Previously when creating keystores for plugin signing I’ve used a lot of dark magic, crying at the moon and a custom tool I wrote called KeystoreUtil to convert between different formats. The other day I was doing a consulting gig on plugin signing and came up with an easier way just using iKeyman and the Java tooling. I created a presentation with the various commands and screenshots and put it on Slideshare.
Hope it will help someone.
When you deploy Lotus Connections you find out that the login has to be done using SSL, and hence you need an SSL certificate. When Lotus Connections is installed a self-signed certificate is generated, but you’ll probably want to use a “real” certificate, whether this be one signed by a public CA or one signed by a corporate CA. Doing this is quite simple if you only swap out the IBM HTTP Server certificate, as this only requires a change to httpd.conf and using the ikeyman application.
Although the ikeyman application looks like something from another century, it works and does its job. To launch it, go to c:\websphere\appserver\profiles\appserver1\bin and invoke ikeyman.bat (substitute the path as appropriate). Once this is done, follow the documentation to create a new keystore database (KDB format) and create a stash file. Then generate a new key pair and submit the keys for certification at your CA (again, follow the documentation). The stash file is used by the web server to open the otherwise encrypted keystore without a password.
When you receive the reply, please bear in mind that the certifying certificate must be in the keystore before accepting the reply. For most CAs this will require you to import a certificate before proceeding. This goes for Equifax as well as Verisign. The easiest way to find these is to surf to your CA and search for “intermediate”.
Once this is done you can import the certificate reply, update httpd.conf, restart IHS and you’re laughing…
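A check for the httpd.conf step above, as an added example rather than code from the original post: it finds each `KeyFile` directive, confirms that the .kdb and its stash file exist, and flags either file if group or others can access it, since anyone who can read the stash file can open the keystore. It assumes a POSIX host, a stash file sitting beside the keystore with a `.sth` extension, and constructed sample paths; `check_ihs_keystore` and `demo` are hypothetical names.

```python
import os
import re
import stat
import tempfile

# KeyFile is the IHS directive naming the CMS keystore (.kdb); quotes are optional.
KEYFILE_RE = re.compile(r'^[ \t]*KeyFile[ \t]+"?([^"\n]+?)"?[ \t]*$', re.I | re.M)
SSLENABLE_RE = re.compile(r'^[ \t]*SSLEnable\b', re.I | re.M)

def check_ihs_keystore(conf_text):
    """Return a list of findings for the SSL keystore setup in an httpd.conf."""
    findings = []
    if not SSLENABLE_RE.search(conf_text):
        findings.append("no SSLEnable directive: SSL is not switched on")
    paths = KEYFILE_RE.findall(conf_text)
    if not paths:
        findings.append("no KeyFile directive: IHS has no keystore to load")
    for kdb in paths:
        # Assumption: the stash file is <name>.sth next to <name>.kdb.
        sth = os.path.splitext(kdb)[0] + ".sth"
        for path, what in ((kdb, "keystore"), (sth, "stash file")):
            if not os.path.isfile(path):
                findings.append(f"{what} missing: {path}")
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any group/other bit means accounts besides the owner can reach it.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{what} readable beyond owner ({oct(mode)}): {path}")
    return findings

def demo():
    """Check a constructed httpd.conf and placeholder keystore files in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        kdb = os.path.join(d, "connections.kdb")
        sth = os.path.join(d, "connections.sth")
        for p in (kdb, sth):
            with open(p, "wb") as f:
                f.write(b"constructed placeholder, not a real keystore")
        os.chmod(kdb, 0o600)
        os.chmod(sth, 0o644)  # deliberately too open
        conf = ("Listen 443\n<VirtualHost *:443>\nSSLEnable\n</VirtualHost>\n"
                f'KeyFile "{kdb}"\nSSLDisable\n')
        before = check_ihs_keystore(conf)
        os.chmod(sth, 0o600)  # tightened: owner only
        return before, check_ihs_keystore(conf)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```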