Certificate Woes

Certificate Woes

9 December 2019

Kilian Niemegeerts

Hey, kids, it’s that time of year again … That’s right! Renewal of the certificate! 🙌🏼

Let me tell you a story from last week that started great but almost ended up in horror. A week ago, I received an e-mail from our monitoring system that one of our certificates was about to expire. Therefore, I created a new KeyStore (for easy exchange), generated a Certificate Signing Request (CSR) for a new certificate and sent it to the Certificate Authority (CA). I had my brand-new certificate in no time, but things turned out quite differently. Suddenly something crashed which made me put out the fire and forget about the certificate.

A few days later I got a reminder that the certificate was about to expire, and I continued where I left off. I must have been in a scattered mood and somehow lost the KeyStore I used to generate the CSR. How could I complete the procedure for obtaining my new certificate without all the pieces of the puzzle?

This is how you usually complete the process:

1. Create a KeyStore

2. Create a CSR in the KeyStore

3. Send CSR to CA

4. Receive certificate from CA

5. Import certificate in the previously mentioned KeyStore

Or a more practical way of putting it:


# Create a KeyStore and CSR

$ /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -certreq -create -db “flowfactor.kdb” -pw <pwd> -type kdb -label “flowfactor_wildcard” -dn “CN=webserver, O=Flowfactor, OU=IT, L=Kontich, ST=Antwerpen, C=BE” -san_dnsname “*.flowfactor.be, *.flowfactor.eu” -file “certarm.arm” -size 2048 -sigalg sha256

# Send CSR to CA & Receive certificate from CA (internal or external)

#Import certificate in the previously mentioned KeyStore

$/opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -receive -file “flowfactor_certificate.crt” -db “flowfactor.kdb” -pw <pwd> -type kdb -default_cert enable



Since I was missing the KeyStore, there was no way to complete the puzzle properly. The KeyStore contains the original certificate request and when the issued certificate is “received”, it’s possible to complete the puzzle. I believed that the only way to solve the problem was to start the process all over again.

However, after searching the council of a co-worker I got to see another way. It ignores the need to keep the original CSR and imports the certificate without it. Now, this is far from ideal and the flow above is not only better but also easier. Still, in my situation, I had little choice.


1. Get the private key (should be somewhere readily but safe on the filesystem)

2. Combine the private key and the certificate

3. Import the newly generated file in the KeyStore

4. Import the CA chain

5. For good measure, check the certificate


# Combine the private key and certificate

$ openssl pkcs12 -export -out flowfactor.p12 -in flowfactor_certificate.crt -inkey private.key -passout pass:none

# import the newly generated file in the KeyStore

$ /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -import -file flowfactor.p12 -pw none -label “CN=*.flowfactor.be” -new_label flowfactor_wildcard -target flowfactor.kdb -target_type kdb

# Import the CA chain

$ /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -import -file IntermediateCA.pem -target flowfactor.kdb

/opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -import -file RootCA.pem -target flowfactor.kdb

# Validation Validation VALIDATION

$ /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -validate -label flowfactor_wildcard -db flowfactor.kdb -stashed


All’s well that ends well! Everything continued to work, and I already added “Replace the 2020 certificates in the right way” to my New Year’s resolution list. 💥

Want to know more about our tips & tricks, the team and our adventures? Then make sure to read our other blog posts!

No Comments

Sorry, the comment form is closed at this time.