PKCS12 with IBM HTTP Server 8.0.0.9 / 8.5.5.2 and later

IBM HTTP Server (or the WAS WebServer Plug-in) 8.0.0.9 / 8.5.5.2 and later support using PKCS12 key stores directly. Generally, PKCS12 files created and maintained by other tools can be used, but the files must meet the criteria listed below.


PKCS12 requirements

PKCS12 files used with IBM HTTP Server must meet a few criteria.

Complete certificate chain in PKCS12

The PKCS12 file must contain the complete certificate chain for any end-entity certificate inside the file. If openssl is used to create the PKCS12 file, the "-certfile" and/or "-chain" parameters should be used so that the root and any intermediate certificates are present.

 $ openssl pkcs12 -cacerts -nokeys ...

This command should return the certificate's trust chain.

PKCS12 password requirements

  • The PKCS12 file must be password protected. The password can be stashed with gskcapicmd (bin/gskcapicmd -keydb -stashpw ...), or interactively with ikeyman.
  • If the private keys in the PKCS12 file are encrypted, they must be encrypted with the same password as the overall PKCS12 file.

Certificate label requirements

For a certificate to be usable in IHS, the certificate must have a PKCS12 "friendly name" and that name must be passed to SSLServerCert.

 $ openssl pkcs12 -in pkcs12test.p12 -nokeys -clcerts|grep friendlyName
    friendlyName: mycert

Because some tools may fold the case of friendly names, using lowercase characters only is recommended.
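As an added example (not IBM's own tooling), the following POSIX shell function checks a PKCS12 file against the three requirements above (complete chain, password protection, friendly name) plus the lowercase recommendation, using only the openssl CLI listings shown on this page. It assumes an openssl binary is on the PATH and that the file was written by openssl-compatible tools.

```shell
#!/bin/sh
# Added example: validate a PKCS12 file for use with IBM HTTP Server.
# Checks performed:
#   1. the file opens with the supplied password (MAC verifies)
#   2. at least one CA certificate is present (-cacerts), i.e. the chain
#      was included with -certfile/-chain
#   3. the end-entity certificate carries a friendlyName (SSLServerCert)
#   4. the friendlyName is lowercase only (recommended by the page)
# Usage: check_ihs_pkcs12 FILE PASSWORD   -> returns 0 when all checks pass
check_ihs_pkcs12() {
    p12=$1; pw=$2; rc=0
    # 1. the password must open the file; a private key encrypted with a
    #    different password than the file also fails here
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -noout >/dev/null 2>&1; then
        echo "FAIL: cannot open $p12 with the supplied password"
        return 1
    fi
    # 2. trust chain: -cacerts must yield at least one certificate
    cacount=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null \
              | grep -c 'BEGIN CERTIFICATE' || true)
    if [ "$cacount" -lt 1 ]; then
        echo "FAIL: no CA certificates in $p12 (certificate chain incomplete)"; rc=1
    fi
    # 3./4. friendlyName of the end-entity certificate (same listing as above)
    label=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
            | sed -n 's/^ *friendlyName: *//p' | head -n 1)
    if [ -z "$label" ]; then
        echo "FAIL: end-entity certificate has no friendlyName (needed for SSLServerCert)"; rc=1
    elif [ "$label" != "$(printf '%s' "$label" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL: friendlyName '$label' is not lowercase"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $p12 label=$label cacerts=$cacount"
    return "$rc"
}
```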