Steps to renew certificate using IBM Key Management Utility

1. Take a backup of the existing three files (.kdb, .rdb & .sth) at path: D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal
2. Start the “Key Management Utility”
3. Open the key database file and point it to the backup copy of the .kdb file, so that no changes are made to the currently working .kdb file:
4. It will prompt for the password, which is stored at D:\IBM\HTTPServer\KeyFile DB\Password for KDB file.txt
5. Under “Personal Certificates” select the active certificate (the active cert is marked with a * sign) and click “View/Edit…”
6. Copy the common name (CN) and key label, for example:
   CN=absn-qa.OUgc.net
   Key label: absent_SHA2_2015
7. Select “Personal Certificate Requests” in the “Key database content” dropdown and click “New…”

8. Enter the same key label and CN as copied in step 6, along with all other required details:

9. The CSR will now be generated at path: D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\certreq.arm
(This path is entered in step 8.)
10. Open the link to submit the CSR generated in step 9.
11. Submit the Request ID to the Certificate Key Management team within your organisation.

12. Once the request is processed, download the server cert and root cert and place them on the server at the same location:
D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\certnew.cer
D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\certnew.p7b

13. Start the “Key Management Utility” and open the backup copy of the KDB file:
D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\absnet.kdb
14. In the dropdown, select “Personal Certificates” and click “Receive…”

15. Browse to the location where the new server cert was saved, select it and click OK.
On QA: D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\certnew.cer

16. Upon clicking “Ok”, the new cert will be visible under “Personal Certificates”
17. Click “View/Edit…” and verify the certificate details (CN, key label, validity dates).
18. Select “Signer Certificates” in the “Key database content” dropdown and click “Add…”
19. Click “Browse” and select the root certificate “certnew.p7b”
QA: D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal\certnew.p7b
20. Once you click “Ok”, a new window will open. Select the two root certificates listed and click “OK”.

21. The two root certs will now be available under “Signer Certificates”.

22. Go to Services and restart the IBM HTTP Server service.
23. Test the certificate.
24. Once testing is complete, take a new backup of the three files (.kdb, .rdb & .sth) at “D:\IBM\HTTPServer\KeyFile DB\New Backup”
25. Copy the three files (.kdb, .rdb & .sth) from “D:\IBM\HTTPServer\KeyFile DB\SSL_Cert_renewal” over the ones in “D:\IBM\HTTPServer\KeyFile DB\”
26. To import the same certificate on another server, copy the three files (.kdb, .rdb & .sth) to “D:\IBM\HTTPServer\KeyFile DB” on that server.
(Take a backup before replacing.)

Alternatively, you can use the “Export key” option, which creates .kdb & .rdb files that you can then import on the destination server.

27. Restart the service.
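Step 23 says “Test the certificate” without saying how. The following is an added example, not part of the original procedure, showing a check a practitioner can run after the service restart: it connects to the renewed HTTPS endpoint with Python's standard ssl module (which also validates the chain against the local trust store, so a missing signer cert surfaces as a verification error) and confirms that the served certificate carries the CN from the CSR and is not expired. The two sample certificate dicts, the reference date and the host name absn-qa.OUgc.net are constructed for the offline demonstration; nothing here is real certificate data.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, timeout=10):
    """Connect to the renewed HTTPS endpoint and return the certificate it
    serves, in the dict form that ssl's getpeercert() produces.  The default
    context validates the chain against the local trust store, so a missing
    signer certificate shows up here as an SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert, expected_cn, now=None, min_days=30):
    """Check a getpeercert()-style dict: the expected name must be the CN
    (or appear as a DNS SAN), and the cert must not be expired or about to
    expire.  Returns the extracted values plus a list of findings; an empty
    findings list means the renewed certificate is the one being served."""
    now = now or datetime.now(timezone.utc)
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

    # notAfter is an ASN.1 time string; cert_time_to_seconds parses it as UTC
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days

    findings = []
    if cn != expected_cn and expected_cn not in sans:
        findings.append(f"name mismatch: CN={cn!r}, SAN={sans}, expected {expected_cn!r}")
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago (old cert still being served?)")
    elif days_left < min_days:
        findings.append(f"certificate expires in {days_left} days")
    return {"cn": cn, "sans": sans, "not_after": not_after, "days_left": days_left, "findings": findings}


# Constructed samples shaped like ssl.getpeercert() output (hypothetical, not real certs)
OLD_CERT = {
    "subject": ((("commonName", "absn-qa.OUgc.net"),),),
    "notAfter": "Dec 31 23:59:59 2015 GMT",
    "serialNumber": "01",
}
NEW_CERT = {
    "subject": ((("commonName", "absn-qa.OUgc.net"),),),
    "subjectAltName": (("DNS", "absn-qa.OUgc.net"),),
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "serialNumber": "02",
}
# Fixed "today" for the offline demonstration (constructed)
REFERENCE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        result = check_cert(cert, "absn-qa.OUgc.net", now=REFERENCE_NOW)
        print("serial", cert["serialNumber"], "days left", result["days_left"], result["findings"] or "OK")
    # Live check after restarting the service (needs network access to the host):
    # print(check_cert(fetch_peer_cert("absn-qa.OUgc.net"), "absn-qa.OUgc.net"))
```

Run the live check from a machine that trusts the issuing CA; if the old certificate is still being served, the expiry finding points to the .kdb/.sth files not having been replaced, or the service not having been restarted.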

NOTE: We deliberately reused the same key label (absent_SHA2_2015) at the start so that no configuration change is needed in “D:\IBM\HTTPServer\conf\httpd.conf”, where the label is referenced by SSLServerCert at the very end of that file:

<VirtualHost *:443>
    SSLEnable
    SSLServerCert absnet_SHA2_2015
    SSLClientAuth 0
    Keyfile "D:\IBM\HTTPServer\KeyFile DB\absnet.kdb"
    CustomLog "|bin/rotatelogs.exe logs/access_ssl.%Y-%m-%d.log 86400" common
    SSLProtocolDisable SSLv2
</VirtualHost>
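Because the httpd.conf block above is the reason the key label must be reused, a pre-restart consistency check is worth having. The following is an added example (not part of the original page or of IBM's tooling) that parses the <VirtualHost *:443> block, confirms SSLServerCert matches the label used when the CSR was created, confirms the .kdb, .rdb and .sth files referenced by Keyfile are all present, and reports which protocols SSLProtocolDisable lists (flagging SSLv3 as still enabled is an extra check of mine, not something the page asks for). The embedded config text is a copy of the block above; the keyfile_root parameter and the temporary directory in demo() are constructed so the check runs on any machine rather than against the Windows path in the config.

```python
import re
import tempfile
from pathlib import Path

# Copy of the <VirtualHost *:443> block from httpd.conf shown above (constructed sample)
HTTPD_CONF_SAMPLE = r'''
<VirtualHost *:443>
    SSLEnable
    SSLServerCert absnet_SHA2_2015
    SSLClientAuth 0
    Keyfile "D:\IBM\HTTPServer\KeyFile DB\absnet.kdb"
    CustomLog "|bin/rotatelogs.exe logs/access_ssl.%Y-%m-%d.log 86400" common
    SSLProtocolDisable SSLv2
</VirtualHost>
'''

# The three files that travel together in steps 24-26
KEYDB_EXTENSIONS = (".kdb", ".rdb", ".sth")


def parse_ssl_vhost(conf_text):
    """Return the directives of the first <VirtualHost *:443> block as a dict
    of name -> argument string (surrounding quotes stripped).  Directives with
    no argument, such as SSLEnable, map to ''."""
    m = re.search(r"<VirtualHost\s+\*:443>(.*?)</VirtualHost>", conf_text, re.S | re.I)
    if not m:
        raise ValueError("no <VirtualHost *:443> block found")
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        directives[name] = arg.strip().strip('"')
    return directives


def check_renewal_config(conf_text, expected_label, keyfile_root=None):
    """Cross-check httpd.conf against the renewed key database.
    - SSLServerCert must equal the key label the CSR was created under,
      otherwise IHS will not find the new certificate at startup.
    - The Keyfile must exist together with its .rdb and .sth siblings.
    - SSLProtocolDisable is reported so the operator sees what stays enabled.
    keyfile_root (hypothetical parameter) overrides the directory part of the
    Windows path in the config so the check can run elsewhere."""
    d = parse_ssl_vhost(conf_text)
    findings = []
    label = d.get("SSLServerCert")
    if label != expected_label:
        findings.append(f"SSLServerCert is {label!r} but the renewed cert was requested under {expected_label!r}")
    keyfile = d.get("Keyfile", "")
    win_path = Path(keyfile.replace("\\", "/"))          # make the Windows path splittable anywhere
    root = Path(keyfile_root) if keyfile_root else win_path.parent
    for ext in KEYDB_EXTENSIONS:
        if not (root / (win_path.stem + ext)).is_file():
            findings.append(f"missing {win_path.stem + ext} next to the Keyfile")
    disabled = set(d.get("SSLProtocolDisable", "").split())
    if "SSLv3" not in disabled:
        findings.append("SSLProtocolDisable does not list SSLv3")
    return {"label": label, "keyfile": keyfile, "disabled_protocols": disabled, "findings": findings}


def demo(expected_label="absnet_SHA2_2015", missing=()):
    """Run the check against a temporary directory holding empty absnet.kdb/.rdb/.sth
    stand-ins (constructed), optionally leaving some out to show that finding."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext in KEYDB_EXTENSIONS:
            if ext not in missing:
                (Path(tmp) / ("absnet" + ext)).write_bytes(b"")
        return check_renewal_config(HTTPD_CONF_SAMPLE, expected_label, keyfile_root=tmp)


if __name__ == "__main__":
    print(demo())                                   # label matches, all files present
    print(demo(missing=(".sth",)))                  # stash file forgotten in step 25
    print(demo(expected_label="absent_SHA2_2015"))  # label typo between CSR and httpd.conf
```

On the real server, call check_renewal_config with the contents of httpd.conf and no keyfile_root, so the files are looked up at the Keyfile path itself; an empty findings list (apart from the SSLv3 note) before the restart in step 27 means the reused label and the three copied files line up.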