Install SSL Certificate IBM HTTP Server

Overview. You will need to import two certificates. First the root certificate and then the SSL server certificate. Both of these certificates are included in the body of the fulfillment email from GeoCerts. Both certificates are also available from your GeoCerts SSL Manager account (recommended).

Before You Begin

To work with certificates on your IBM server, IBM has a tool called IBM Key Management Utility (IKEYMAN). IKEYMAN is used to create key databases, public-private key pairs, and certificate requests. In order to use IKEYMAN you have to setup your system environment to be able to run IKEYMAN.

Set up your System Environment to run IKEYMAN

• Set the home where the JDK is installed: EXPORT JAVA_HOME=the JDK home directory full path name
• The minimum JDK level for IKEYMAN support: On AIX: 1.1.6+ or 1.1.8, On WIN32: 1.1.8, On HP, SUN and Linux: 1.1.7
• If you want the ability to run IKEYMAN from any directory, add the path where IKEYMAN is installed to your PATH environment variable: EXPORT PATH=$IKEYMAN_HOME/bin:$PATH

Starting and Using IKEYMAN

To start the IKEYMAN graphical user interface:

• On AIX, Linux, or Solaris,type ikeyman on the command line.
• On Windows, go to the start UI and select Start Key Management Utility.

Step 1: Import and Install the GeoTrust Root CA Certificate

1. First you will need to install the GeoTrust Root CA Certificate. Copy-and-paste the root certificate from the body of the fulfillment email into a simple text editor such as Notepad.
   
   
2. Save the file to your server as geotrustroot.txt.
3. Start the IBM Key Management utility, IKEYMAN.
4. In the Key Management panel, go to the pull-down menu and select Signer Certificates.
5. Since the Trusted Root is a text file, select Base64-ASCII encoded data type and change the "*.arm" type to "*.txt" file type. Hit the Browse button and select the Trusted Root certificate .txt file - type the label as Equifax Secure Certificate Authority. This certificate should immediately show up in the list of Signer Certificates.

Step 2: Import and Install the SSL Server Certificate

1. Next install your SSL Server Certificate (public key). Copy-and-paste the server certificate from the body of the fulfillment email into a simple text editor such as Notepad.
2. Save the file to your server as public.txt.
3. In the Key Management panel, go to the pull-down menu and select Personal Certificates. Since your new web server certificate is now a text file, select Base64-ASCII encoded data type and change the "*.arm" type to "*.txt" file type. Hit the Receive button and browse to and select your web server certificate file you saved in Step 2. This certificate should immediately show up in the list of Personal Certificates. You can View/Edit to verify your certificate.
4. Add the desired/required modules to complete your server configuration, including setting up SSL Port 443.
5. Check your httpd.conf configuration to verify the path to the appropriate key file ("key.db").
6. Stop, and then Start your IBM HTTP Server.

Troubleshooting/Testing

To verify if your certificate is installed correctly, use the GeoTrust Certificate Installation Checker.

Test your SSL certificate by using a browser to connect to your server. Use the https protocol directive. For example, if your SSL was issued to secure.mysite.com, enter https://secure.mysite.com into your browser.

Your browser's padlock icon will be displayed in the locked position if your certificate is installed correctly and the server is properly configured for SSL.

Additional Resources:

These instructions are derived from documentation on the IBM web site:

• Learn more about securing your IBM HTTP Server
• Learn more about IKEYMAN at IBM