IBM HTTP Server (7) and Verisign Intermediate Certificates

I was fighting with the right way to add a recent Verisign certificate to a keystore for the IBM HTTP Server (IHS). I have used the ikeyman utility on Solaris.

The problem indicator was the error message “SSL0208E: SSL Handshake Failed, Certificate validation error” in the SSL log of IHS.

The IBM websites were not really helpful to track down the problem (the missing stuff). The Verisign instructions did not lead to a working solution either.

What was done before: the Verisign Intermediate Certificates were imported as “Signer Certificates”, and the certificate for the webserver was imported within “Personal Certificates”. Without the signer certificates the personal certificate would not import due to an intermediate certificate missing (no valid trust chain).

What I did to resolve the problem:

  • I removed all Verisign certificates.
  • I added the Verisign Root Certificate and the Verisign Intermediate Certificate A as a signer certificate (use the “Add” button). I also tried to add the Verisign Intermediate Certificate B, but it complained that some part of it was already there as part of the Intermediate Certificate A. I skipped this part.
  • Then I converted the server certificate and key to a PKCS12 file via “openssl pkcs12 -export -in server-cert.arm -out cert-for-ihs.p12 -inkey server-key.arm -name name_for_cert_in_ihs”.
  • After that I imported the cert-for-ihs.p12 as a “Personal Certificate”. The import dialog offers 3 items to import. I selected the “name_for_cert_in_ihs” and the one containing “cn=verisign class 3 public primary certification authority - g5” (when I selected the 3rd one too, it complained that a part of it was already imported with a different name).

With this modified keystore in place, I just had to select the certificate via “SSLServerCert name_for_cert_in_ihs” in the IHS config and the problem was fixed.
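The chain and export steps above, as an added shell example that is not from the original post and not IBM's or Verisign's tooling: it builds a throwaway root, intermediate and server certificate with openssl (every subject and file under the work directory is constructed for the demo), shows that the server certificate validates only when the intermediate certificate is available to the verifier (the condition behind a “Certificate validation error” such as SSL0208E), and then packages key, server certificate and intermediate into a PKCS#12 file using the same file names and `-name` as the post. The `-certfile int.crt` argument is an addition that bundles the intermediate into the .p12; the post's command did not include it and relied on the intermediate already being present in the keystore as a signer certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why a missing
# intermediate breaks certificate validation and how to bundle it into the
# PKCS#12 file that gets imported as a "Personal Certificate".
# Assumes: openssl (1.1.1 or 3.x) on PATH; all certificates below are constructed.

WORK="${WORK:-$(mktemp -d)}"

make_demo_chain() {
    # Self-signed root CA (stands in for the Verisign root certificate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null &&
    # Intermediate CA signed by the root; CA:TRUE is required or it is not a valid issuer.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null &&
    # Server (leaf) certificate signed by the intermediate; names follow the post.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$WORK/server-key.arm" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/server-cert.arm" 2>/dev/null
}

# Trust store holds only the root: the leaf cannot be chained and validation fails.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server-cert.arm"
}

# Same root, but the intermediate is supplied as an untrusted chain cert: validation succeeds.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/server-cert.arm"
}

# Package key + server cert + intermediate, as the post does, plus -certfile for the chain.
build_pkcs12() {
    openssl pkcs12 -export -in "$WORK/server-cert.arm" -inkey "$WORK/server-key.arm" \
        -certfile "$WORK/int.crt" -name name_for_cert_in_ihs \
        -passout pass:changeit -out "$WORK/cert-for-ihs.p12"
}

# Number of certificates the .p12 carries (the items an import dialog would offer).
count_p12_certs() {
    openssl pkcs12 -in "$WORK/cert-for-ihs.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    make_demo_chain || { echo "chain generation failed"; return 1; }
    echo "--- root only (expected to fail, as IHS does when the intermediate is missing):"
    verify_without_intermediate || true
    echo "--- root + intermediate (expected OK):"
    verify_with_intermediate
    build_pkcs12
    echo "certificates bundled in cert-for-ihs.p12: $(count_p12_certs)"
}

main
```

The first verify prints openssl's “unable to get local issuer certificate”, which is the same class of failure IHS reports as a validation error; the second succeeds because the intermediate closes the chain to the trusted root. Bundling the intermediate into the .p12 means the import carries its own chain instead of depending on signer certificates added separately.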
