Add certificates to the WebSphere trust store 

Import a self-signed IBM HTTP Server certificate into the default trust store of IBM WAS.

Before you begin

Before you complete this procedure, ensure that IBM HTTP Server is configured to support SSL. For more information, see the Configure IBM HTTP Server for SSL topic.
This topic describes the procedure to configure certificates in a deployment with one webserver.

About this task

To establish trusted server-to-server communication for IBM Connections, import signer certificates from IBM HTTP Server into the WAS default trust store.

There are different types of certificates that you can use. This procedure describes how to import a self-signed certificate. You can also import a certificate that you purchased from a third-party Certificate Authority. To help decide a key file strategy for your environment, go to the IBM HTTP Server information center.

To import a public certificate from IBM HTTP Server to the default trust store in IBM WAS:


  1. Log into the IBM WAS admin console and select Security -> SSL Certificate and key management -> Key stores and certificates.

  2. Click CellDefaultTrustStore.

  3. Click Signer Certificates.

  4. Click Retrieve from port.

  5. Enter the Host name, SSL Port, and Alias of the webserver.

  6. Click Retrieve Signer Information and then click OK. The root certificate is added to the list of signer certificates.
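Retrieve from port accepts whatever certificate the web server port presents at that moment, so compare its fingerprint with one read on the IBM HTTP Server host itself before you click OK. The script below is an added example, not part of the original IBM procedure; the script name, and the host, port and expected fingerprint passed on the command line, are assumptions, and the sample certificate bytes are constructed.

```python
"""Compare the certificate a web server presents with a fingerprint obtained out of band."""
import hashlib
import hmac
import ssl
import sys

# Constructed stand-in for certificate bytes, used only for an offline self-check.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(pem_cert, algorithm="sha256"):
    """Digest of the certificate's DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp):
    """Drop separators and case so differently formatted fingerprints compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().upper()


def matches_expected(pem_cert, expected_fp, algorithm="sha256"):
    """True only if the certificate's digest equals the expected fingerprint."""
    actual = normalize(fingerprint(pem_cert, algorithm))
    return hmac.compare_digest(actual, normalize(expected_fp))


def fetch_presented_cert(host, port):
    """Fetch the presented certificate without validating it: the self-signed
    certificate is not trusted yet, so the fingerprint check is the trust decision."""
    return ssl.get_server_certificate((host, int(port)))


if __name__ == "__main__":
    # Hypothetical script name; the arguments come from your own deployment.
    if len(sys.argv) != 4:
        sys.exit("usage: check_signer.py HOST SSL_PORT EXPECTED_SHA256_FINGERPRINT")
    host, port, expected = sys.argv[1:4]
    pem = fetch_presented_cert(host, port)
    print("Presented:", fingerprint(pem))
    if not matches_expected(pem, expected):
        sys.exit("MISMATCH: do not add this signer to CellDefaultTrustStore")
    print("Match: continue with Retrieve Signer Information")
```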


If your configuration changes aren't successful, ensure that you have applied the instructions to configure a default personal certificate.

What to do next

Verify that users can create a private community and add other widgets, such as Activities, Blogs, Dogear, and so on, to it. Ensure that there are no errors when these widgets are added. If problems are reported, consult the Communities SystemOut.log file.

The proxy-config.tpl file allows a proxy to work with self-signed certificates. This is the behavior of an out-of-the-box deployment, but for improved security, set the value of the unsigned_ssl_certificate_support property to false when your deployment is ready for production. Ensure that you are ready to renew your certificate before it expires. WAS provides a utility for monitoring certificates. For more information, go to the Configure certificate expiration monitoring topic in the WAS information center.


October 5, 2011 6:33:53 AM


Oct 5, 2011 6:33:53 AM Added note about monitoring certificate expiration.

Submitted by Matthew Milza on Jun 28, 2011 1:42:21 PM

Re: Adding certificates to the WebSphere trust store: ic301

Correction of above comment: you need to extract the WAS root certificate and add it to the HTTP Server plugin key database.

Submitted by Matthew Milza on Jun 28, 2011 1:40:42 PM

Re: Adding certificates to the WebSphere trust store: ic301

Please update the documentation with a step to exchange signer certificates between the HTTP server and the WAS Server. Also need to copy the pluginkey.kdb from the WAS DMGR01 profile to the HTTP Server webserver1 config directory. Then restart HTTP server and it works well. This is documented in technote