iTP Secure WebServer System Administrators Guide (Version 7.5+)

a. Using the following command, import the private keys:
bin/keyadmin [-verbose] -importpriv <file> -dn <dn> -keydb <dbfile>
For more information about importing a private key, see “Importing a Private Key into
iTP Secure WebServer's Key Database File” (page 68).
b. Using the following command, add the corresponding certificate:
bin/keyadmin [-verbose] -addcert <file> [-root] -keydb <dbfile>
For more information about adding a certificate, see “Adding a Certificate to the Key
Database File” (page 59).
4. Repeat steps 1 through 3 for all other key database migrations.
5. Configure iTP Secure WebServer with the newly created key database and start the iTP Secure
WebServer environment.
For more information about how to configure the iTP Secure WebServer environment, see
“Configuring the iTP Secure WebServer” (page 94).
Configuring Trusted Client Root Certificate Database
Starting from iTP Secure WebServer Release 7.5, you can use the ClientCADatabase directive
to specify the name of the database that contains the trusted client root certificates.
Perform the following steps if multiple client certificate chains were added manually to the original
key database (configured using the KeyDatabase directive), and there are fewer server
certificate chains:
1. Export the server certificate chain from the original key database.
2. Create a new key database.
3. Import the server certificate chain into the newly created key database.
4. Delete the server certificate chain from the original key database.
5. Configure the iTP Secure WebServer and set the following:
The newly created key database as the path for the KeyDatabase directive.
The original key database as the path for the ClientCADatabase directive.
Perform the following steps if there are multiple server certificate chains and fewer client
certificate chains:
1. Create a new key database using the keyadmin utility with the initdefaults option. This
creates a certificate database file with all the default root certificates.
2. Add the other client root certificates that are manually added to the original key database to
the new key database.
3. Configure the ClientCADatabase directive with the newly created key database.
4. Continue to use the original key database with the KeyDatabase directive. Do not delete
the client root certificates. The iTP Secure WebServer automatically selects only the server certificate
chain and ignores the other client root certificates from the original key database.
NOTE: HP recommends that you back up the key database file before performing any of these
procedures. You can use this backup to fall back to the older version of iTP Secure WebServer.
Without a backup, you must merge the client and server certificate chains into the same key
database file before falling back to the older iTP Secure WebServer versions.
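The following shell check is an added example, not part of the HP guide or the product: it confirms the end state both procedures above describe (KeyDatabase and ClientCADatabase set to two different, existing files) and that the backup recommended in the NOTE is present. The function names, the file names, and the assumption that each directive appears on its own line as a directive name followed by a literal path are hypothetical.

```shell
#!/bin/sh
# Added example: sanity check after splitting the key database.
# Assumption: each directive is written on its own line as "<Directive> <path>"
# with a literal path (no variables); lines starting with "#" are comments.

# directive_path <config> <directive>: print the path given to the last
# occurrence of the directive, or nothing if the directive is not set.
directive_path() {
    awk -v d="$2" '$1 == d { p = $2 } END { if (p != "") print p }' "$1"
}

# check_keydb_split <config> <backup>: return 0 when both directives are set
# to different existing files and the backup exists; otherwise report each
# problem on stderr and return 1.
check_keydb_split() {
    conf=$1 backup=$2 rc=0
    keydb=$(directive_path "$conf" KeyDatabase)
    cadb=$(directive_path "$conf" ClientCADatabase)
    [ -n "$keydb" ] || { echo "KeyDatabase is not set" >&2; rc=1; }
    [ -n "$cadb" ] || { echo "ClientCADatabase is not set" >&2; rc=1; }
    if [ -n "$keydb" ] && [ "$keydb" = "$cadb" ]; then
        echo "both directives point at $keydb" >&2; rc=1
    fi
    # Every named file, including the pre-change backup, must exist and be non-empty.
    for f in "$keydb" "$cadb" "$backup"; do
        [ -z "$f" ] || [ -s "$f" ] || { echo "missing or empty: $f" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample: a throwaway config and placeholder files, not real databases.
tmp=$(mktemp -d)
for f in server.db clientca.db keydb.bak; do echo placeholder > "$tmp/$f"; done
printf 'KeyDatabase %s\nClientCADatabase %s\n' \
    "$tmp/server.db" "$tmp/clientca.db" > "$tmp/httpd.config"
check_keydb_split "$tmp/httpd.config" "$tmp/keydb.bak" && echo "layout OK"
rm -rf "$tmp"
```

Run it against the real configuration file before starting the iTP Secure WebServer environment; a non-zero exit status means the layout or the backup needs attention first.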
Configuring Support For Certificates with Non-English Characters
iTP Secure WebServer supports security certificates containing non-English characters in the DN.
These certificates can be used with the keyadmin utility just like any other security certificate,
without any extra options. However, you must configure the OSS terminal to support these characters