Importing intermediate CA certificates into the keystore

IBM® WebSphere® Application Server creates a certificate chain when the signed certificate is received. The chain is constructed from the signer certificates that are in the keystore at the time the certificate is received. Therefore, it is important to import all intermediate certificates as signer certificates into the keystore before receiving the Certificate Authority-signed certificate. When you purchase a server certificate for Sametime® Gateway, the certificate is issued by a Certificate Authority (CA). The CA can either be a root CA or an intermediary CA.

About this task

If your server certificate is issued by an intermediary CA, then complete the steps that follow, otherwise skip these steps and click Next topic at the end of this topic.

Procedure

  1. Before you import an intermediate CA, first determine if your server's certificate was issued by an intermediary CA:
    1. Save the signed certificate to a text file with a .cer extension. For example: signed-certificate.cer. Include the Begin Certificate and End Certificate lines when you save the file. For example:
      -----BEGIN CERTIFICATE-----
ZZZZ3zCCAkigAwIBAgIDB5iRMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgZZZZQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRZZZZpdHkwHhcNMDcwNjE4MTkwNDI3WhcNMDgwNjE4MTkwNDI3
WjBqMQswCQYDVQQGEwJVUZZZZwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1fc3Rp
bjEMMAoGA1UEChMDSUJNMRAwDgYDVQQLEwdzdXBwb3J0MRowGAYDVQQDExFydGNn
YXRlLmxvdHVzLmNvbTCBnzANBZZZZiG9w0BAQEFAAOBjQAwgYkCgYEAlb7fl36ti
obgdUzUYoFuJhRVZqItvBskeVFSOqDuQ4TwOAvaPTySx3z7ddFHSHwoFVOVIkU2g
OPiRcPY8oYlZ5R7Bq1fI/t5MFUTJhYw7k6z95jfIufzai2Bn3e+jzm7ivJ5dckEZ
Gm3ajjYQgwjCJBfOh7P9fE13dWJSZZZZzWcCAwEAAaOBrjCBqzAOBgNVHQ8BAf8E
BAMCBPAwHQYDVR0OBBYEFMHrh2oiTGbcBH759lnRZZZZn+NSMDoGA1UdHwQzMDEw
L6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3Js
MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/ZZZZGA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjANBZZZZkiG9w0BAQUFAAOBgQBKq8lUVj/DOPuNL/Nn
IGlrr1ot8VoZS7wZZZZlgeQLOmnZjIdRkbaoH04N3W3qZsQVs2/h4JZJj3mKVjjX
FeRVHFFyGZZZZ4hHWH+Zqf/PJwjhVPKEwsiKFaAGJS5VzP3btMG8tGan02zZUE4L
wPZZZZpMmvPI3U12W+76bqyvVg==
-----END CERTIFICATE-----
    2. Double-click on the new file that you created and a Certificate dialog box opens.
    3. Click on the Certification Path tab.
    4. Look at the tree-like structure representing the full certificate chain and determine whether your certificate was issued by the root CA or an intermediary CA.

      If your server is listed one level after the root CA, this indicates that it was issued by that root CA; otherwise the certificate was issued by an intermediary CA.

      For example, the following screen capture shows a certificate chain where an intermediary CA, VeriSign Class 3 Secure Server CA, issued a certificate for stgw.lotus.com.

      Certificate path showing intermediate certicate

    5. If the server certificate is not issued by an intermediary CA, stop here and click Next topic at the end of this topic.
  2. One you determine that the certificate is an intermediate certificate, you must export the certificate from the chain into its own certificate file:
    1. Double-click the server's certificate (i.e. server.cer) file and a Certificate dialog box opens.
    2. Click Certification Path tab.
    3. Highlight an entry of the certificate chain.
    4. Click View Certificate.
    5. In the Certificate dialog window, click the Details tab.
    6. Click Copy to File...
    7. In the Certificate Export Wizard that appears, click Next.
    8. Select Base-64 encoded X.509 (.CER), and click Next.
    9. Type in a unique name for the certificate you are exporting and click Next. For example, "VS-intermediary-CA" for VeriSign's intermediary certificate authority.
    10. Click Finish.
    11. Click OK in the dialog box that displays the following message: The export was successful.
    12. Repeat the preceding sub steps for each intermediate certificate in the chain. Note that there is no need to repeat these steps for the last entry of the chain because the server's certificate already exists. When you are done, you will have a certificate file (.cer) for each entry of the chain.
      In our example, there are three certificate files:
      Table 1. Certificate types and names
      Certificate type Name Certificate file name
      Root VeriSign Class 3 Public Primary CA VS-root-CA.cer
      Intermediary VeriSign Class 3 Secure Server CA VS-intermediary-CA.cer
      Server stgw.lotus.com stgw.cer
  3. Finally, import the intermediary CA certificate into the keystore by completing the following steps:
    1. Using the Integrated Solutions Console, click Security > SSL Certificate and key management.
    2. Click Key stores and certificates.
    3. Click CellDefaultKeyStore.
    4. Click Signer certificates.
    5. Click Add.
    6. In the Alias field, type a short descriptive name for the certificate. For example, "Verisign Intermediary CA."
    7. In the File name field, type the path to the certificate file of the intermediary CA. For example, C:\certs\VS-intermediary-CA.cer.
    8. Accept the default file data type.
    9. Click Apply and Save.
    10. Repeat the preceding steps for each intermediary CA that is part of the certificate chain. In most cases, only one intermediary CA exists.