This guide gives you step by step instructions on how to install an SSL certificate on IBM HTTP Server (IHS). IHS stores certificates in a CMS key database file (a .kdb file), which you manage either with the IKEYMAN graphical tool or the gskcapicmd command line utility.
We also recorded a video that walks you through the entire process. You can watch the video, read the instructions, or do both. You can watch the video below.
Generate a CSR code on IBM HTTP Server
The Certificate Signing Request (CSR) is a block of encoded text that contains your contact information. To apply for an SSL certificate, you create your CSR code and send it to your Certificate Authority (CA) for validation. Along with the CSR you also generate your private key, an essential element of your SSL certificate. You will need the private key, which on IHS lives inside the key database, during installation.
You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on IBM HTTP Server.
You can open your CSR file with any text editor, including Notepad, and copy and paste its contents during the SSL order process with your vendor.
Install an SSL certificate on IBM HTTP Server
After you pass validation and receive your SSL files by email, proceed to the installation. On IBM HTTP Server the process has two parts: first you import the certificates into the key database, then you point httpd.conf at that key database and restart the server. You can complete the import with the IKEYMAN graphical tool or with the gskcapicmd command line utility. Both methods are covered below.
Step 1. Prepare your SSL certificate files
From the ZIP archive your CA sent you, extract the following files:
- The root certificate
- The intermediate certificate
- The primary certificate (for example your_domain.crt)
You also need the key database file (the .kdb file) that you created when you generated the CSR, along with its password. The signed certificate can only be received into the same key database that produced the certificate request.
Step 2. Install the root and intermediate certificates (IKEYMAN)
The signer certificates (root and intermediate) build the trust chain for your primary certificate. Add them first:
- Start IKEYMAN. On UNIX, run
ikeymanfrom the command prompt. On Windows, launch the Key Management Utility from the IBM HTTP Server program folder. - In the main window, select Key Database File, then Open.
- Select your key database (the .kdb file) and click OK.
- Enter your password and click OK.
- In the drop-down menu, select Signer Certificates, then click Add.
- Browse to the certificate you want to add, then click OK. Add the root certificate first, then the intermediate one. Give each a clear label so you can identify it later.
Step 3. Install the primary SSL certificate (IKEYMAN)
Now receive your signed primary certificate. Receiving it associates the signed certificate from your CA with the private key already in the key database:
- In IKEYMAN, go to the drop-down menu and select Personal Certificates, then click Receive.
- Select your primary SSL certificate (for example your_domain.crt) and click OK.
Your certificates are now inside the key database. Continue to Step 5 to make IBM HTTP Server actually serve them.
Step 4 (alternative). Import certificates with the gskcapicmd CLI
If you prefer the command line, or you are on a server without a graphical environment, use gskcapicmd from the bin directory of your IHS installation instead of IKEYMAN. Add the root and intermediate certificates as signer certificates with the -cert -add action:
gskcapicmd -cert -add -db /opt/IBM/HTTPServer/key.kdb -pw password -file root.cer -label "Root CA"
gskcapicmd -cert -add -db /opt/IBM/HTTPServer/key.kdb -pw password -file intermediate.cer -label "Intermediate CA"
Then receive your signed primary certificate into the same key database with the -cert -receive action:
gskcapicmd -cert -receive -db /opt/IBM/HTTPServer/key.kdb -pw password -file your_domain.crt
Adjust the key database path, password, and file names to match your environment. On a 64-bit GSKit installation the binary may be named gsk8capicmd_64. You can confirm the certificates were imported with:
gskcapicmd -cert -list -db /opt/IBM/HTTPServer/key.kdb -pw password
Step 5. Configure httpd.conf and restart IHS
Importing the certificate is not enough on its own: you also have to tell IBM HTTP Server to use the key database and listen on the HTTPS port. Edit httpd.conf (in the conf directory of your IHS installation) and make sure the SSL module is loaded, then configure a virtual host for port 443:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
ServerName www.yourdomain.com
SSLEnable
SSLServerCert "your-certificate-label"
</VirtualHost>
KeyFile "/opt/IBM/HTTPServer/key.kdb"
SSLDisable
- KeyFile: the full path to your key database (.kdb) file. The matching stash file (.sth) must sit next to it so IHS can read the database without prompting for a password.
- SSLEnable: turns on SSL for that virtual host.
- SSLServerCert: the label of the personal certificate to serve. You only need this if the certificate is not marked as the default in the key database.
Save the file and restart IBM HTTP Server with apachectl from the IHS bin directory. The restart action checks the configuration before applying it, so a typo will not silently take the site down:
/opt/IBM/HTTPServer/bin/apachectl restart
Congratulations, your SSL certificate is now installed and served on your IBM HTTP Server.
Install an SSL certificate on IBM Domino server
To install an SSL certificate on the IBM Domino server, you combine all your SSL certificate files into the same Key Ring file that you used during CSR generation.
Step 1. Prepare your SSL certificate files
Make sure you have the following files:
- The root certificate
- The intermediate certificate
- The primary certificate
Step 2. Install the certificates
- In your Domino Admin panel, go to the system database and locate the Domino Server Certificate Administration (CERTSRV.NSF) file.
- Click Install Trusted Root Certificate into Key Ring, and enter the file name of the Key Ring that you created during CSR generation.
- Select one of the three available options to upload your root certificate. The easiest way is to browse to the file location.
- Click Merge Certificate into Key Ring.
- Repeat the previous three steps for your intermediate certificate.
- Click Install Certificate into Key Ring and enter your Key Ring file name (the one you created while generating the CSR).
- Specify the path to your primary certificate and click Merge Certificate into Key Ring.
Congratulations, you have installed an SSL certificate on your IBM Domino web server.
Test your SSL installation
After you install an SSL certificate on IBM HTTP Server, run a diagnostic test on your SSL configuration to confirm that no SSL errors affect your site. With our SSL Checker you can get an instant scan and report on your SSL certificate, including the chain order and expiry dates.
Frequently Asked Questions
IBM HTTP Server stores certificates and private keys in a CMS key database file with a .kdb extension, not in separate PEM files like standard Apache. You manage that key database with the IKEYMAN graphical tool or the gskcapicmd command line utility, and you point IHS at it with the KeyFile directive in httpd.conf.
Both tools manage the same .kdb key database. IKEYMAN is a graphical (Java) interface, useful on a desktop or a server with a display. The gskcapicmd utility does the same work from the command line, which is the better choice for headless servers and for scripting. You can use either one to add the signer certificates and receive your primary certificate.
Importing the certificate into the key database is only half the job. IBM HTTP Server will not serve it until you point the KeyFile directive at the .kdb file, add SSLEnable (and SSLServerCert if the certificate is not the default) to a port 443 virtual host, and restart IHS. Also confirm the server is listening on port 443 and that a stash (.sth) file sits next to the key database.
Use the -cert -receive action and point it at the same key database that generated the CSR. For example:gskcapicmd -cert -receive -db /opt/IBM/HTTPServer/key.kdb -pw password -file your_domain.crt
Add the root and intermediate certificates first with -cert -add, otherwise the chain will be incomplete.
Run apachectl restart from the bin directory of your IHS installation, for example /opt/IBM/HTTPServer/bin/apachectl restart. This is the supported way to restart IHS, and it validates the configuration before applying it. Do not call the httpd binary directly, because it will not find the required GSKit libraries.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


