I have a love/hate relationship with iKeyman. It never seems to want to work the way I think it should.
Take the instance when a customer manages their SSL keys online, and creates the private certs without actually creating a CSR on the host machine. It just gets tricky. iKeyman won’t allow you to import the private key, and if you try to install the new certificate, you’ll get an error along the lines of “No CSR found for Certificate”
What you can do is use 3rd party tools to create a .p12 certificate, then import this into a new .kdb.
So here is my cheat sheet for how I got this working.
- Extract the certificates from email.
- Use OpenSSL to create a p12
- Create a new KDB
- Import the root certificates, intermediate certificates
- Import the Personal certificate
Copy the certificates from the email you have been provided. In my case I had the new trusted cert, the Intermediate and I had to get the Private key as well.
Copy the text certificates from the email and create a file with the extensions like the following for each. In my case I had 3, NewCert.key, NewPrvKey.crt and Intermediate.cer.
They will look something like below.
Once you’ve done this, you’ll need access to OpenSSL. I’m on a Mac, so this is installed already.
OpenSSL is accessed via Terminal.
OpenSSL will be used to create a .p12 file so we can import into iKeyman. Use the following command.
openssl pkcs12 -export -name "NewKey" -inkey ~/Desktop/NewPrvKey.crt -in ~/Desktop/NewCert.key -out ~/Desktop/NewCert.p12 -keypbe PBE-SHA1-RC2-40
You’ll be prompted for a password for the .p12 you are creating. Remember this, you’ll need it.
Ok.You’ve now got a .p12 . Transfer this to your IHS server, along with the Intermediate.cer that you created previously.
Fire up iKeyman, I’m running this on my IBM HTTP Server.
Now we are going to –
- Extract the existing trusted root and intermediates from the old KDB (optional)
- Create a new KDB
- Import the Trusted root and intermediates if you need to (optional)
- Import your private keys
Import the Intermediate Certificate, and also if you required to pull in the other Root Certificates. I’m using TrustiCo so this is the following. I had these already in another keystore, so I just Extracted and then imported from the .kdb I was replacing.
Create a new .kdb, I’m calling mine 2015Key.kdb.
Make sure to stash the “Password to a file”, then hit OK.
Now select “Personal Certificates”
Change the Keyfile type to PKCS12 and browse to our .p12 certificate.
Enter your password for the .p12, then change the label to something that makes sense. Hit Apply and OK
This will import the new certificate for your server into the KDB file. If it is the only one, it should automatically be set as the default.
Once done you can then Validate trust (Personal Certificates>Validate). If everything is working, then it should give you a nice “Validation successful” If not, you more than likely don’t have the correct Trust Chain. Go to the vendor of your 3rd party cert and get the correct signer certs.
Then all that is left is change the IHS server config to point to the new key and stash (.kdb, .sth). Restart IHS and you should be good to go..