Update the keystore and Liberty profile configuration to use a certificate chain
We must ensure that the server sends the whole certificate chain to client devices on an SSL handshake.
For the client to validate the certificate path, it must have access to the full certificate chain. To make sure the client receives the full chain (including any intermediate certificates), put every certificate in the chain into the server-side keystore file.
Assuming we have a root CA certificate, one or more intermediate CA certificates, and a server certificate, the whole chain must be sent on the HTTPS connection. Concatenate the certificates into one file in this order: the server certificate first, then the intermediate CA certificates (if any, in the order in which they were signed, each followed by the certificate that issued it), and finally the root CA certificate.
The following example assumes we have a server certificate (SERVER_IDENTITY_CERT_NAME), one intermediate CA certificate (INTERMEDIATE_CA_CERT_NAME), and a root CA (ROOT_CA_CERT_NAME).
- Open a terminal and navigate to a temporary working directory.
- Concatenate the certificates to form the certificate chain.
  - Concatenate the intermediate and the root CA certificates.
    cat INTERMEDIATE_CA_CERT_NAME ROOT_CA_CERT_NAME > INTERMEDIATE_CA_CHAIN_CERT_NAME
  - Add the server certificate to the front of the chain.
    cat SERVER_IDENTITY_CERT_NAME INTERMEDIATE_CA_CHAIN_CERT_NAME > server_chain.crt
- Export the private key and certificate chain into a .p12 keystore. The -passin value is the password that protects the existing private key (server/server_key.pem); the -passout value sets the password of the new .p12 file and must match the keyStore password in server.xml.
  openssl pkcs12 -export -in server_chain.crt -inkey server/server_key.pem -out server/server.p12 -passout pass:passServerP12 -passin pass:passServer
- Update the Liberty profile server.xml file.
  - Enable the SSL feature.
    <featureManager>
        ...
        <feature>ssl-1.0</feature>
        ...
    </featureManager>
  - Create an SSL configuration. The keyStore password must be the value given to -passout above.
    <ssl id="mySSLSettings" keyStoreRef="myKeyStore" />
    <keyStore id="myKeyStore" location="server/server.p12" type="PKCS12" password="passServerP12" />
  - Configure the HTTP endpoint to use this SSL configuration, or set the configuration as the default.
    <sslDefault sslRef="mySSLSettings" />
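The chain-building step above, as an added example that is not from the original page: it concatenates the certificates in the required order, checks that each certificate in the bundle is issued by the one after it (with the root self-signed), and runs openssl verify before the chain is exported into the keystore. The file names and function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page. Builds the server chain in the
# order required above (server, intermediate CA, root CA), confirms that each
# certificate is issued by the next one, and verifies the path with openssl
# before the chain is exported into the .p12 keystore. File names are assumed.

# Subject / issuer of a PEM certificate, with the "subject=" / "issuer=" prefix removed.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Check that a concatenated bundle is ordered leaf -> intermediate(s) -> root:
# each certificate's issuer must be the subject of the one after it, and the
# last certificate must be self-signed (the root CA). Returns 1 otherwise.
check_chain_order() {
    bundle=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    [ "$n" -gt 0 ] || return 1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into cert-1.pem, cert-2.pem, ... in bundle order.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{k++} k{print > (dir "/cert-" k ".pem")}' "$bundle"
    status=0
    i=1
    while [ "$i" -le "$n" ]; do
        cur="$tmp/cert-$i.pem"
        if [ "$i" -lt "$n" ]; then
            [ "$(cert_issuer "$cur")" = "$(cert_subject "$tmp/cert-$((i + 1)).pem")" ] || status=1
        else
            [ "$(cert_issuer "$cur")" = "$(cert_subject "$cur")" ] || status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$status"
}

# Concatenate in the required order (same result as the two cat steps above)
# and verify that the server certificate chains to the root through the
# intermediate. Usage: build_chain SERVER.crt INTERMEDIATE.crt ROOT.crt OUT.crt
build_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null || return 1
    cat "$1" "$2" "$3" > "$4" || return 1
    check_chain_order "$4"
}

# Run directly as: sh build_chain.sh server.crt intermediate.crt root.crt server_chain.crt
if [ "$#" -eq 4 ]; then
    build_chain "$1" "$2" "$3" "$4" && echo "chain OK: $4" || { echo "chain check FAILED" >&2; exit 1; }
fi
```

After the server is running, the same ordering can be confirmed on the wire with `openssl s_client -connect host:port -showcerts`, which prints the certificates exactly as the server sends them.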
What to do next
See Enable SSL communication for the Liberty profile.