www.michalscorner.com what I have recently discovered

9 Oct 09

SSL certificate format conversions

SSL certificate format conversion shouldn't be a very complicated task. All you need is OpenSSL installed on your machine and the appropriate command.

  1. Install OpenSSL
    Sources are -> http://openssl.org/source
    Install guide -> is being created
  2. Conversion commands
    • CER to PEM
      openssl x509 -in <path_to_your_CER_certificate>.cer -inform DER -out <path_to_your_PEM_certificate> -outform PEM
    • PEM to PKCS12
      openssl pkcs12 -export -in <path_to_your_PEM_certificate> -out <path_to_your_PKCS12_certificate>.p12
    • PEM to DER - DSA keys
      openssl dsa -inform PEM -outform DER -in <path_to_your_PEM_key> -out <path_to_your_DER_key>
    • PEM to DER - RSA keys
      openssl rsa -inform PEM -outform DER -in <path_to_your_PEM_key> -out <path_to_your_DER_key>

If I missed any conversion you are looking for, drop me a line.

20 Aug 09

How to import a wildcard IIS SSL certificate to IBM IHS

Today I spent some time trying to import a wildcard SSL certificate, which was issued for IIS, into IBM IHS. It was not as easy as I thought it would be. Here is what I did to achieve it.

First you have to export the SSL certificate from IIS

  1. Login to windows server
  2. Click Start -> Run
  3. Run MMC
  4. Click on File -> Add/Remove Snap-in
  5. Click on Add -> Certificates
  6. Select Computer Account
  7. Click Next
  8. Select Local Computer
  9. Click Finish
  10. Click OK to close active window
  11. Expand Certificates
  12. Expand Personal
  13. Select Certificates
  14. Right-click the certificate you'd like to export
  15. Follow all the steps in the Certificate Export Wizard
  16. Make sure you selected Yes, export private key
  17. Select Include all certificates in certificate path...
  18. Make sure you remember the chosen password
  19. Select the location the pfx file should be saved to
  20. Click Finish

Once you have the pfx file exported, transfer it to a temporary location on the server where your IHS is installed and follow the steps below to convert the pfx certificate to cer

  1. Login to your server
  2. Make sure you have openssl installed
  3. Execute the following command
    openssl pkcs12 -in /your/temp/location/certificate.pfx -out /your/temp/location/certificate.cer -nodes
  4. Check that the cer file was saved
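
A round-trip check for the conversion commands in the earlier post and the pkcs12 -nodes step here, added as an example and not part of the original post: it runs each conversion on a throwaway self-signed wildcard certificate and confirms every output still carries the same certificate and the matching key. The file names, the CN *.example.test, the password demo-only and the function names are assumptions made for the demo; because -nodes writes the private key unencrypted, the script sets an owner-only umask before creating any files.

```sh
#!/bin/sh
# Added example: file names, CN and the password "demo-only" are constructed.

# SHA-256 fingerprint of the first certificate in a file: $1=file $2=PEM|DER
fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Succeeds when the private key in $2 belongs to the certificate in $1 (PEM).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when $1 contains a private key with no passphrase protection.
has_plain_key() {
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Run the conversions on a throwaway wildcard certificate inside directory $1.
convert_demo() (
    umask 077    # -nodes output is an unencrypted key: owner-only files
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.example.test' -keyout key.pem -out cert.pem 2>/dev/null &&
    openssl x509 -in cert.pem -inform PEM -out cert.cer -outform DER &&
    openssl x509 -in cert.cer -inform DER -out back.pem -outform PEM &&
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 \
        -passout pass:demo-only &&
    openssl pkcs12 -in cert.p12 -passin pass:demo-only -nodes \
        -out bundle.pem 2>/dev/null
)

# Succeeds only if every output still carries the same certificate and the
# -nodes bundle holds the matching, unencrypted private key.
verify_demo() {
    ref=$(fp "$1/cert.pem" PEM) &&
    [ "$ref" = "$(fp "$1/cert.cer" DER)" ] &&
    [ "$ref" = "$(fp "$1/back.pem" PEM)" ] &&
    [ "$ref" = "$(fp "$1/bundle.pem" PEM)" ] &&
    key_matches_cert "$1/bundle.pem" "$1/bundle.pem" &&
    has_plain_key "$1/bundle.pem"
}

demo_dir=$(mktemp -d) && convert_demo "$demo_dir" && verify_demo "$demo_dir" &&
    echo "same certificate in every format; bundle.pem holds a plaintext key"
rm -rf "$demo_dir"
```

The same fp and key_matches_cert checks can be pointed at a real exported file before it is imported; delete the unencrypted output from the temporary location once the import is done.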

Now the SSL certificate you exported from IIS is ready to be imported. To import the certificate, see the steps below.

  1. Navigate to <ihs_root>/bin
  2. Export the display to any machine that can handle an X session
    export DISPLAY=127.120.12.12:0.0
  3. Launch ikeyman
    ./ikeyman
  4. Create a new keystore database
  5. Provide a password you will remember
  6. Make sure the stash password option is selected
  7. Select Personal Certificates from the dropdown menu
  8. Click on Import
  9. Click on Browse and navigate to the location of your certificate
  10. Select the file and click OK
  11. Type in the password you selected while exporting your certificate from IIS
  12. Click OK
  13. The certificate should appear immediately in the Personal Certificates section

If there were no errors you are done. The most common error says "Key databased has been corrupted". In this case you have to follow additional steps in order to be able to import it.

  1. Identify the JRE version of your IHS by issuing the following command
    /<ihs_root>/java/jre/bin/java -fullversion
  2. Based on the output of the above command, download the respective files
  3. Back up the following files: local_policy.jar and US_export_policy.jar
    cp /<ihs_root>/java/jre/lib/security/local_policy.jar local_policy.jar.orig
    cp /<ihs_root>/java/jre/lib/security/US_export_policy.jar US_export_policy.jar.orig
  4. Extract the downloaded zip container and move both files to the destination folder
    unzip unrestricted.zip
    mv *policy.jar /<ihs_root>/java/jre/lib/security/
  5. Restart the ikeyman tool
    /<ihs_root>/bin/ikeyman
  6. Open the previously created key store
  7. Type in the password
  8. Select Personal Certificates from the dropdown menu
  9. Click on Import
  10. Click on Browse and navigate to the location of your certificate
  11. Select the file and click OK
  12. Type in the password you selected while exporting your certificate from IIS
  13. Click OK
  14. The certificate should appear immediately in the Personal Certificates section

Done