How to properly RENEW a certificate using IKEYMAN
 Technote (troubleshooting)
 
Problem(Abstract)
How to properly RENEW a certificate using IKEYMAN
 
Resolving the problem

The following steps are required for RENEWING an "existing" or "expired" certificate.

The following steps assume you are familiar with the IKEYMAN utility and understand the differences between KeyFiles and Certificates. If you are not, visit the following URL before proceeding; it has more information on using IKEYMAN to manage KeyFiles and Certificates.
http://www-306.ibm.com/software/webservers/httpservers/doc/v20/manual/ibm/9atikeyu.htm

Renewing "Self-Signed" Certificates:

For IBM® HTTP Server releases of 1.3.6, 1.3.12, 1.3.19, 1.3.26, 1.3.28 and 2.0

  1. Start the IKEYMAN graphical interface
  2. Open the existing KeyFile (.kdb) that contains the self-signed certificate.
  3. Click on the certificate in the "Personal Certificates" section of the KeyFile and then click on the "delete" button to the right of the screen. Note: This will remove the certificate from the KeyFile.
  4. Click on the "new self-signed" button to the right of the screen.
  5. Fill in the new self-signed certificate form and then click OK. Note: You will now see your new certificate listed in the "Personal Certificates" section of the KeyFile.
  6. Close the IKEYMAN utility and restart the IBM HTTP Server for the changes to take effect.

Renewing Certificates issued by an external Certificate Authority (CA):

(Example: Verisign, Thawte, Entrust, etc.)

Note: You cannot re-send an "old" certreq.arm to the CA or re-import/receive the "old" certificate issued by the CA into IKEYMAN for renewal. Neither one of the above methods will work, nor are they supported.

IBM HTTP Server 1.3.12.2 or higher

These instructions do NOT apply if you are running IBM HTTP Server 1.3.6, 1.3.12.0, 1.3.12.1.

  1. Start the IKEYMAN graphical interface
  2. Open the existing KeyFile (.kdb) that contains the certificate.
  3. Click on the "old" certificate in the "Personal Certificates" section of the KeyFile and then click on the "recreate request" button to the right of the screen. This will bring up a window asking you to provide a name for the request. The default of certreq.arm is fine. Save the file to the hard drive (preferably in the same directory as the old request file). Note: Do not delete the "old" certificate.
  4. Send the "new" certreq.arm to your CA.
  5. After receiving the "renewal" certificate from the CA, click on the "receive" button to the right of the screen and browse to the directory where you have stored the "renewal" certificate.
  6. Highlight the "renewal" certificate and click "Open" and then click "OK". You should then see this message: "A renewal certificate was found, Do you want to update the existing certificate?"
  7. Select "Yes".
  8. Your "renewal" certificate should be successfully added to your (.kdb) file.
  9. Close the IKEYMAN utility and restart the IBM HTTP Server for the changes to take effect.

IBM HTTP Server 1.3.6, IBM HTTP Server 1.3.12.0, IBM HTTP Server 1.3.12.1

Unfortunately, if you are running one of the above-mentioned versions of IBM HTTP Server, you will need to create a "brand new" request and send this request to your Certificate Authority (CA).

Please follow the instructions below.

  1. Start the IKEYMAN graphical interface
  2. Open the existing KeyFile (.kdb) that contains the certificate.
  3. In the "Personal Certificate Request" section of the KeyFile, click on the "new" button to the right of the screen.
  4. Fill in the "new" certificate request form with a new key label. The remaining information should be the same as was entered for the "old" certificate request. Then click OK. Be sure to make a note of the new certreq.arm filename and the location on the hard drive where it was saved. Note: You should now see your "new" certificate request listed in the "Personal Certificate Request" section of the KeyFile.
  5. Send the "new" certreq.arm to the Certificate Authority. After receiving the "new" certificate back from the CA, save the certificate to the hard drive.
  6. In the "Personal Certificate Request" section of the KeyFile, click on the "receive" button to the right of the screen.
  7. Browse to the directory where you have saved the "new" certificate that you received back from the CA.
  8. Highlight the "new" certificate and click "Open" and then click "OK" to receive it into the KeyFile. Note: You will have to mark the new certificate as the default. You should now see your new certificate listed in the "Personal Certificate" section of the KeyFile.
  9. Close the IKEYMAN utility and restart the IBM HTTP Server for the changes to take effect.
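
Both CA renewal procedures above depend on the certificate returned by the CA matching the "new" certreq.arm. The following check, run before the "receive" step, is an added example and not part of the original technote: it assumes the openssl command is available in a POSIX shell and that both files are Base64 text; the names renewal.arm and stale.arm and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a CA reply before "receive" in IKEYMAN.
# Usage: check_renewal certreq.arm <certificate file from the CA>
# Exit codes: 0 = safe to receive, 1 = mismatch or expired, 2 = unreadable file.

pubkey_of() {  # $1 = req|cert, $2 = file; prints the public key in PEM form
    case "$1" in
        req)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

check_renewal() {  # $1 = request file, $2 = certificate file
    req_key=$(pubkey_of req "$1")  || { echo "unreadable request: $1"; return 2; }
    crt_key=$(pubkey_of cert "$2") || { echo "unreadable certificate: $2"; return 2; }
    # A certificate issued for this request carries the request's public key.
    if [ "$req_key" != "$crt_key" ]; then
        echo "MISMATCH: certificate was not issued for this request"; return 1
    fi
    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: certificate is already past its notAfter date"; return 1
    fi
    echo "OK: $(openssl x509 -in "$2" -noout -enddate)"
}

# Constructed sample input: a request, a matching certificate standing in for
# the CA's reply, and an unrelated certificate with a different key.
make_demo_files() {
    d=$(mktemp -d) || return 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/key.pem" -out "$d/certreq.arm" >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$d/certreq.arm" -signkey "$d/key.pem" -days 30 \
        -out "$d/renewal.arm" >/dev/null 2>&1 || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -days 30 -keyout "$d/other.key" -out "$d/stale.arm" >/dev/null 2>&1 || return 2
    echo "$d"
}

demo_dir=$(make_demo_files)
check_renewal "$demo_dir/certreq.arm" "$demo_dir/renewal.arm" || true
check_renewal "$demo_dir/certreq.arm" "$demo_dir/stale.arm"   || true
```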
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > SSL
Operating system(s): Windows
Software version: 2.0
Software edition:
Reference #: 1045925
IBM Group: Software Group
Modified date: Sep 16, 2004