Unable to Import Let's Encrypt Cert in to IBM ikeyman GUI for Managing IBM .kdb

I was trying to implement a Let's Encrypt certificate on IBM HTTP Server of WAS 6.0.1 using the acme-tiny client.
I generated the personal certificate request (.arm) using SHA1 on ikeyman and generated the signed certificate using the SHA256 algorithm (signed.crt).
Then I added the DST Root certificate (root.der) and the Let's Encrypt intermediary certificate (chain.der) as signer certificates.
I renamed signed.crt to signed.cer and then received it as a personal certificate in ikeyman, but it is giving me the error: "An error occured while receiving the certificate from the given file"

It will be very helpful if someone can suggest what might be the issue, as I was able to generate the signed certificate but not able to receive it into its key database using ikeyman of IBM HTTP Server.

You are going to have to be much clearer on the steps you took.

Can you tell me what clearer steps you are talking about?
Also, do let me know whether a certificate request created using SHA1 does not support a signer certificate generated using the SHA256 algorithm,
because ikeyman of WAS 6.0 can generate a CSR using the SHA1 algorithm only.

When you write a help request you are usually asked the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

I believe in 50/50 effort, and your 50% is explaining your thinking. For example:

I read somewhere (with a link hopefully to official documentation) that WAS needs to generate its own CSR requests as it cannot import private keys for SSL certificates.

With this in mind I ran the WAS Commands to generate a CSR.
I also ran the following validation on the CSR to make sure it's correct.

I then used that CSR with Client x and the following

I successfully obtained / did not obtain a certificate

etc
etc

Andrei

> Can you tell me what clearer steps you are talking about?
> Also, do let me know whether a certificate request created using SHA1 does not support a signer certificate generated using the SHA256 algorithm,
> because ikeyman of WAS 6.0 can generate a CSR using the SHA1 algorithm only.

If this is the case then you are out of luck, as SHA1 certificates are not allowed to be issued by public CAs.

You have 3 options:

  • see if there is a patch for generating SHA256 Signed CSRs
  • look at running your own internal CA (if the WAS does not need a publicly trusted certificate).
  • I think some CAs can still issue SHA1 certs under special circumstances, but Let's Encrypt is not one of them.

I generated the personal certificate request (.arm) using ikeyman,
then I generated signed.crt using the acme-tiny client,
then I downloaded the DST root certificate and the Let's Encrypt chain certificate,
then in ikeyman I first added the root certificate, then the chain certificate,
but when I try to add the personal certificate, I get the error mentioned initially.

If you have successfully issued a certificate with Let's Encrypt but your issues are with importing, I suggest you contact IBM to assist you further or look on their forums, as they may have more insights into this error.

https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ag_srv_adm_receive_cert_key_db.html#t_adg_srv_adm_receive_cert_key_db

The documentation above does not specify a format for the certificate, so it may be a formatting issue, as some tools require DER certificates instead of PEM certificates.

Unfortunately, supporting every single piece of software that supports TLS encryption is impossible for anyone, so if your challenges are not with getting a certificate but rather with importing into a specific tool, I suggest you talk to the people who make the tool.

Andrei

I also highly suspect that ikeyman is just a GUI for Java Key Stores.

I wrote an article on how to interact with these (and another tool you can use to check them) here: Tutorial - Java KeyStores (JKS) With Let's Encrypt

Hope this helps

Andrei

Thanks for your help. I will also try to get help from the IBM HTTP Server forum.
As we have a three-day holiday in India, I can test this JKS keystore only on the coming Tuesday.


Also have a look at page 41 of this document: http://www-01.ibm.com/support/docview.wss?uid=swg27036662&aid=1

I believe it's a formatting issue that you are experiencing.

http://www-01.ibm.com/support/docview.wss?uid=swg21283831

Andrei

I executed the following commands to generate the signed certificate:

  1. openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /etc/ssl/letsencrypt/account.key
  2. python acme_tiny.py --account-key /etc/ssl/letsencrypt/account.key --csr /etc/ssl/letsencrypt/xxxxxx.xxx.in/domain.arm --acme-dir /var/www/challenges > /etc/ssl/letsencrypt/xxxxxx.xxx.in/signed.crt
  3. wget --no-check-certificate 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem'
  4. mv lets-encrypt-x3-cross-signed.pem /etc/ssl/letsencrypt/chain.pem
  5. Then converted root.pem to root.der and chain.pem to chain.der using an online tool
  6. Renamed signed.crt to signed.cer
  7. On receiving signed.cer in ikeyman, I get the error mentioned initially

Can anyone suggest what might be the issue in receiving the certificate in ikeyman after the above commands?

You need to read, read, read :smiley:

In the whole process you mentioned above, what about the personal certificate request? Because when we add the certificate it will give the error: "the certificate request must exist in the key database"

Can Let's Encrypt generated SSL certificates be imported into ikeyman where the IBM HTTP Server Java version is 1.4.2?
Because when I ran the command:

keytool -list -v -keystore /tmp/your.p12 -storetype pkcs12 -storepass password
in my HTTP server's Java, it is giving the error:
keytool error (likely untranslated): java.io.IOException: no such
algorithm: 1.2.840.113549.1.1.11 for provider IBMJCE

You probably need to convert signed.crt to DER too. Renaming it is not sufficient.

You can use an online tool, since there is nothing private in your certificate (they are all published to crt.sh).

Or you can use the openssl command if available:

openssl x509 -in signed.pem -outform der -out signed.cer
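Two things in this thread are easy to confuse from the filename alone: whether signed.crt is really PEM text that was only renamed to .cer (the point made just above), and which signature algorithm the certificate carries (the keytool error a few posts up names OID 1.2.840.113549.1.1.11, which is sha256WithRSAEncryption, and the IBMJCE provider in that Java 1.4.2 does not know it). The following is an added example, not code from the thread or from IBM or acme-tiny: a small stdlib-only Python checker that classifies a certificate file as PEM or DER, converts PEM to DER (the same result as the openssl command above), and reads the outer signatureAlgorithm OID straight out of the DER structure. The certificate it checks is a constructed minimal X.509 skeleton built inline, not a real Let's Encrypt certificate; the OID-to-name table and the parser are assumptions of this example, although the parser works on real DER certificates as well.

```python
"""Classify a certificate file as PEM or DER, convert PEM to DER, and read
the signatureAlgorithm OID from the DER structure (added example; the
sample certificate is constructed here and is not a real certificate)."""
import base64
import re

# OID -> name for the signature algorithms relevant to the thread (assumed table).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_pem(data: bytes) -> bool:
    """PEM is base64 text between BEGIN/END lines; DER is binary starting with 0x30."""
    return b"-----BEGIN" in data


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER and always return DER. Renaming .crt to .cer changes nothing."""
    if is_pem(data):
        m = PEM_RE.search(data)
        if not m:
            raise ValueError("no CERTIFICATE block found in PEM input")
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":
        raise ValueError("neither PEM text nor a DER SEQUENCE")
    return data


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode OID content bytes (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der: bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return (oid, name) of the AlgorithmIdentifier."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)
    _, alg_id, _ = _read_tlv(cert, pos)
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def diagnose(data: bytes) -> dict:
    """Summary a practitioner wants before trying to import: encoding and signature algorithm."""
    der = to_der(data)
    oid, name = signature_algorithm(der)
    return {"encoding": "PEM" if is_pem(data) else "DER", "sig_oid": oid, "sig_name": name}


# --- constructed sample below: a minimal encoder used only to fabricate a test certificate ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_sample_cert(sig_oid: str) -> bytes:
    """NOT a real certificate: placeholder tbsCertificate, the requested AlgorithmIdentifier,
    and a 256-byte zero signature so the outer length uses the long form like a real one."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(256)))


def constructed_sample_pem(der: bytes) -> bytes:
    """Wrap DER as the PEM text acme-tiny would write to signed.crt."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = constructed_sample_pem(constructed_sample_cert("1.2.840.113549.1.1.11"))
    print(diagnose(sample))   # PEM input, sha256WithRSAEncryption
```

On a real file, `diagnose(open("signed.crt", "rb").read())` reporting `encoding: PEM` means the file still needs the `openssl x509 -outform der` conversion above before ikeyman will treat it as a .cer, and a `sig_name` of sha256WithRSAEncryption is the algorithm the IBMJCE error in this thread says it cannot handle; `openssl x509 -noout -text -in signed.crt` shows the same Signature Algorithm line if openssl is available.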

This is something you need to discuss with IBM as it's their tool.

The Let's Encrypt certificate is a valid format, so it comes down to how IBM ikeyman wants to get the certificate.

I have tried to assist with documentation they have provided however you should go talk to IBM now :smiley:

Andrei
