Replacing an existing self-signed certificate
You might occasionally need to replace an existing or expired self-signed certificate with a new certificate. Certificates are referenced in the runtime configuration by the SSL Configuration object and the Dynamic SSL Configuration Selection object. You can replace a certificate with a new certificate alias reference or with a new signer certificate. The current certificate and the replacement certificate must exist in the same keystore before you can replace a certificate.
Overview
Complete the following steps in the console:
Procedure
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore].
- Under Additional Properties, click Personal certificates.
- Select a personal certificate. The alias list must include at least two certificates that reside in the keystore.
- Click Replace.
- Select a replacement certificate alias from the list.
- You can delete one of the following types of certificates:
  - Select Delete old certificate to delete the existing certificate.
  - Select Delete old signers to delete the existing signer certificates.
- Click Apply.
Results
Your results depend on what you selected:
- If you selected Delete old certificate, the new certificate alias replaces all of the references to the certificate alias in the configuration.
- If you selected Delete old signers, the new signer certificate replaces all of the occurrences of the old signer certificates.
- If the new certificate alias replaces the existing alias, the WebSphere Application Server runtime checks to make sure that:
  - All of the SSL Configuration objects reference the certificate.
  - The Dynamic SSL Configuration Selection objects and the SSL Configuration group objects reference the certificate.
- If you selected Delete old signers, the existing signer certificates are replaced.
- If you selected Delete old certificate, the existing certificate is deleted.
What to do next
To replace a self-signed certificate by using the wsadmin tool, use the replaceCertificate command of the AdminTask object. For more information, see PersonalCertificateCommands command group for the AdminTask object.
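The console procedure above can be scripted with that command. The following wsadmin Jython script is an added example, not code from the product documentation: it checks that both aliases exist in the same keystore before calling replaceCertificate, then saves the configuration. The keystore name and aliases are constructed placeholders, and the check assumes that getCertificate fails for an alias that is not in the keystore.

```python
# Added example for wsadmin (Jython). Run inside wsadmin, where AdminTask and
# AdminConfig are predefined. Keystore name and aliases are constructed placeholders.

def bracket(pairs):
    """Render [(name, value), ...] as the bracketed string AdminTask expects."""
    return '[' + ' '.join(['-%s %s' % (k, v) for (k, v) in pairs]) + ']'

def alias_exists(admin_task, keystore, alias):
    """Return 1 if the alias is a personal certificate in the keystore, else 0."""
    try:
        admin_task.getCertificate(bracket([('keyStoreName', keystore),
                                           ('certificateAlias', alias)]))
        return 1
    except:
        # Assumption: getCertificate fails for an unknown alias. A bare except
        # is used because wsadmin surfaces Java exceptions through Jython.
        return 0

def replace_certificate(admin_task, admin_config, keystore, old_alias,
                        new_alias, delete_old_cert=1, delete_old_signers=1):
    """Replace old_alias with new_alias after checking the page's precondition."""
    if old_alias == new_alias:
        raise ValueError('replacement alias must differ from the current alias')
    # Both certificates must already exist in the same keystore.
    for alias in (old_alias, new_alias):
        if not alias_exists(admin_task, keystore, alias):
            raise ValueError('alias %s not found in keystore %s' % (alias, keystore))
    args = bracket([
        ('keyStoreName', keystore),
        ('certificateAlias', old_alias),
        ('replacementCertificateAlias', new_alias),
        ('deleteOldCert', delete_old_cert and 'true' or 'false'),
        ('deleteOldSigners', delete_old_signers and 'true' or 'false'),
    ])
    admin_task.replaceCertificate(args)
    admin_config.save()  # persist the change to the master configuration
    return args

# Usage inside wsadmin (placeholder names):
# replace_certificate(AdminTask, AdminConfig, 'ExampleKeyStore', 'oldcert', 'newcert')
```

If the keystore is not in the default scope, the command also accepts a -keyStoreScope parameter, which this example omits.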