Manage keys with the IKEYMAN graphical interface (Distributed systems)

This section describes how to set up and use the key management utility (IKEYMAN) with IBM® HTTP Server. Using the graphical user interface rather than the command-line interface is recommended.


Before you begin

Ensure that the required compat-libstdc++ package exists for your operating system architecture. For more information, see the installation and verification information for Linux packages.


About this task

Global Security Kit (GSKit) certificate management tools are installed in the <ihsinst>/bin/ directory. Run these tools only from the installation directory. Examples of the following commands should include the full directory path, such as <ihsinst>/bin/gskcmd.

  • gskver

  • ikeyman

  • gskcapicmd

  • gskcmd

For IKEYMAN, you can run the following command in the installation directory to generate debug information.

<ihsinst>/bin/ikeyman -x

To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server.


Procedure

  • Start the Key Management utility user interface. Use IKEYMAN to create key databases, public and private key pairs, and certificate requests.

  • Work with key databases. You can use one key database for all your key pairs and certificates, or create multiple databases.

  • Change the database password. When you create a new key database, you specify a key database password, which protects the private key. The private key is the only key that can sign documents or decrypt messages that are encrypted with the public key. Changing the key database password frequently is a good practice.

  • Create a new key pair and certificate request. Key pairs and certificate requests are stored in a key database.

  • Import and export your key into another database or to a PKCS12 file. PKCS12 is a standard for securely storing private keys and certificates.

  • List certificate authorities within a key database.

  • Display the certificate expiration date for your key database by viewing the certificate information with the IKEYMAN Key Management utility GUI or by using the gskcmd command.

  • If you act as your own CA, you can use IKEYMAN to create self-signed certificates.

  • Receive a signed certificate from a certificate authority. If you act as your own CA for a private Web network, you have the option to use the server CA utility to generate and issue signed certificates to clients and servers in your private network.

  • Display default keys and certificate authorities within a key database.

  • Store a certificate from a certificate authority (CA) that is not a trusted CA.

  • Store the encrypted database password in a stash file.


What to do next

You may experience a certificate problem when you open a certificate whose key uses a higher level of cryptography than your policy files permit. You can optionally install the unlimited strength JCE policy files.

For more information about the IKEYMAN utility, see the IKEYMAN User's Guide on the IHS Library page.
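The command-line equivalent of the procedure above (key database with a stash file, self-signed certificate or certificate request, PKCS12 export, CA listing and certificate details), as an added example that is not part of this page or of IBM's documentation. It calls gskcapicmd from <ihsinst>/bin; the IHSINST path, key database name, label and distinguished name are assumed placeholders, and DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from the page): command-line equivalent of the IKEYMAN
# procedure using gskcapicmd. IHSINST, KDB, LABEL and DN are assumed placeholders.
IHSINST="${IHSINST:-/opt/IBM/HTTPServer}"
GSK="$IHSINST/bin/gskcapicmd"
KDB="${KDB:-$IHSINST/key.kdb}"
LABEL="${LABEL:-ihs-server}"
DN="${DN:-CN=www.example.com,O=Example,C=US}"

# Run gskcapicmd, or with DRY_RUN=1 only print the command that would run.
gsk() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "gskcapicmd $*"
    else
        "$GSK" "$@"
    fi
}

# 1. Create the CMS key database and stash its password in key.sth next to key.kdb.
#    KDB_PW is used once here; every later command passes -stashed instead, so the
#    password does not appear on the command line again. Restrict read access to
#    the .kdb and .sth files to the IHS user.
create_keydb() {
    gsk -keydb -create -db "$KDB" -pw "$KDB_PW" -type cms -stash
}

# 2a. Acting as your own CA: a self-signed certificate, valid 365 days, set as default.
create_self_signed() {
    gsk -cert -create -db "$KDB" -stashed -label "$LABEL" -dn "$DN" \
        -size 2048 -expire 365 -default_cert yes
}

# 2b. Or a certificate request for an external CA; the signed reply is received later.
create_certreq() {
    gsk -certreq -create -db "$KDB" -stashed -label "$LABEL" -dn "$DN" -size 2048 -file "$1"
}
receive_signed_cert() {
    gsk -cert -receive -db "$KDB" -stashed -file "$1"
}

# 3. Export the key pair and certificate to a password-protected PKCS12 file.
export_pkcs12() {
    gsk -cert -export -db "$KDB" -stashed -label "$LABEL" \
        -target "$1" -target_type pkcs12 -target_pw "$2"
}

# 4. List the trusted CAs, and show a certificate's details including its validity dates.
list_cas() { gsk -cert -list CA -db "$KDB" -stashed; }
cert_details() { gsk -cert -details -db "$KDB" -stashed -label "$LABEL"; }
```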

