Adding certificates to a key database file

After you obtain a signed certificate from a certificate authority (CA), use the IBM® Key Management utility to store the certificate to the key file database. If the root signer certificate is not already included in the key database file, you must also add it and any intermediate certificates.

Before you begin

Purchase a certificate from a CA and submit a certificate request that you generate from the IBM® Key Management tool to the CA.

About this task

To enable clients to make secure connection to the HTTP access service, you must install a certificate from a trusted third-party CA on the SafeLinx Server. To install an X.509 certificate on the SafeLinx Server, use the IBM® Key Management tool to store the certificate to the key file database.

The Key Management tool provides several methods to store certificates in the key file database. The method that you use depends on the type of certificate and the process that you used to obtain it. For signer certificates for a root CA or intermediate CA, use the add method. For personal certificates that you receive in response to a certificate request that you initiated from the tool, use the receive method. For personal certificates that you obtain through other means, use the import method.

Certificate authorities create and deliver certificates in different file formats. The IBM® Key Management tool works best when certificates are in PKCS12 (.p12) format. When you request a certificate, notify the CA that you would like the certificate to be returned in PKCS12 format. If you receive certificates in other formats and cannot process them, convert them to another format. For example, you might import a certificate file that is in .PEM format into a browser, and then export the file in Base-64-encoded .DER format. Specific information about how to convert certificates from one format to another is beyond the scope of these instructions.

The following procedure describes how to add signer certificates and receive personal certificates that are in PKCS12 format. This procedure applies to certificates that you receive in response to a certificate request that you initiate from the Key Management tool.

Procedure

  1. Open the IBM® Key Management utility on the SafeLinx Server.
    • From Windows, log in as an administrator, and then click Start > All Programs > HCL SafeLinx > Key management.
    • From Linux, log in as root, and from a command line, type
      wg_ikeyman
  2. Click Key Database File > Open. In the Key database type list, click CMS.
  3. Type the file name and location of the key database file to open, and then click OK.
    For example, on Windows, to open the default key file database for HTTP access services, you might type C:\Program Files\ibm\SafeLinx Server\http.trusted.kdb.
  4. When prompted, type the password for the key database.
    Passwords are case-sensitive.
  5. In the Key database content section, open the list, and then click Signer Certificates.
  6. To add the signer certificate, click Add, type the file name and location of the signer certificate, and then click OK.
  7. From the contents of the certificate, choose the certificates that you want to add.
    You can select multiple entries.
  8. If you want to rename a certificate in the list, type a new label for it and then click Apply.
  9. Click OK to complete the process of adding the certificate.
  10. To add a new personal certificate, in the Key database content section, open the list, and then click Personal Certificates.
  11. For certificates that you receive in response to a request that you generated from the Key Management tool, click Receive, type the full path to the file, and then click OK.

    When you use the Receive option, the certificate is matched to the original certificate request. This certificate request is removed from the key database because it is no longer needed.

    The certificate is displayed in the Personal Certificates view. If a previous certificate exists in the key database, you are prompted to confirm whether you want to set the key as the default key in the database. For a certificate that you receive to replace an expiring certificate, click No if the old certificate is not yet expired. Click Yes if you want SafeLinx to use the new certificate now to identify itself to connecting devices. When you are ready to designate a different certificate as the default, double-click the certificate, select Set the certificate as the default, and then click OK.
  12. Close the key database file.
  13. Shut down and restart the SafeLinx Server to activate the change.

What to do next

After you add a certificate and signing certificate to the key database file, view the properties of the component that uses the certificate to verify that it is set to use this key database file.