Converting SSL Keys to ikeyman Format

I am posting this on my blog so it gets out on Google.

Recently I had to help a colleague convert a key that was created in openssl and submitted to a Certificate Authority. I had problems with this in the past, and apparently 5 different helpdesks couldn’t help him. So here goes...

First off, if you are having problems with ikeyman on a server, you can always install IBM HTTP Server on your Windows workstation and run the ikeyman utility there (called Start Key Management Utility under the IBM HTTP Server entry in the Start menu). The keys are the same and are independent of the actual server itself. Even the information you provide doesn’t really have any bearing on the key itself, except for reference from the key authority’s perspective. Another common problem is not having JAVA_HOME set to the location of your Java executable. Mine’s set to the JRE directory under the j2sdk installation directory (i.e. JAVA_HOME is set to c:\java\j2sdk_1.4.3.2\jre ... something like that).

Another common problem with older versions of IHS and ikeyman/gskit is the "JCE not found" error. Try setting JAVA_HOME first, then update the files as necessary if you continue to receive this error.

The way to convert any key pair is simple:

  1. Download the IBM Keyman utility.

  2. Open the keys in keyman.

  3. Export the key as a PKCS#12 database using no encryption. This merely sets the PKCS#12 file’s encryption to none. Delete this file once you’ve successfully imported it into ikeyman, since the private key inside it is not encrypted.

  4. Import the key into ikeyman using the previously defined passphrase for the PKCS#12 database.

And that’s it. You should then be able to set up SSL in IHS using the ikeyman database, and everything should be smooth after this step. You might have to import the trusted root certificate used to sign the CA cert into ikeyman, especially if it’s not a mainstream CA.
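If the key and the CA-issued certificate are still in OpenSSL's PEM format, steps 1 to 3 can also be done on the command line. The script below is an added example, not part of the original post: it checks that the private key really belongs to the certificate, then writes a passphrase-protected PKCS#12 file ready for step 4. The file names, label and passphrase are constructed sample values, and the key and self-signed certificate are throwaway test input generated on the spot.

```shell
#!/bin/sh
# Added example: bundle an OpenSSL key + certificate into PKCS#12 for ikeyman.
# Assumes the private key file is not passphrase-protected (openssl would prompt).
set -eu

# Succeeds only if the public key derived from the private key ($1)
# is identical to the public key embedded in the certificate ($2).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 KEY CERT OUT LABEL
# The passphrase is read from the exported variable P12_PASS, so it never
# appears on a command line or in the process list.
make_p12() {
    if ! key_matches_cert "$1" "$2"; then
        echo "key and certificate do not match; nothing written" >&2
        return 1
    fi
    # umask 077: the bundle holds the private key, keep it owner-only.
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -name "$4" \
              -out "$3" -passout env:P12_PASS ) || return 1
    # Re-open the bundle: verifies the MAC and that the structure parses.
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout
}

# --- constructed sample input (throwaway key and self-signed certificate) ---
tmp=$(mktemp -d)
# The PKCS#12 file is only an intermediate: remove it (and the sample key)
# on exit, as the post says to do once the import has succeeded.
trap 'rm -rf "$tmp"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>/dev/null

P12_PASS='constructed-sample-passphrase'
export P12_PASS

make_p12 "$tmp/k.pem" "$tmp/c.pem" "$tmp/site.p12" ihs-site
echo "PKCS#12 bundle written and verified: $tmp/site.p12"
```

A mismatch reported here usually means the certificate was issued for a different CSR than the one generated from this key, which would otherwise only show up as a failed import in ikeyman.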

Good Luck!
