Converting Open SSL certificates to IBM SSL

If you are upgrading your point product and are currently using Open SSL certificates, you must first export your certificates to PKCS12 format before importing them as IBM SSL certificates. The exported private key and public certificate are stored in a password-protected file.

To export your existing Open SSL certificates to PKCS12 format and import them into the IBM SSL Key Management store, do the following:
  1. Export the certificate to PKCS12 format:
    1. Using a command prompt, navigate to the following directories on the respective system:
      • On Windows: drive-letter:\Program Files\Rational\common\bin
      • On UNIX and Linux: /opt/rational/common/rwp/bin
    2. From that directory, enter the following command: openssl pkcs12 -export -in your_server_certificate.crt -out mapped_shared_location\server_cert.p12 -inkey your_server_private_key.key -name ibmhttp
      Note: Record the location of the file server_cert.p12. This is the PKCS12-formatted file that will be imported into the IBM SSL Key Management store.
    3. Enter the pass phrase used when the private key was originally created.
    4. Enter an export password.

  2. Upgrade the IBM SDK Policy Files to use the unrestricted version to enable recognition of non-IBM certificate files.
    Note: Failure to upgrade the Policy File will result in an error while importing the PKCS12 certificate.
    Follow the procedures in http://www.ibm.com/support/docview.wss?uid=swg21201170. Download the 1.4.2 version of the unrestricted policy files and replace the existing two policy files located at:
    • On Windows: drive-letter:\Program Files\Rational\common\rwp\IHS\_jvm\jre\lib\security
    • On UNIX and Linux: /opt/rational/common/rwp/IHS/_jvm/jre/lib/security

  3. Import the certificate into the IBM SSL Key Management store:
    1. Start the IBM HTTP server Key Management Utility tool (if it is not already running).
    2. In the tool, click Key Database File > Open > Select Key database type CMS and click Browse to navigate to your key store file (key.kdb).
    3. Enter the keystore password and click OK.
    4. In the Key database content area, click the drop-down menu and select Personal Certificates.
    5. Click Import, then click Key File type and choose PKCS12.
    6. Click the Browse button and navigate to the .p12 file you wish to import, then click OK.
    7. If prompted, enter a password for the key database, then click OK.
    8. Click OK again to complete the import process.
    Note: If the certificate you are attempting to import has an expired validity date, you will not be able to import it.
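
The export in step 1 and the expired-certificate note above, as an added shell example that is not part of the original page: it checks that the certificate is unexpired and matches the private key before exporting, then reads the .p12 back to confirm the ibmhttp label. The file names, the P12_PASS environment variable and the generated test certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. File names and the P12_PASS variable are assumptions.

# Succeeds only if the certificate stays valid for at least $3 more seconds
# (default 0, i.e. "not expired") and its public key matches the private key.
check_pair() {
    cert=$1 key=$2 min_left=${3:-0}
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Runs the export from step 1 with the export password read from the
# environment instead of a prompt, then reads the file back and confirms
# the ibmhttp friendly name set by -name.
export_p12() {
    check_pair "$1" "$2" || { echo "not exporting: expired or mismatched pair" >&2; return 1; }
    ( umask 077   # the .p12 holds the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name ibmhttp -passout env:P12_PASS ) || return 1
    openssl pkcs12 -in "$3" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -q 'friendlyName: ibmhttp'
}

# Constructed throwaway key and one-day self-signed certificate, standing in
# for your_server_certificate.crt and your_server_private_key.key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Demo on constructed data: throwaway directory and throwaway password.
tmp=$(mktemp -d)
P12_PASS='constructed-export-pw'; export P12_PASS
make_sample "$tmp" &&
    export_p12 "$tmp/server.crt" "$tmp/server.key" "$tmp/server_cert.p12" &&
    echo "export verified"
rm -rf "$tmp"
```

Passing a larger third argument to check_pair (for example 2592000 for 30 days) flags certificates that are still valid now but would expire shortly after the import.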

