Installing an SSL Certificate on IBM HTTP Server
Sarah Mitchell
IBM HTTP Server descends from Apache but manages SSL Certificates its own way, through a CMS key database file rather than loose PEM files. The database holds the Private Key, the SSL Certificate, and the chain together, managed either by the graphical iKeyman utility or the gskcapicmd command line tool that ships alongside the server.
This guide uses the command line tool, with every step having a direct iKeyman equivalent for administrators who prefer the interface.
Creating the Key Database
Create the database with a stash option, which stores the password in a companion file so the web server can open the database at startup without prompting.
gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw YourPassword -stash
Restrict the resulting files so only the server user can read them, since the stash file effectively contains the password.
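One way to check that restriction after the fact, as an added example that is not IBM or Trustico tooling: the function below audits the key database and its companion files for group or other access and for the expected owner. The function name and the owner name in the sample call are assumptions, and the .rdb and .crl companions are treated as optional.

```shell
#!/bin/sh
# Added example, not IBM or Trustico tooling. The function name and the owner
# "ihsuser" in the sample call are assumptions; substitute your own values.

# check_keydb_perms KDB_PATH EXPECTED_OWNER
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_keydb_perms() {
    kdb=$1
    want_owner=$2
    base=${kdb%.kdb}
    rc=0
    # .kdb = key database, .sth = stashed password. The .rdb (pending
    # requests) and .crl companions are audited only when they exist.
    for ext in kdb sth rdb crl; do
        f=$base.$ext
        if [ ! -e "$f" ]; then
            case $ext in
                kdb|sth) echo "MISSING $f"; rc=1 ;;
            esac
            continue
        fi
        # ls -ld rather than stat(1), whose flags differ between platforms.
        info=$(ls -ld "$f" | awk '{print $1 " " $3}')
        mode=${info% *}
        owner=${info#* }
        # Characters 5-10 of the mode string are the group and other bits.
        if [ "$(printf '%s\n' "$mode" | cut -c5-10)" != "------" ]; then
            echo "EXPOSED $f ($mode) is accessible to group or other"; rc=1
        fi
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER $f is owned by $owner, expected $want_owner"; rc=1
        fi
    done
    return $rc
}

# Sample call for the path used in this guide:
# check_keydb_perms /opt/IBM/HTTPServer/ssl/key.kdb ihsuser
```

A non-zero return with an EXPOSED line for the .sth file is the case that matters most, since that file stands in for the database password.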
Generating the Certificate Signing Request
Create the request inside the database, with the label naming the entry and the distinguished name carrying your hostname as the Common Name (CN).
gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/key.kdb -stashed -label yourdomain -size 2048 -dn "CN=yourdomain.com,O=Your Organization,C=US" -file yourdomain.csr
Submit the resulting file when placing your order and complete validation as normal.
Adding the Chain and Receiving the SSL Certificate
Download the issued SSL Certificate and the ca-bundle of Intermediate Certificates from the Certificate Authority (CA), both available in the tracking system.
Add the Intermediate Certificates to the database first, then receive the issued SSL Certificate against the waiting request, which pairs it with the Private Key.
gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/key.kdb -stashed -label intermediates -file yourdomain.ca-bundle
gskcapicmd -cert -receive -db /opt/IBM/HTTPServer/ssl/key.kdb -stashed -file yourdomain.crt
Receiving before adding the chain is the classic ordering mistake on this platform, producing a validation error that resolves the moment the Intermediate Certificates are present.
Enabling SSL in the Configuration
Point the server configuration at the database and enable Secure Sockets Layer (SSL) support inside a virtual host on port 443, referencing the entry by its label.
# httpd.conf
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEnable
    SSLServerCert yourdomain
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/ssl/key.kdb
Restart the server with apachectl restart from the IBM HTTP Server bin directory, and the SSL Certificate goes live.
Verifying the Installation
Load the site over HTTPS and confirm the SSL Certificate details, then run an external scan to confirm the chain reaches fresh clients complete. Trustico® provides free checking tools for this confirmation.
Troubleshooting Common Installation Problems
A receive failure complaining the request cannot be found means the database holds no matching request, usually because the database was recreated after submission. A reissue against a fresh Certificate Signing Request (CSR) from the current database resolves it.
A server that prompts for a password at startup, or fails to start unattended, is missing the stash file. Recreate it with the stashpw option against the existing database.
Chain warnings on strict clients mean the Intermediate Certificates were never added. Add them with the cert add command and restart.
Professional Installation Assistance
The CMS database model is unfamiliar territory for administrators arriving from mainstream Apache, and WebSphere environments add their own layers around it.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.