IBM HTTP Server (or the WAS WebServer Plug-in) 8.0.0.9 / 8.5.5.2 and later support using PKCS12 key stores directly. Generally, PKCS12 files created and maintained by any tool can be used, but the files must meet the criteria listed below.
The PKCS12 file must contain the complete certificate chain for any end-entity certificate inside the file. If using openssl to create the PKCS12 file, this means including the "-certfile" and/or "-chain" parameters so that the root and any intermediate certificates are present.
$ openssl pkcs12 -cacerts -nokeys ...
should return the certificate's trust chain.
bin/gskcapicmd -keydb -stashpw ...
) or interactively with ikeyman.
For a certificate to be usable in IHS, the certificate must have a PKCS12 "friendly name", and that name must be passed to SSLServerCert.
$ openssl pkcs12 -in pkcs12test.p12 -nokeys -clcerts | grep friendlyName
friendlyName: mycert
Because some tools may fold the case of friendly names, using lowercase characters only is recommended.
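A pre-flight check for the chain and friendly-name criteria above, as an added example that is not IBM's code. It goes one step beyond the page's commands by running openssl verify over the certificates extracted from the file. The function names, file names, label and password are constructed sample values.

```shell
# check_p12 FILE PASSWORD LABEL: returns 0 if FILE meets the criteria, else 1.
check_p12() {
    p12=$1 label=$3 rc=0
    work=$(mktemp -d) || return 1
    P12_PASS=$2; export P12_PASS   # keeps the password off the command line
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
        >"$work/ee.pem" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -cacerts \
        >"$work/ca.pem" 2>/dev/null
    # The end-entity certificate must carry the label given to SSLServerCert.
    sed -n 's/^ *friendlyName: //p' "$work/ee.pem" | grep -qxF -- "$label" ||
        { echo "no certificate with friendly name '$label'" >&2; rc=1; }
    # Lowercase is only a recommendation, so warn without failing.
    case $label in *[[:upper:]]*) echo "warning: label has uppercase" >&2 ;; esac
    # The chain must verify to a self-signed root using only the file's own CA
    # certificates; SSL_CERT_DIR points at a nonexistent directory so that
    # system-trusted roots cannot fill a gap.
    SSL_CERT_DIR="$work/none" openssl verify -CAfile "$work/ca.pem" \
        "$work/ee.pem" >/dev/null 2>&1 ||
        { echo "certificate chain in file is incomplete" >&2; rc=1; }
    rm -rf "$work"; unset P12_PASS
    return $rc
}

# make_sample DIR: constructed root and leaf, plus two PKCS12 files (sample data).
make_sample() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Constructed Test Root" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out ee.pem -days 1 2>/dev/null
    # good.p12: label set with -name, root added with -certfile
    openssl pkcs12 -export -inkey ee.key -in ee.pem -certfile ca.pem \
        -name mycert -passout pass:changeit -out good.p12
    # nochain.p12: same key and certificate, root left out
    openssl pkcs12 -export -inkey ee.key -in ee.pem \
        -name mycert -passout pass:changeit -out nochain.p12
)

demo=$(mktemp -d)
make_sample "$demo"
check_p12 "$demo/good.p12" changeit mycert && echo "good.p12: usable"
check_p12 "$demo/nochain.p12" changeit mycert || echo "nochain.p12: rejected"
```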