Add certificates to IBM HTTP Server

Add signer certificates to an IBM HTTP Server plug-in for a stand-alone deployment.


Before you complete this procedure, ensure that IBM HTTP Server is configured to support SSL. For more information, see the Configuring IBM HTTP Server for SSL topic.


To establish trusted communication between IBM HTTP Server and a Web browser, import signer certificates from WebSphere Application Server.

There are different types of certificates that you can use. This procedure describes how to import the self-signed certificate that is shipped with WebSphere Application Server. You can also import a certificate that you purchased from a third-party Certificate Authority, or create a new self-signed certificate. To help decide on a key strategy for your environment, go to the IBM HTTP Server information center.

To import a public WebSphere Application Server certificate into the IBM HTTP Server plug-in:

  1. Copy the plugin-key.kdb file from the ibm_http_server_root/Plugins/config/webserver1 directory to the app_server_root/profiles/AppSrv01/config/cells/cell_name/nodes/<node_name>/servers/<Webserver_name> directory, where cell_name, <node_name>, and <Webserver_name> are the name of your WebSphere Application Server cell, the name of the node that you are configuring, and the name of your Web server, respectively.

  2. Log in to the IBM WAS admin console and select Security > SSL Certificate and key management > Key stores and certificates.

  3. Click NodeDefaultKeyStore.

  4. Click Personal Certificates.

  5. Select the check box beside the default certificate and click Extract.

  6. Enter a fully-qualified Certificate file name. If you do not specify a path, the certificate is stored in the app_server_root/profiles/profile_name/etc directory, where profile_name is the name of the current WebSphere Application Server profile.

  7. Click OK to extract the file.

  8. In the IBM WAS admin console, select Servers > Web servers.

  9. Click <Webserver_name>, where <Webserver_name> is the name of your IBM HTTP Server Web server.

  10. Click Plug-in properties and then click Manage keys and certificates.

  11. Under Additional Properties, click Signer certificates, and then click Add.

  12. Enter the certificate Alias and its fully-qualified File name, and click OK.

  13. Click Save to import the file.

  14. In the IBM WAS admin console, select Servers > Web servers > Plug-in properties.

  15. From the Plug-in properties page, click Copy to Web server key store to synchronize the KDB file with IBM HTTP Server.

  16. Restart IBM HTTP Server to apply the changes.

 

Results

If your configuration changes aren't successful, ensure that you have applied the instructions to configure a default personal certificate.

By default, the proxy-config.tpl file allows the proxy to work with self-signed certificates. For improved security, set the value of the unsigned_ssl_certificate_support property to false when your deployment is ready for production.
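
One way to check this setting before go-live, as an added example that is not part of the original documentation: the script reports whether unsigned_ssl_certificate_support is still enabled in a proxy-config.tpl file. The name/value element layout and the sample snippets are assumptions constructed for illustration, because the page does not show the file's contents.

```python
import re
import sys

PROPERTY = "unsigned_ssl_certificate_support"

# Assumed layout (the page does not show it): the property is a
# <name>/<value> element pair, with or without a namespace prefix.
_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_PAIR = re.compile(
    r"<(?:\w+:)?name>\s*" + re.escape(PROPERTY) + r"\s*</(?:\w+:)?name>\s*"
    r"<(?:\w+:)?value>\s*(.*?)\s*</(?:\w+:)?value>",
    re.DOTALL,
)

def audit_proxy_config(text):
    """Return (status, values) for the property in proxy-config.tpl text.

    'ok'       every active setting is false
    'insecure' at least one active setting is not false
    'missing'  the property is not set, so the effective value is unknown
    """
    active = _COMMENT.sub("", text)  # commented-out settings do not count
    values = [v.lower() for v in _PAIR.findall(active)]
    if not values:
        return "missing", values
    if all(v == "false" for v in values):
        return "ok", values
    return "insecure", values

# Constructed samples, not copied from a real deployment.
SHIPPED = """<proxy:proxy-rules xmlns:proxy="urn:example:constructed">
  <proxy:meta-data>
    <proxy:name>unsigned_ssl_certificate_support</proxy:name>
    <proxy:value>true</proxy:value>
  </proxy:meta-data>
</proxy:proxy-rules>"""
HARDENED = SHIPPED.replace(">true<", ">false<")

if __name__ == "__main__":
    # Usage: python audit_proxy_config.py /path/to/proxy-config.tpl
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SHIPPED
    status, values = audit_proxy_config(text)
    print(f"{PROPERTY}: {status} {values}")
    sys.exit(0 if status == "ok" else 1)
```

The non-zero exit status for "insecure" and "missing" lets the check gate a deployment script.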

