=example.contoso.net,O=A Company,C=US -size 4096
Step 2
Submit and sign the request through corporate certification authority. NOTE: This may take a few hours or days.
Step 3
Import the certificate into the keystore:
/IBM/HTTPServer/bin/gskcmd -cert -receive -file testserver.p7b -db /IBM/Certificates/ihskeys.kdb -default_cert yes -pw XXXX
/IBM/HTTPServer/bin/gskcmd -cert -getdefault -db /export/IBM/Certificates/ihskeys.kdb -pw XXXX
Step 4
Using WinSCP, open the configuration file:
IBM/HTTPServer/conf/httpd.conf
Step 5
Edit the line SSLServerCert example.contoso.net to the new certificate name (this is because IHS ignores the default certificate designation):
SSLServerCert sslcert
Step 6
In WinSCP, open /IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml
Step 7
Edit the following lines to point to the new certificate name:
<Property Name="certLabel" Value="sslcert"/>
Note there could be many instances of the above line in the configuration file. Change all of these instances.
Step 8
Restart the IBM HTTP Server:
systemctl stop ihs.service
systemctl start ihs.service
Win-ACME
With the movement towards automated key issuing and shorter key lifetimes, Automated Certificate Management Environment (ACME) is becoming more and more important. Win-ACME is a Windows implementation of ACME, and it is fairly intuitive because it features a menu-driven console application.
The following steps are for using win-acme when using the industry standard PKCS12 key store format.
Step 1
Install win-acme from https://www.win-acme.com/ if not provided by your Certificate Authority.
Step 2
Configure win-acme by editing the settings.json file. The actual settings can usually be obtained from your Certificate Authority, or they may have a custom win-acme build all ready to go.
Step 3
Open Command Prompt (as administrator).
Step 4
Run win-acme:
cd C:\Program Files\win-acme
wacs.exe --nocache --target manual --host servername.net --store pfxfile --pfxpassword password123456 --emailaddress your_email_address@yourdomain.net --pfxfilepath c:\path\to\keystore\
If wacs asks any questions, you can typically select the defaults by pressing "Enter".
NOTE: If you want to use Java's keytool instead, because the keystore has to contain multiple keys and root certificates, the following commands hand the issued certificate to the ImportJKS.ps1 script in win-acme's Scripts folder, which appends the key to the Java keystore (replace only the placeholder parameters, i.e. the host name, e-mail address, paths and passwords):
setx JAVA_HOME "C:\Program Files\Java\jdkx.x_x\bin"
REM Make sure you use setx and not set, otherwise the environment variable will not persist after a reboot.
wacs.exe --nocache --target manual --host servername.net --store none --emailaddress your_email_address@yourdomain.net --installation script --script "Scripts\ImportJKS.ps1" --scriptparameters "-pfxfile \"{CacheFile}\" -pfxpassword {CachePassword} -keystorefile c:\path\to\keystore.p12 -keystorepassword password123456 -keystorekeypassword password123456"
Step 5
To check the keystore and the created key, download and install Keystore Explorer. Previously, IBM distributed a similar keystore tool; however, this was removed in later versions of Java. You can then double-click on the .p12 file to see the details. If the certificate is signed properly, you should see the CA in the Certificate Hierarchy chain.
Step 6
Check that the scheduled task was created by win-acme, by opening Task Scheduler > Task Scheduler Library > double-click "win-acme renew" > tab Actions > Edit.
Step 7
Run the renewal, then check that it worked by inspecting the server's certificate in a browser.
Step 8
The next time the certificate is due to renew (30 days before the expiry by default), check WACS by reviewing the log files in: %ProgramData%\win-acme\cmu31.rsint.netejbcaacmedirectory\Log
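As an added example (not code from the article or from win-acme), the script below turns the renewal-window check from Steps 7 and 8 into something a monitoring job can run: it reads the certificate win-acme wrote, either a PEM file or the PKCS#12 store produced by the pfxfile store type, reports how many days remain, and says whether the certificate is already inside the renewal window (30 days, matching the default above). The function names (cert_pem, not_after, days_left, needs_renewal, report), the file names, the store password and the thresholds are placeholders chosen for this example; the comparison itself is left to openssl's -checkend so no date arithmetic can go wrong there.

```shell
#!/bin/sh
# Added example, not code from the original article or from win-acme:
# a renewal-window check over the certificate win-acme has written, so the
# 30-day renewal default can be monitored from a script instead of by
# reading log files. Works on a PEM certificate or a PKCS#12 store
# (.pfx/.p12); names, passwords and thresholds are demo placeholders.
set -eu

# cert_pem FILE [PFX_PASSWORD] -> the leaf certificate as PEM on stdout
cert_pem() {
    case "$1" in
        *.pfx|*.p12)
            # -clcerts keeps the end-entity certificate only, CA certs are skipped
            openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:${2-}" 2>/dev/null ;;
        *)
            openssl x509 -in "$1" ;;
    esac
}

# not_after FILE [PFX_PASSWORD] -> notAfter as printed by openssl,
# e.g. "Mar  5 12:00:00 2026 GMT"
not_after() {
    cert_pem "$1" "${2-}" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# days_left FILE [PFX_PASSWORD] -> whole days until notAfter (truncated toward
# zero, so it goes to 0 and then negative around expiry)
days_left() {
    end=$(not_after "$1" "${2-}")
    # GNU date first, BSD/macOS date as fallback
    end_s=$(date -u -d "$end" +%s 2>/dev/null || date -u -j -f '%b %e %T %Y %Z' "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# needs_renewal FILE DAYS [PFX_PASSWORD] -> succeeds if the certificate expires
# within DAYS; openssl's -checkend does the comparison, no date parsing here
needs_renewal() {
    if cert_pem "$1" "${3-}" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# report FILE DAYS [PFX_PASSWORD] -> one line suitable for a monitoring job
report() {
    n=$(days_left "$1" "${3-}")
    if needs_renewal "$1" "$2" "${3-}"; then
        printf '%s: %s days left, inside the %s-day renewal window, check win-acme\n' "$1" "$n" "$2"
    else
        printf '%s: %s days left, OK\n' "$1" "$n"
    fi
}
```

Typical use is `report c:/path/to/keystore/servername.net.pfx 30 "$PFX_PASSWORD"` from the same scheduled-task host; if the line still says "inside the renewal window" a day or two after the win-acme task should have run, that is the moment to read the log directory mentioned above.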