
SSL Certificate Management Guide

This document discusses SSL certificates and OpenSSL. It provides information on creating and renewing certificates for IBM HTTP Server (IHS) from an existing key database file. It also covers how to convert between different certificate formats like .kdb, .jks, and .pem using tools like OpenSSL and Java Keytool. The document includes commands to generate certificate signing requests and view certificate details.

Uploaded by

jsantosh_d
What is SSL?
How to create certs for IHS?
How to renew certs from an existing KDB file?
OpenSSL

Q&A

SSL
SSL (Secure Sockets Layer) is a standard security technology for establishing a connection between a server and client browsers.
Algorithms:
MD5 hash algorithm
RSA public-key cryptography
SHA-1 (128), 1024-bit
SHA-2 (256), 2048-bit (approved by NIST)
SHA-384, 512
SHA-3 (not yet approved by NIST)
What is a Certificate Authority (CA)?
A CA is an entity that issues digital certificates.

Root certificate: unsigned public key or self-signed

How to order certs?

1) Gather the required information, such as CN, O, OU, S and C
2) Generate a CSR
3) Submit the CSR to the Certificate Authority
4) Receive and install the certificate

How to create a cert DB?

# Create a CMS key database; -stash saves the password to a stash file
/bin/gsk8capicmd -keydb -create -db dcentral523.kdb -pw password01 -type cms -expire 1000 -stash

# Create a self-signed certificate with a 2048-bit key, signed with SHA-256
/bin/gsk8capicmd -cert -create -db dcentral523.kdb -pw password01 -size 2048 \
    -dn "CN=dcentral523.intra.aexp.com,OU=Web Hosting,O=American Express Company,L=Phoenix,ST=Arizona,C=US" \
    -label dcentral523.intra.aexp.com -sigalg sha256 -expire 800

# Show the details of the certificate stored under that label
/bin/gsk8capicmd -cert -details -db dcentral523.kdb -label dcentral523.intra.aexp.com
Source database password :
Label : dcentral523.intra.aexp.com
Key Size : 2048
Version : X509 V3
Serial : 123c3b002f299f8e
Issuer : cn=dcentral523.intra.aexp.com, ou=Web Hosting, o =American Express Company, l =Phoenix, st =Arizona, c =US
Subject : cn=dcentral523.intra.aexp.com, ou=Web Hosting, o =American Express Company, l =Phoenix, st =Arizona, c =US
Not Before : March 9, 2015 2:56:55 PM MST
Not After : May 18, 2017 2:56:55 PM MST

How to renew a cert from an existing KDB?

/bin/gsk8capicmd -certreq -recreate -db dcentral523.kdb -pw password01 -type cms \
    -label dcentral523.intra.aexp.com -sig_alg sha256 -target dcentral523.csr

Convert .kdb/.jks to a .key file using OpenSSL

a) Convert .kdb/.jks to PKCS12 using Keytool
b) Convert PKCS12 to PEM using OpenSSL

OpenSSL
What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols.

Version: 1.0.2 (released on Jan 22, 2015)

Algorithms: It supports most cryptographic algorithms.
Most web servers support OpenSSL certificates.

IBM IHS - .kdb (GSK Toolkit)
WebSphere - .jks/.p12 (Java Keytool)
Apache - .key
Tomcat/JBoss - .key
SunOne - .db

Create a CSR

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr

View the CSR

openssl req -verify -noout -text -in server.csr

View the CN from .pem/.crt

openssl x509 -subject -dates -issuer -noout -in server.crt
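
Added example (not part of the original slides): a shell script for the point between "Generate CSR" and "Submit the CSR to Certificate Authority" in the ordering steps. It builds a CSR with the openssl req options shown above, then confirms that the request verifies, uses at least a 2048-bit key and a SHA-2 signature, carries the intended CN, and matches the private key. The function names make_csr and check_csr, the host name www.example.test and the subject fields are constructed for illustration.

```bash
#!/bin/sh
# Added example: checks to run on a CSR before it is sent to the CA.
# Host name, subject fields and function names are constructed.

# make_csr DIR CN: unencrypted 2048-bit RSA key plus SHA-256 signed CSR.
# -subj supplies the DN non-interactively; -nodes leaves the key unencrypted,
# so restrict the key file to its owner.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=Arizona/L=Phoenix/O=Example Corp/OU=Web Hosting/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
        chmod 600 "$1/server.key"
}

# check_csr CSR KEY EXPECTED_CN: prints "ok", or the first failed check.
# Assumes an RSA request whose CN is the last (most specific) RDN.
check_csr() {
    # Match the message rather than rely on the exit status of -verify.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify"; return 1; }
    _text=$(openssl req -in "$1" -noout -text)
    _bits=$(printf '%s\n' "$_text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${_bits:-0}" -ge 2048 ] ||
        { echo "key shorter than 2048 bits"; return 1; }
    printf '%s\n' "$_text" |
        grep -Eq 'Signature Algorithm: sha(256|384|512)With' ||
        { echo "CSR not signed with a SHA-2 digest"; return 1; }
    # RFC2253 output lists the most specific RDN first: CN=host,OU=...,C=US
    _subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case "$_subj" in
        "CN=$3" | "CN=$3,"*) ;;
        *) echo "CN is not $3"; return 1 ;;
    esac
    # The public key derived from the private key must equal the CSR's.
    [ "$(openssl pkey -in "$2" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$1" -noout -pubkey)" ] ||
        { echo "private key does not match CSR"; return 1; }
    echo ok
}

# Demo on a throwaway directory (constructed host name).
demo=$(mktemp -d) && make_csr "$demo" www.example.test &&
    check_csr "$demo/server.csr" "$demo/server.key" www.example.test
rm -rf "$demo"
```

The same public-key comparison can be repeated against the issued certificate with openssl x509 -noout -pubkey before installing it.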
iKeyMan Demo

Q&A
