Set a certificate authority certificate as the default certificate using wsadmin


Use this topic to make a request to an external certificate authority (CA) to create a personal certificate. After the CA returns the certificate and it is saved in the keystore, we can use it as the server default personal certificate.

You must configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to the third-party CA server.

After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the appserver to use a default personal certificate created by an external CA.

 

  1. Launch wsadmin using Jython.

  2. Verify that a certificate authority client exists in the configuration. Use the listCAClients command to query the environment for all existing certificate authority clients and their configuration attributes, or the getCAClient command to return the configuration attributes for a specific certificate authority client. If the listCAClients or getCAClient commands do not return any attributes, create a certificate authority client object before completing the remaining steps.

    • List all certificate authority client objects in the configuration. Use the listCAClients command to list all certificate authority clients in the configuration. If we do not provide a value for the -scopeName parameter, then the command queries the cell if we use a deployment manager profile or queries the node if we use an appserver profile. Use the -all parameter to query the environment without using a specific scope:

      print AdminTask.listCAClients('-all true')

      The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1) ] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1) ] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'

    • List the configuration attributes for a specific certificate authority client. Use the getCAClient command to view the list of attributes for a specific certificate authority client, as the following example demonstrates:

      print AdminTask.getCAClient('-caClientName myCAClient')

      The command returns an attribute list that contains the attribute and value pairs for the specific certificate authority client, as the following example demonstrates:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'

  3. If a certificate authority client does not exist in the environment, then configure a CA client object.

  4. View the current default personal certificate. Use the following listPersonalCertificates command to display the current default personal certificate, which is the certificate that will be replaced:

    AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')

  5. Request a certificate from a certificate authority.

    Before the current default personal certificate can be replaced, request a certificate from a certificate authority. We can let the command create a new certificate request, or first create a predefined request with the createCertificateRequest command and refer to it by its alias. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, then the requestCACertificate command stores the certificate in the specified keystore and returns a message of COMPLETE. Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:


    Table 1. Required parameters

    -certificateAlias (String)
        Alias of the certificate. You can specify the alias of a predefined certificate request.
    -keyStoreName (String)
        Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores.
    -caClientName (String)
        Name of the CA client that was used to create the CA certificate.
    -revocationPassword (String)
        Password to use to revoke the certificate at a later date.

    We can also use the following parameters to specify additional certificate request options. If we do not specify an optional parameter, then the command uses the default value.


    Table 2. Optional parameters

    -keyStoreScope (String)
        Management scope of the keystore. For a dmgr profile, the default value is the cell scope. For an appserver profile, the default value is the node scope.
    -caClientScope (String)
        Management scope of the CA client. For a dmgr profile, the default value is the cell scope. For an appserver profile, the default value is the node scope.
    -certificateCommonName (String)
        Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For Web sites, the common name is frequently the DNS host name where the server resides.
    -certificateSize (String)
        Size of the certificate key. The valid values are 512, 1024, and 2048. The default value is 1024.
    -certificateOrganization (String)
        Organization portion of the distinguished name.
    -certificateOrganizationalUnit (String)
        Organizational unit portion of the distinguished name.
    -certificateLocality (String)
        Locality portion of the distinguished name.
    -certificateState (String)
        State portion of the distinguished name.
    -certificateZip (String)
        Zip code portion of the distinguished name.
    -certificateCountry (String)
        Country portion of the distinguished name.

    Use the following example command syntax to request a certificate from a certificate authority:

    AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')

    The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request:

    AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')

  6. Replace the server default personal certificate. Use the following replaceCertificate command example to replace the existing default personal certificate with the newly created CA personal certificate:

    AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias defaultPersonalCertificate -replacementCertificateAlias newCertificate')

  7. Save the configuration changes:

    AdminConfig.save()
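    The procedure above as one wsadmin Jython script, added here as an example; it is not from the IBM documentation or the product. It assumes the names used on this page (myCAClient, newCertificate, CellDefaultKeyStore, defaultPersonalCertificate, the revokeCApw revocation password) and takes AdminTask and AdminConfig as parameters so the helpers can also be exercised outside wsadmin; the attribute-list parser is written against the output format shown in step 2.

```python
import re
import time

# Parse one wsadmin attribute list such as '[ [name myCAClient] [port 2951] [host ] ]'
# into a dict; attributes with no value (for example [host ]) map to ''.
def parse_attribute_list(text):
    attrs = {}
    for key, value in re.findall(r'\[(\w+) ?([^\]]*)\]', text):
        attrs[key] = value.strip()
    return attrs

# listCAClients returns several quoted lists back to back; split them apart first.
def parse_attribute_lists(text):
    return [parse_attribute_list(chunk) for chunk in re.findall(r'\[ (?:\[[^\]]*\] ?)+\]', text)]

def find_ca_client(admin_task, name):
    for client in parse_attribute_lists(admin_task.listCAClients('-all true')):
        if client.get('name') == name:
            return client
    return None

# Steps 2 to 7: returns the final status string; the old default certificate is
# replaced (and the configuration saved) only after the CA reports COMPLETE.
def install_ca_certificate(admin_task, admin_config, ca_client, alias, keystore,
                           revocation_password, old_alias='defaultPersonalCertificate',
                           poll_seconds=30, max_polls=20):
    if find_ca_client(admin_task, ca_client) is None:
        raise ValueError('CA client %s is not configured; create it first' % ca_client)
    status = admin_task.requestCACertificate(
        '-certificateAlias %s -keyStoreName %s -caClientName %s -revocationPassword %s'
        ' -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient'
        % (alias, keystore, ca_client, revocation_password))
    polls = 0
    # A PENDING answer means the CA has not issued yet: poll queryCACertificate, never replace blindly.
    while 'PENDING' in status.upper() and polls < max_polls:
        time.sleep(poll_seconds)
        status = admin_task.queryCACertificate('-certificateAlias %s -keyStoreName %s' % (alias, keystore))
        polls += 1
    if 'COMPLETE' not in status.upper():
        return status  # still pending or an error: the current default certificate stays in place
    admin_task.replaceCertificate(
        '-keyStoreName %s -certificateAlias %s -replacementCertificateAlias %s'
        % (keystore, old_alias, alias))
    admin_config.save()
    return status

# Runs only inside "wsadmin -lang jython -f", where AdminTask and AdminConfig are predefined.
if __name__ == '__main__' and 'AdminTask' in globals():
    print(install_ca_certificate(AdminTask, AdminConfig, 'myCAClient', 'newCertificate',
                                 'CellDefaultKeyStore', 'revokeCApw'))
```

    In practice, keep the revocation password out of the script file (prompt for it or read it from a protected file), since it is passed in the command string.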

 

Results

The default personal certificate for the server is a certificate that is created by an external CA.

 

What to do next

If the CA client object was successfully created, then we can configure the appserver to use a personal certificate created by an external CA.

 

Related tasks


Set certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin

 

Related


CAClientCommands
PersonalCertificateCommands