IBM GSKit
We can create a self-signed root certificate using the IBM GSKit. In this example we are using Windows. Normally I use Linux for my demos, but I had to do this for a client contract in a Windows environment, so I decided to add some of the know-how to this blog entry as part of my IBM HTTP Server how-to guides for Windows. If you are using AIX or Linux, I am sure you can use this guide as a reference; however, there are often a few nuances that differ on the 'nix platforms.
Note: Only use gsk7cmd, the command line interface, if you are unable to implement IKEYMAN, the graphical user interface.
Global Security Kit (GSKit) certificate management tools are installed in the <ihs_install_root>/bin/ directory. These tools should only be run from the installation directory. Examples for the following commands should include the full directory path, such as <ihs_install_root>/bin/gsk7cmd.
D:\ihs7\bin>gsk7cmd.bat -help

Object    Action        Description
------    ------        -----------
-keydb    -changepw     Change the password for a key database
          -convert      Convert the format of a key database
          -create       Create a key database
          -delete       Delete a key database
          -expiry       Display password expiry
          -list         Currently supported types of key database.
          -stashpw      Stash the password of a key database into a file
-cert     -add          Add a CA Certificate
          -create       Create a self-signed certificate
          -delete       Delete a certificate
          -details      Show the details of a specific certificate
          -export       Export a personal certificate and associated private key into a PKCS12 file or a key database
          -extract      Extract a certificate from a key database
          -getdefault   Show the default personal certificate
          -import       Import a certificate from a key database or a PKCS12 file
          -list         List certificates in a key database
          -listsigners  List signer certificates delivered with ikeyman
          -modify       Modify a certificate (NOTE: the only field that may be modified is the trust field)
          -populate     Populate with included CA Certificates
          -receive      Receive a certificate
          -rename       Rename a certificate
          -setdefault   Set the default personal certificate
          -sign         Sign a certificate
-certreq  -create       Create a certificate request
          -delete       Delete a certificate request from a certificate request database
          -details      Show the details of a specific certificate request
          -extract      Extract a certificate from a certificate request database
          -list         List all certificate requests in a certificate request database
          -recreate     Recreate a certificate request
-seckey   -create       Create a secret key
          -delete       Delete a secret key
          -details      Show the details of a specific secret key
          -export       Export secret keys to a file
          -import       Import secret keys from a file
          -list         List all secret keys in a key database
          -rename       Rename a secret key
-version                Display iKeyman version information
-help                   Display this help text
Creating a new key database using the command-line interface
A key database is a file that the server uses to store one or more key pairs and certificates.
Note: You can use one key database for all your key pairs and certificates, or create multiple databases. A key database is also known as a key ring in web terms.
Overview
To create a new key database using the gsk7cmd command-line interface enter a command using the following syntax:
<ihsinst>/bin/gsk7cmd -keydb -create -db <filename> -pw <password> -type <cms | jks | jceks | pkcs12> -expire <days> -stash
Command line options explained:
Parameter / options | Description
-db <filename> | The name of the key database, which will be created in the specified path.
-expire <days> | The number of days before the password expires. This parameter is only valid for CMS key databases.
-keydb | Specifies that the command is for the key database sub-command.
-pw <password> | The password to secure the key database.
-type <cms | jks | jceks | pkcs12> | The database type. Note: IBM HTTP Server only handles a CMS key database.
-stash | Stashes the password for the key database. When the -stash option is specified during key database creation, the password is stashed in a file named <filename_of_key_database>.sth. Note: Stashing the password is required for IBM HTTP Server.
Note: You can also create a new key database using the GSKCapiCmd tool. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. It has all of the functionality of the existing GSKit Java command line tool, except that GSKCapiCmd supports only CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database, and it does not require Java to be installed on the system. For example:
<ihsinst>/bin/gsk7capicmd -keydb -create -db <name> [-pw <passwd>] [-type <cms>] [-expire <days>] [-stash] [-fips] [-strong]
Example: Steps to create a new key database file from the command line
- Run the following commands to create a new key database via the command line:
cd D:\ihs7\bin
gsk7cmd.bat -keydb -create -db D:\ihs7\bin\mykey.kdb -pw ihsadmin -type cms -stash -expire 15
- The result is a new key database created in the path specified.
- Just to see what it contains, we will quickly use the IBM ikeyman tool to inspect the mykey.kdb file.
- Launch ikeyman.bat and a Java GUI will load:
D:\ihs7\bin\ikeyman.bat
- Select Key Database File | Open to open the mykey.kdb file.
- We will need to ensure that the type is CMS at this stage.
- Type the password. It is currently ihsadmin, as set by our create command earlier.
- Currently the key database is empty, i.e. we have no Personal Certificates, Signer Certificates or Personal Certificate Requests (CSRs).
As seen below…
Note: We could create a new self-signed certificate using the ikeyman tool, but at this time we want to learn how to use the GSKit command line tool.
- Close the ikeyman tool GUI.
Changing the password via the command line
To change the password for a key database using the gsk7cmd command-line interface, enter the following command as one line:
<ihs_install_root>/bin/gsk7cmd -keydb -changepw -db <filename>.kdb -pw <password> -new_pw <new_password> -expire <days> -stash
Command line options explained:
Parameter / options | Description
-db <filename> | The name of the database.
-changepw | Specifies to change the password.
-keydb | Specifies that the command is for the key database.
-new_pw <new_password> | The new key database password. This password must be different from the old password and cannot be a NULL string.
-pw <password> | The current password to access the key database.
-expire <days> | The number of days before the password expires. This parameter is only valid for CMS key databases.
-stash | Stashes the password for the key database. This parameter is only valid for CMS key databases. Stashing the password is required for the IBM HTTP Server SSL configuration in httpd.conf.
Creating a self-signed certificate from the command line
A self-signed certificate provides a certificate to enable SSL sessions between clients and the server. Until you have an official SSL Certificate Authority (CA) who can provide an officially-signed certificate in response to a certificate signing request (CSR), you can create a self-signed certificate.
During the creation of a self-signed certificate, a private and public key pair is generated and a self-signed X.509 certificate is stored in the identified key database. A self-signed certificate has the same issuer name as its subject name.
Note: When WebSphere Application Server profiles are being created you can now import an officially signed certificate. If you do not, the WAS Profile Management Tool (PMT), part of the WebSphere Customization Toolbox, will create a new self-signed certificate. This allows the system to use SSL transports even when an officially signed certificate does not yet exist. This is why you get the SSL browser error when you try to access the Administrative Console for the first time.
Steps to create a new self-signed certificate via the command line:
- Run the following command as one line:
gsk7cmd.bat -cert -create -db D:\ihs7\bin\mykey.kdb -pw ihsadmin -size 2048 -dn "CN=localhost, OU=Web Security, O=WebSphereTools, C=GB" -label myselfsignedcert -default_cert yes -expire 1 -san_dnsname localhost -san_emailaddr steve.robinson@webspheretools.com -san_ipaddr 127.0.0.1 -ca true
The general syntax is:
gsk7cmd -cert -create -db mykeydb.kdb -pw ihsadmin -size 1024 -dn <distinguished_name> -label <label> -default_cert <yes | no> -expire <days> [-san_dnsname <DNS name value>[,<DNS name value>]] [-san_emailaddr <email address value>[,<email address value>]] [-san_ipaddr <IP address value>[,<IP address value>]] [-ca <true | false>]
[Updated in September 2010]
- Open the ikeyman tool GUI again, as explained previously, so we can see the new self-signed personal certificate.
- When we set the certificates view to Personal Certificates, as shown below, there is now a new self-signed certificate with the label "myselfsignedcert". Take note of this label, as we will use it later in the SSL configuration for IHS.
- Select the certificate labelled "myselfsignedcert" and click View/Edit.
As seen below, we can now see that the personal certificate has been created and was issued by itself:
Issued to: CN=localhost, OU=Web Security, O=WebSphereTools, C=GB
Issued by: CN=localhost, OU=Web Security, O=WebSphereTools, C=GB
- Click View Details if you wish to get a tree view of the certificate.
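The three gsk7cmd steps in this guide (create the key database, change its password, create the self-signed certificate) are easy to get wrong by hand, so the following Python script assembles and checks the argument vectors for them before running anything. This is an added example written for this page; it is not part of the original post and not IBM's own tooling. It assumes the gsk7cmd options exactly as shown above and the install path D:\ihs7\bin from the examples (the GSK7CMD constant); the minimum key size, expiry and SAN checks are the script's own policy, not GSKit's.

```python
"""Build (and optionally run) the gsk7cmd steps from this guide with sanity checks.

Added example; not part of the original post and not IBM's own tooling. It
assumes the gsk7cmd options shown in the guide (-keydb -create/-changepw,
-cert -create) and the install path D:\\ihs7\\bin used in the examples.
"""
import ipaddress
import shutil
import subprocess
from typing import Optional, Sequence

# Assumed tool location (from the guide's examples); change for your install.
GSK7CMD = r"D:\ihs7\bin\gsk7cmd.bat"

# Policy of this script: refuse RSA keys shorter than 2048 bits (the guide's
# syntax line still shows 1024, which is no longer considered adequate).
MIN_RSA_BITS = 2048


def keydb_create(db: str, pw: str, expire_days: Optional[int] = None,
                 stash: bool = True) -> list:
    """Argument vector for 'gsk7cmd -keydb -create' (CMS type, as IHS requires)."""
    if not pw:
        raise ValueError("key database password must not be empty")
    argv = [GSK7CMD, "-keydb", "-create", "-db", db, "-pw", pw, "-type", "cms"]
    if expire_days is not None:
        if expire_days <= 0:
            raise ValueError("-expire must be a positive number of days")
        argv += ["-expire", str(expire_days)]
    if stash:
        argv.append("-stash")  # writes <db>.sth, which IHS needs at startup
    return argv


def keydb_changepw(db: str, pw: str, new_pw: str,
                   expire_days: Optional[int] = None, stash: bool = True) -> list:
    """Argument vector for 'gsk7cmd -keydb -changepw'; re-stash so IHS keeps working."""
    if not new_pw or new_pw == pw:
        raise ValueError("new password must be non-empty and differ from the old one")
    argv = [GSK7CMD, "-keydb", "-changepw", "-db", db, "-pw", pw, "-new_pw", new_pw]
    if expire_days is not None:
        argv += ["-expire", str(expire_days)]
    if stash:
        argv.append("-stash")
    return argv


def cert_create(db: str, pw: str, dn: str, label: str, size: int = 2048,
                expire_days: int = 365, default_cert: bool = True,
                san_dns: Sequence[str] = (), san_email: Sequence[str] = (),
                san_ip: Sequence[str] = (), ca: bool = False) -> list:
    """Argument vector for 'gsk7cmd -cert -create' (a self-signed certificate)."""
    if size < MIN_RSA_BITS:
        raise ValueError(f"key size {size} is below {MIN_RSA_BITS} bits")
    if "CN=" not in dn:
        raise ValueError("distinguished name must contain a CN= component")
    if expire_days <= 0:
        raise ValueError("-expire must be a positive number of days")
    for ip in san_ip:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    argv = [GSK7CMD, "-cert", "-create", "-db", db, "-pw", pw,
            "-size", str(size), "-dn", dn, "-label", label,
            "-default_cert", "yes" if default_cert else "no",
            "-expire", str(expire_days)]
    # gsk7cmd takes each SAN kind as one comma-separated value.
    if san_dns:
        argv += ["-san_dnsname", ",".join(san_dns)]
    if san_email:
        argv += ["-san_emailaddr", ",".join(san_email)]
    if san_ip:
        argv += ["-san_ipaddr", ",".join(san_ip)]
    argv += ["-ca", "true" if ca else "false"]
    return argv


def run_step(argv: list) -> Optional[int]:
    """Run one step without a shell, so the DN needs no quoting.

    Returns the exit code, or None when gsk7cmd is not installed on this host,
    so the script can still be exercised where GSKit is absent.
    """
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).returncode


if __name__ == "__main__":
    DB = r"D:\ihs7\bin\mykey.kdb"
    DN = "CN=localhost, OU=Web Security, O=WebSphereTools, C=GB"
    steps = [
        keydb_create(DB, "ihsadmin", expire_days=15),
        cert_create(DB, "ihsadmin", DN, "myselfsignedcert", size=2048,
                    expire_days=365, san_dns=["localhost"],
                    san_email=["steve.robinson@webspheretools.com"],
                    san_ip=["127.0.0.1"], ca=True),
    ]
    for argv in steps:
        rc = run_step(argv)
        print("skipped (gsk7cmd not found)" if rc is None else f"exit code {rc}",
              "for", " ".join(argv[1:3]))
```

Because the steps run through subprocess with an argument list rather than a shell, the distinguished name is passed as a single argument without the double quotes the cmd prompt needs. The password still travels on the command line, as it does in the manual commands above, so the .kdb file, its .sth stash file and any command history should be readable only by the account that runs IHS.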