
I'm running 2 IBM HTTP Servers (7.0) on different machines, and I'm updating the SSL certificates for both. The certificate is a wildcard certificate.

I have successfully updated the certificate for the server that I generated the update request from, and all seems well there.

My problem occurs when trying to re-use the certificate on my second server. I have read several sites that state that I need to export the certificate from the first server (using iKeyMan), then copy it to the second server. Then create a new KDB file, and import the certificate. I've done this, and when looking at the contents of the new KDB file it seems complete (it has all the certificates required - root, intermediate, etc).

However when I try to use the files (the KDB and the corresponding STH file) in my server configuration, it fails - the server starts but my certificate is not installed.

Anyone know what I'm doing incorrectly?

Zoran Regvart
ben_979
  • Have you tried simply copying the `.kdb` and `.sth` files over to the other server? Have you checked for errors in the IHS logs? Does the `SSLServerCert` directive hold the label of the certificate in the `.kdb` file? – Zoran Regvart Oct 30 '15 at 23:05
  • Yes, I tried just copying the `.kdb`, `.sth` and `.rdb` files without success. The error log contains this: `SSL Handshake Failed, Specified label could not be found in the key file.` – ben_979 Oct 30 '15 at 23:15
  • Bingo. I didn't realize that the SSLServerCert directive had to match the label in the .kdb . (I'm replacing an existing certificate and didn't understand the correlation) That worked, thank you very much. Please submit an answer and I'll accept it. – ben_979 Oct 30 '15 at 23:23

2 Answers

2

The error message "SSL Handshake Failed, Specified label could not be found in the key file" reported in the error log file means the IBM HTTP Server was not able to find a personal certificate stored in the KDB key database file, and this is because of the SSL configuration:

For example:

```apache
Listen 0.0.0.0:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

<VirtualHost 0.0.0.0:443>
ServerName fully-qualified-name-or-site-name
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
```

This is the most commonly used SSL VirtualHost stanza configuration. The IBM HTTP Server is designed to search for a personal certificate stored in the KDB key database file, from the Personal Certificates section, that is marked as default.

Open the KDB key database file using the ikeyman utility. In the Personal Certificates section, double click on the certificate label name or click on the View/Edit button to display the certificate's Key information, and look at the bottom left corner: there is a box to place a check mark to “Set the certificate as default”. Once you place the check mark and click OK, the certificate label name will change:

From:
`*.ibm.com`

To:
`* *.ibm.com`

Stop and start the IBM HTTP Server to recognize the changes made in the KDB key database file, then retry sending an https request to the IBM HTTP Server. Now the web server search finds and presents the personal certificate marked as default to the client browser during the SSL handshake. If there is only one personal certificate stored in the IBM HTTP Server KDB key file, it is recommended to use this method. Using the SSLServerCert directive with the certificate label name is a valid option; however, it is useful and required when you have multiple certificates stored in the key database file along with multiple SSL VirtualHost stanza configurations. Review the following IBM Technote (click here) for guidance on how to configure SSL within the IBM HTTP Server.

Louie_G
0

As discussed in the comments, the SSLServerCert directive value must match the label of the certificate to be used in the .kdb file. Using the Key Management Utility (IKEYMAN), labels can be inspected in the Personal Certificates section.

Zoran Regvart
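Both answers come down to the same lookup rule: an SSL VirtualHost either names a label with `SSLServerCert`, which must exist as a personal certificate in its `KeyFile`, or names nothing and relies on the personal certificate marked default. The script below, added here as an illustration and not code from either answerer or from IBM, models that rule as a pre-flight check you can run before restarting IHS: it parses the SSL VirtualHost stanzas out of an `httpd.conf` fragment, resolves the effective `KeyFile` (stanza-level or server-wide), and reports which stanzas would produce "Specified label could not be found in the key file" or have no default certificate to fall back on. The KDB contents are a constructed list, assumed to be what you read off the ikeyman Personal Certificates pane (the asterisk prefix on the label marks the default), and the exact-match comparison of labels is an assumption.

```python
"""Pre-flight check: can every SSL VirtualHost in an IBM HTTP Server config
find a personal certificate in its KeyFile?  Added example; the KDB listings
and config fragments below are constructed, not read from a real server."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class KdbEntry(NamedTuple):
    label: str
    personal: bool  # personal certificate (has a private key) rather than a signer/CA entry
    default: bool   # "Set the certificate as default" ticked in ikeyman


class VHost(NamedTuple):
    name: str
    keyfile: Optional[str]
    server_cert: Optional[str]


def parse_ssl_vhosts(conf: str) -> List[VHost]:
    """Return the SSL-enabled VirtualHost stanzas with their effective KeyFile
    and SSLServerCert.  A KeyFile inside the stanza wins; otherwise the
    server-wide KeyFile applies, wherever in the file it appears."""
    global_keyfile: Optional[str] = None
    stanzas = []
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = {"name": m.group(1), "keyfile": None, "cert": None, "ssl": False}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current and current["ssl"]:
                stanzas.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if directive == "keyfile":
            if current is not None:
                current["keyfile"] = value
            else:
                global_keyfile = value
        elif current is not None and directive == "sslenable":
            current["ssl"] = True
        elif current is not None and directive == "sslservercert":
            current["cert"] = value
    return [VHost(s["name"], s["keyfile"] or global_keyfile, s["cert"]) for s in stanzas]


def check_vhost(vh: VHost, kdbs: Dict[str, List[KdbEntry]]) -> str:
    """Model of the certificate selection described in the answers above."""
    if vh.keyfile is None:
        return "no KeyFile"
    entries = kdbs.get(vh.keyfile.lower())
    if entries is None:
        return "KeyFile not found"
    personal = [e for e in entries if e.personal]
    if vh.server_cert is not None:
        # Explicit label: assumed to require an exact match with a personal certificate.
        if any(e.label == vh.server_cert for e in personal):
            return f"ok: {vh.server_cert}"
        return "Specified label could not be found in the key file"
    # No SSLServerCert: the server falls back to the personal certificate marked default.
    defaults = [e for e in personal if e.default]
    if defaults:
        return f"ok: {defaults[0].label} (default)"
    return "no default personal certificate"


def check_config(conf: str, kdbs: Dict[str, List[KdbEntry]]) -> List[Tuple[str, str]]:
    return [(vh.name, check_vhost(vh, kdbs)) for vh in parse_ssl_vhosts(conf)]


# Constructed KDB contents of the second server after importing the wildcard cert:
# the chain is present, the personal cert is there, but nothing is marked default.
KDBS = {
    "c:/program files/ibm http server/key.kdb": [
        KdbEntry("Root CA", personal=False, default=False),
        KdbEntry("Intermediate CA", personal=False, default=False),
        KdbEntry("*.example.com", personal=True, default=False),
    ],
}
# Same KDB after "Set the certificate as default" in ikeyman.
KDBS_WITH_DEFAULT = {k: [e._replace(default=e.personal) for e in v] for k, v in KDBS.items()}

# Constructed httpd.conf fragment still carrying the label of the old certificate.
BROKEN_CONF = """
Listen 0.0.0.0:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost 0.0.0.0:443>
ServerName www.example.com
SSLEnable
SSLClientAuth None
SSLServerCert old-server-cert
</VirtualHost>
SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
"""
# Fix 1: point SSLServerCert at the label actually in the KDB.
FIXED_BY_LABEL = BROKEN_CONF.replace("SSLServerCert old-server-cert", "SSLServerCert *.example.com")
# Fix 2: drop SSLServerCert and rely on the default certificate.
NO_SERVERCERT_CONF = BROKEN_CONF.replace("SSLServerCert old-server-cert\n", "")

if __name__ == "__main__":
    for title, conf, kdbs in [
        ("old label, imported KDB", BROKEN_CONF, KDBS),
        ("SSLServerCert fixed", FIXED_BY_LABEL, KDBS),
        ("no SSLServerCert, no default", NO_SERVERCERT_CONF, KDBS),
        ("no SSLServerCert, default set", NO_SERVERCERT_CONF, KDBS_WITH_DEFAULT),
    ]:
        print(f"{title}: {check_config(conf, kdbs)}")
```

The third case is the one to watch when you choose the "mark as default" route: removing `SSLServerCert` without also ticking the default box leaves the stanza with no certificate at all, so the check reports that before you find out from the error log.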