I'm running 2 IBM HTTP Servers (7.0) on different machines, and I'm updating the SSL certificates for both. The certificate is a wildcard certificate.
I have successfully updated the certificate for the server that I generated the update request from, and all seems well there.
My problem occurs when trying to re-use the certificate on my second server. I have read several sites that state that I need to export the certificate from the first server (using iKeyMan), then copy it to the second server. Then create a new KDB file, and import the certificate. I've done this, and when looking at the contents of the new KDB file it seems complete (it has all the certificates required - root, intermediate, etc).
However when I try to use the files (the KDB and the corresponding STH file) in my server configuration, it fails - the server starts but my certificate is not installed.
Anyone know what I'm doing incorrectly?
答案 0 :(得分:2)
错误消息 “SSL握手失败,无法在错误日志文件中报告的密钥文件” 中找到指定的标签,IBM HTTP Server无法查找存储在KDB密钥数据库文件中的个人证书,这是因为SSL配置:
For example:
Listen 0.0.0.0:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost 0.0.0.0:443>
ServerName fullyqualifyname or site name.
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
这是最常用的SSL VirtualHost Stanza配置。 IBM HTTP Server旨在从标记为默认的个人证书部分中搜索存储在KDB密钥数据库文件中的个人证书。
使用ikeyman实用程序打开KDB密钥数据库文件,在个人证书部分内,双击证书标签名称或单击查看/编辑按钮以显示密钥信息证书上下文并查看左下角有一个复选框用于 “将证书设置为默认值” 。选中复选标记并单击“确定”后,证书标签名称将更改:
From:
*.ibm.com
To:
* *.ibm.com
停止并启动IBM HTTP Server以识别在KDB密钥数据库文件中所做的更改。重试向IBM HTTP Server发送https请求。现在,Web服务器搜索在SSL握手期间查找并将标记为默认的个人证书呈现给客户端浏览器。 如果IBM HTTP Server KDB密钥文件中只存储了一个个人证书,建议使用此方法。使用带有证书标签名称的SSLServerCert指令,它是一个有效的选项。但是,当您在密钥数据库文件中存储多个证书以及多个SSL虚拟主机节配置时,它非常有用。查看以下IBM Technote,单击here以获取有关如何在IBM HTTP Server中配置SSL的指导。
答案 1 :(得分:0)