
mylotustips's blog

Experience sharing on the IBM Lotus collaboration product family

 
 
 


How to request and install SSL certificate for IBM HTTP Server from 3rd party CA?  

2015-03-25 17:46:22 | Category: SocialBusiness

Question: People care about protecting sensitive data in social business. The documentation in the Knowledge Center only describes how to create a self-signed certificate. As more and more modern browsers refuse to let clients connect to sites that use a self-signed certificate, how can we give end users more confidence?

Answer:

We suggest that the customer buy an SSL certificate first. There are plenty of choices at http://www.ssls.com/

The customer purchased a PositiveSSL certificate from Comodo ($14.97 for 3 years, an amazing price!).

 

First of all, the site admin needs to generate a new KDB file.

Using iKeyman to create a key database file

http://www-01.ibm.com/support/docview.wss?uid=swg21006430

 

How do I create a new "Certificate Request" to send to a CA (for example, Verisign)?

  1. Open the key database file (.kdb) using the iKeyman utility.
  2. In the middle of the iKeyman GUI you will see a section called Key database content.
  3. Click on the "down arrow" to the right, to display a list of three choices.

     Select Personal Certificate Requests.

  4. From the Personal Certificate Requests section, click New.

Key Label= (Fully Qualified Domain Name, for example, conn.acme.com.cn)

Key Size= (2048bit)

Common Name= (Fully Qualified Domain Name, for example, conn.acme.com.cn)

Note: This is the name that the CA will register, so it is important it matches the actual SiteName

Organization= (Company Name, for example, ACME)

"Enter the name of a file in which to store the certificate request"

Note: This is the file (.arm) that will contain your request. It is a simple text file that can be opened in any text editor. The information contained in this file is what the CA (e.g. Verisign) needs you to provide to them.

 

*Saving this file (.arm) in the same directory as the (.kdb) file is recommended.

5. Once you save the file (.arm) you are done with creating the request.

6. You must now choose a CA and follow the CA's instructions for sending them the "Certificate Request".

If you choose PositiveSSL from Comodo, follow instructions here to activate the certificate:

https://www.ssls.com/index.php?dispatch=simplekb.article&article_id=657&category_id=58

 

7. Validated domain ownership by entering the verification code sent to admin@acme.com.cn

8. Received 4 files in email from Comodo:

> Signer Certificates:

AddTrustExternalCARoot.crt

COMODORSAAddTrustCA.crt

COMODORSADomainValidationSecureServerCA.crt

> Personal Certificate:

conn_acmecom.crt

 

Followed the instructions from Comodo to install the CA certificates into the new kdb created earlier:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/819/37/certificate-installation-ibm-http-server

 

How do I receive the Certificate into the Key Database File (.kdb) file after getting it back from the CA?

Note: CAs usually send back an email with the certificate information provided as text in the email.

Take the information provided in the email and copy it into a text file.

Save the text file with a .cert extension or .arm extension.

 

  1. Open the .kdb file using the iKeyman utility.
  2. In the middle of the iKeyman GUI you will see a section called Key database content.
  3. Click on the "down arrow" to the right, to display a list of three choices.
  4. Select Personal Certificates.
  5. From the Personal Certificates section, click Receive.
  6. Data Type= (Leave the default of "Base64-encoded ASCII data")
  7. Browse to the directory that contains the .cert or .arm file
  8. Highlight the file conn_acmecom.crt and click Open.
  9. Now click OK on this dialog box
  10. Select Signer Certificates.
  11. From the Signer Certificates section, click Add.
  12. Data Type= (Leave the default of "Base64-encoded ASCII data")
  13. Browse to the directory that contains the .cert or .arm file

  14. Highlight the 3 CA-provided files (AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt) and click Open.
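Before importing, it helps to confirm that the files received from the CA form one unbroken chain and to see which file is the root, which are intermediates and which is the personal certificate. The Python sketch below is an added example, not part of the original post and not IBM or Comodo tooling; the function names are hypothetical, and it only matches issuer and subject names (it does not verify signatures).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, end_offset) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos + length

def _inside(buf, pos):
    """Offset of the first element nested in the constructed element at pos."""
    first = buf[pos + 1]
    return pos + 2 + (first & 0x7F if first & 0x80 else 0)

def issuer_subject(pem_text):
    """Return the raw DER issuer and subject Names of a PEM certificate."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    pos = _inside(der, _inside(der, 0))  # Certificate -> tbsCertificate -> first field
    tag, end = _tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    _, pos = _tlv(der, pos)              # skip serialNumber
    _, pos = _tlv(der, pos)              # skip signature algorithm
    _, end = _tlv(der, pos)
    issuer, pos = der[pos:end], end
    _, pos = _tlv(der, pos)              # skip validity
    _, end = _tlv(der, pos)
    return issuer, der[pos:end]

def import_plan(files):
    """files maps file name -> PEM text. Returns (signers root first, personal cert)."""
    info = {name: issuer_subject(text) for name, text in files.items()}
    by_subject = {subject: name for name, (_, subject) in info.items()}
    issuing = {issuer for issuer, subject in info.values() if issuer != subject}
    leaves = [n for n, (i, s) in info.items() if s not in issuing and i != s]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one personal certificate, found {leaves}")
    chain = leaves
    while info[chain[-1]][0] != info[chain[-1]][1]:  # stop at the self-signed root
        parent = by_subject.get(info[chain[-1]][0])
        if parent is None or parent in chain:
            raise ValueError(f"signer of {chain[-1]} is missing from the set")
        chain.append(parent)
    if len(chain) != len(files):
        raise ValueError("some certificates are not part of the chain")
    return chain[:0:-1], chain[0]
```

Read the four .crt files into a dict keyed by file name and pass it to `import_plan`; a `ValueError` means a signer is missing or a file does not belong to the chain.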

 

Replaced the key.kdb and key.sth on the IBM HTTP Server and recycled the IBM HTTP Server.

Wow, there are no more SSL certificate error warnings from web browsers!
