SSL Certificates
Overview
To create an SSL certificate that is trusted, there are many steps. Here is a general overview (more detailed steps are in the sections below):
Create a self-signed certificate and store this in your keyring (also known as certificate store or keystore). This certificate can be used for encryption but it doesn't prove who you are yet. Create a Certificate Signing Request (CSR) from this self-signed certificate.
Send this Certificate Signing Request to a Certificate Authority along with proof of who you are (e.g. company records). You can think of the Certificate Authority as the equivalent to the "Births, Deaths and Marriages Department".
The Certificate Authority will counter-sign the Certificate Signing Request (CSR) by giving you back a signed certificate.
Import this signed certificate into your keyring.
Import the public Certificate Authority certificates if these aren't already imported, to show that you trust the Certificate Authority.
What is a Certificate Signing Request
A Certificate Signing Request is an encoded file that provides you with a standardised way to send your public key together with some information that identifies you, your company and your domain name. When you generate a CSR, most server software asks for the following information:
common name
organization name and location (country, state/province, city/town)
key type (typically RSA)
key size (4096-bit)
This Certificate Signing Request needs to be signed by a CA and then returned to the owner before it can be used, as shown in the diagram below:
Source: https://en.wikipedia.org/wiki/Certificate_authority#/media/File:PublicKeyCertificateDiagram_It.svg
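The following Python script is an added example, not part of this page or of any of the tools it describes. Using only the standard library, it builds a CSR with exactly the structure described above (version, subject, public key, the requested SAN extension, and a signature), then parses one back and reports the things a CA operator or reviewer checks before forwarding a request: that the SAN lists the common name, that the key is RSA of the expected size, and that the request is signed with SHA-256. The RSA modulus is a seeded random number and the signature is all zeros, so the output is structurally a CSR but not a usable one; the subject and SAN values reuse the page's example.contoso.net placeholders.

```python
"""PKCS#10 CSR build/inspect with the standard library only (added example; dummy key and signature)."""
import random

OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "C": "2.5.4.6", "rsaEncryption": "1.2.840.113549.1.1.1",
        "sha256WithRSA": "1.2.840.113549.1.1.11", "sha1WithRSA": "1.2.840.113549.1.1.5",
        "extensionRequest": "1.2.840.113549.1.9.14", "subjectAltName": "2.5.29.17"}
NULL = b"\x05\x00"

def tlv(tag, body):                    # minimal DER encoder: tag, length, value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")          # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):   return tlv(0x30, b"".join(items))
def setof(*items): return tlv(0x31, b"".join(items))
def integer(n):    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def bitstr(b):     return tlv(0x03, b"\x00" + b)               # leading byte: 0 unused bits

def oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:                    # base-128 digits, high bit set on all but the last
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))
OID_NAMES = {oid(v)[2:]: k for k, v in OIDS.items()}          # encoded OID body -> name

def build_csr(subject, sans, key_bits=4096, sig_alg="sha256WithRSA"):
    """CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }. Constructed
    placeholders: seeded random modulus, all-zero signature; well-formed but not a usable request."""
    modulus = random.Random(key_bits).getrandbits(key_bits) | 1 << (key_bits - 1) | 1
    name = seq(*[setof(seq(oid(OIDS[k]), tlv(0x0C, v.encode()))) for k, v in subject.items()])
    spki = seq(seq(oid(OIDS["rsaEncryption"]), NULL), bitstr(seq(integer(modulus), integer(65537))))
    attrs = b""
    if sans:                           # SAN travels inside a pkcs-9 extensionRequest attribute
        names = seq(*[tlv(0x82, d.encode("ascii")) for d in sans])            # [2] dNSName
        ext = seq(oid(OIDS["subjectAltName"]), tlv(0x04, names))
        attrs = seq(oid(OIDS["extensionRequest"]), setof(seq(ext)))
    info = seq(integer(0), name, spki, tlv(0xA0, attrs))       # version 0, [0] IMPLICIT attributes
    return seq(info, seq(oid(OIDS[sig_alg]), NULL), bitstr(b"\x00" * (key_bits // 8)))

def children(body):
    """Minimal DER decoder: split a constructed body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:              # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def parse_csr(der):
    """Return the subject, key algorithm and size, SAN DNS names and signature algorithm."""
    (_, info), (_, sig_alg), _ = children(children(der)[0][1])
    (_, _ver), (_, name), (_, spki), (_, attrs) = children(info)
    subject = {}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)
            subject[OID_NAMES.get(o, o.hex())] = v.decode()
    (_, alg), (_, key) = children(spki)
    key_alg, key_bits = OID_NAMES.get(children(alg)[0][1], "unknown"), None
    if key_alg == "rsaEncryption":                            # key[0] is the unused-bits byte
        (_, modulus), _ = children(children(key[1:])[0][1])
        key_bits = int.from_bytes(modulus, "big").bit_length()
    sans = []
    for _, attr in children(attrs):
        (_, o), (_, vals) = children(attr)
        if OID_NAMES.get(o) == "extensionRequest":
            for _, ext in children(children(vals)[0][1]):
                parts = children(ext)                 # OID, optional critical flag, OCTET STRING
                if OID_NAMES.get(parts[0][1]) == "subjectAltName":
                    gnames = children(children(parts[-1][1])[0][1])
                    sans += [v.decode("ascii") for t, v in gnames if t == 0x82]
    return {"subject": subject, "key_alg": key_alg, "key_bits": key_bits, "sans": sans,
            "sig_alg": OID_NAMES.get(children(sig_alg)[0][1], "unknown")}

def check_csr(der, min_bits=4096):
    """Findings a reviewer would raise before forwarding the request to the CA."""
    c, findings = parse_csr(der), []
    cn = c["subject"].get("CN")
    if not c["sans"]:
        findings.append("no subjectAltName (browsers ignore the CN)")
    elif cn and cn not in c["sans"]:
        findings.append(f"CN {cn} is not listed in the SAN")
    if c["key_bits"] is None or c["key_bits"] < min_bits:
        findings.append(f"key is {c['key_alg']} {c['key_bits']} bits, expected RSA >= {min_bits}")
    if c["sig_alg"] != "sha256WithRSA":
        findings.append(f"request signed with {c['sig_alg']}, not sha256WithRSA")
    return findings

if __name__ == "__main__":
    dn = {"CN": "example.contoso.net", "O": "A Company", "C": "AU"}
    print("good:", check_csr(build_csr(dn, ["example.contoso.net"])) or "no findings")
    print("bad: ", check_csr(build_csr(dn, ["other.contoso.net"], 2048, "sha1WithRSA")))
```

The decoder is deliberately generic: children() walks any DER construct, so parse_csr also works on a real request read from a .csr file after stripping the PEM armour (base64-decode the text between the BEGIN and END lines). The SAN check is the one that matters most in practice, since browsers ignore the CN when a SAN is present, which is why the configuration sections on this page insist that the SAN repeat the CN.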
There are a few tools to create the certificate signing request. This often depends on the operating system, the web server and the required certificate store.
There are three common tools that can create certificates, plus the deprecated IBM gskcmd. Depending on your keystore, use the native tool of the system you are working on, to avoid problems with supported algorithms and private key formats:
Windows certreq
Linux OpenSSL
Java Keytool
IBM gskcmd (deprecated)
Windows
Step 1
Prepare a Request .INF file with your certificate attributes (example.inf)
[Version]
Signature="$Windows NT$"
[NewRequest]
;replace attributes in the line below
Subject = "CN=server.example.net, O=Ask your IT department, L=Ask your IT department, S=Ask your IT department, C=Ask your IT department"
Exportable = FALSE
MachineKeySet = TRUE
KeyLength = 4096
ProviderType = 12
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
;SAN="dns=CN like Subject&dns=other_FQDN_you_require"
SAN="dns=server.example.net"
ATTENTION: If you want to add more than one SAN be careful to follow the syntax: SAN="dns=example1.contoso.net&dns=example2.contoso.net..."
Step 2
In a Command Prompt, generate the Certificate Signing Request (CSR):
certreq.exe -new example.inf testserver.csr
Step 3
Submit the request to your corporate certification authority for signing. NOTE: This step may take a few hours or days for the request to be actioned.
Step 4
Store the received .p7b file on your server
Step 5
Import the certificate into the local machine certificate store
certreq -accept testserver.p7b
Linux OpenSSL
Step 1
Create an OpenSSL config file; see the example content of "example.contoso.net.cfg" below:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
# Fill in the applicant information (the CSR fields described above)
C = DE
ST = State or province
L = Locality (city or town)
O = Organization
CN = Certificate Common Name
emailAddress = Requester's e-mail address
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = same as in CN field
# If more than one address is needed, enter the additional SAN addresses in the following DNS entries and remove the leading hash
#DNS.2 =
#DNS.3 =
Step 2
OpenSSL command to create the key pair and the csr:
openssl req -config example.contoso.net.cfg -newkey rsa:4096 -sha256 -keyout example.contoso.net.key -out example.contoso.net.csr
The generated key is encrypted with a passphrase, using the aes-256 algorithm. This passphrase must be entered when the service is started. If you do not want this, add the -nodes option (called -noenc in OpenSSL 3) to the command so that the key is written unencrypted. In any case, make sure that the key file can only be read by you!
Step 3
Submit the request to your corporate certification authority for signing. NOTE: This step may take a few hours or days for the request to be actioned.
Step 4
Store the received .p7b file on your server
Step 5
Import the certificate into the local machine certificate store
XXXXXXXXXXXXXXXX
Java Keytool
Step 1
Create a new keystore on your server. This will place the keystore file certreq.p12 in your current directory. For a PKCS12 keystore the key password must be the same as the store password, so use one value for both (replace PASSWORD with your own):
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -genkeypair -alias default -keyalg RSA -keysize 4096 -validity 5000 -keypass PASSWORD -dname "CN=example.contoso.net, O=A Company, L=A City, S=A State, C=AU" -ext san=dns:example.contoso.net
Step 2
Add the company's root certificates (if required):
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -trustcacerts -alias "companyRootCert" -file companyRootCert.cer -noprompt
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -trustcacerts -alias "companyRootCert2" -file companyRootCert2.cer -noprompt
Step 3
Export the Certificate Request file:
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -certreq -alias default -keyalg RSA -ext san=dns:example.contoso.net -file certreq.csr
Step 4
Submit the file "certreq.csr" to your corporate certification authority for signing. NOTE: This may take a few hours or days.
Step 5
Import the signed certificate into the keystore, under the same alias as the key pair (the store password is the one chosen in Step 1):
keytool -keystore certreq.p12 -storetype PKCS12 -storepass PASSWORD -importcert -alias "default" -file example.contoso.net -noprompt
GSKCMD for IBM HTTP Server
The following steps assume you wish to use this certificate for the IBM HTTP Server. Note that IBM has generally migrated to using Liberty Server (which uses Java Keytool) instead, so this information below is for legacy systems.
Step 1
Create a new certificate request on your server. This will place a 'keystore' file in your current directory:
/IBM/HTTPServer/bin/gskcmd -certreq -create -db /IBM/Certificates/ihskeys.kdb -pw XXXX -label sslcert -file /IBM/Certificates/certreq.csr -dn CN=example.contoso.net,O=A Company,C=US -size 4096
Step 2
Submit the request to your corporate certification authority for signing. NOTE: This may take a few hours or days.
Step 3
Import the certificate into the keystore:
/IBM/HTTPServer/bin/gskcmd -cert -receive -file testserver.p7b -db /IBM/Certificates/ihskeys.kdb -default_cert yes -pw XXXX
/IBM/HTTPServer/bin/gskcmd -cert -getdefault -db /export/IBM/Certificates/ihskeys.kdb -pw XXXX
Step 4
Using WinSCP, open the configuration file:
IBM/HTTPServer/conf/httpd.conf
Step 5
Change the line SSLServerCert example.contoso.net so that it names the new certificate label (this is necessary because IHS ignores the default certificate designation):
SSLServerCert sslcert
Step 6
In WinSCP, open /IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml
Step 7
Edit the following lines to point to the new certificate name:
<Property Name="certLabel" Value="sslcert"/>
Note there could be many instances of the above line in the configuration file. Change all of these instances.
Step 8
Restart the IBM HTTP Server:
systemctl stop ihs.service
systemctl start ihs.service