Set certificate authority client objects using the wsadmin tool
Use this topic to create a certificate authority (CA) client object. The client object contains all of the configuration information necessary to connect to the third-party CA server. A CA client must exist in the configuration before we can issue a request to the CA to create personal certificates with the requestCACertificate command.
A CA client object contains information that the system uses to connect to a certificate authority. Implement the com.ibm.ws.WSPKIClient interface to connect to the certificate authority and provide the com.ibm.ws.WSPKIClient class when creating the CA client object.
If a CA client does not exist in the configuration, use the steps in this topic to create a new CA client.
- Launch wsadmin using Jython.
- Determine if a CA client exists in the configuration.
Use the following listCAClients command to list all certificate authority clients in the configuration:print AdminTask.listCAClients()
- If no CA clients exist, then create a new CA client.
Use the createCAClient command to create a new CA client object. The appserver connects to a CA server through the WSPKIClient() implementation, which handles all connections and communications with the CA server. Specify the following configuration information for a new CA client object:
Table 1. Required parameter
Parameter Description Data Type -CAClientName Specify a name to uniquely identify the CA client object. String
We can specify additional configuration information using the following parameters:
Table 2. Additional parameters
Parameter Description Data Type -scopeName Specify the management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default value. For an appserver profile, the system uses the node scope as the default value. String -pkiClientImplClass Specify the class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. The default value is com.ibm.wsspi.ssl.WSPKIClient. String -host Specify the host name in the system where the CA resides. String -port Specify the port on the server where the CA listens. String -userName Specify the user name to use to authenticate to the CA. String -password Specify the password for the user name that authenticates to the CA. String -frequencyCheck Specify how often, in minutes, the system checks with the CA to determine if a certificate has been created. String -retryCheck Specify the number of times to check with the CA to determine if a certificate has been created. String -customProperties comma separated list of attribute and value (attribute=value) custom property pairs to add to the CA client object. String
Use the following example command to create a new CA client object:AdminTask.createCAClient('[-caClientName clientObj01 -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient -host machine011 -port 9022 -userName admin -password pw4admin]')
The command returns the object name of the CA client that has been created.
- Save the configuration changes...AdminConfig.save()
What to do next
If the CA client object was successfully created, then we can configure the appserver to use a personal certificate created by an external CA.
Set a certificate authority certificate as the default certificate using wsadmin