Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure communications > Create a self-signed certificate
Create new SSL certificates to replace existing ones in a cell
To replace default SSL certificates in an entire cell, create a new self-signed root certificate in the root keystore, DmgrDefaultRootStore, and replace the old root certificate with the new one.
For the default certificate of the cell in CellDefaultKeyStore and the default certificate of each node in NodeDefaultKeyStore, create a new chained certificate and replace the old default certificate with the new certificate.
The root certificate is created by default on WAS, and has a subjectDN in the form cn= <hostname>, ou=Root Certificate, ou= <cell name>, ou= <node name>, o=ibm, c=us. When you create a new root certificate you can also customize the subject DN.
To create a new SSL root certificate in the admin console:
Procedure
- Click Security > SSL certificate and key management > Key stores and certificates.
- Under the Keystore usages pull-down, select Root certificate keystore.
- Select the DmgrDefaultRootStore in the keystore collection.
- Under Additional Properties, select Personal certificates.
- Under the Create pull-down, select Self-signed Certificate.
- Enter a certificate and alias name. This can be any name you choose as long as the alias does not already exist. It is just a label to identify the certificate in the keystore.
- Enter a common name. This is typically the hostname the node is running on.
- Optional: Fill in any of the other Subject DN related fields. If you want the subject DN to look like the default subjectDN on WAS, then enter:
- IBM in the Organization field.
- <cell name>,ou= <node name> in the Organization unit field.
- Under the Country or region pull-down, select US.
- We can use the defaults for Root certificate used to sign the certificate, Key Size, and Validity Period or supply your own values.
- Click Apply.
We can also create a self-signed certificate using the createSelfSignedCertificate command. Read PersonalCertificateCommands command group for more information.
We must now replace the old root certificate with the one you just created. The replace certificate option not only replaces the old default certificate with a new one but also replaces any occurrences of the signer of the old certificate with the signer of the new certificate. The configuration is also checked for references to the alias name of the old certificate and replaces it with the alias name of the new certificate.
To replace the old certificate with the new one, complete the remaining steps.
- Click Security > SSL certificate and key management > Key stores and certificates.
- Select the CellDefaultKeyStore of the node to change.
- Under Additional Properties, select Personal certificates.
- Select the default certificate of the node, usually called default.
- Click Replace.
- Select the certificate alias name for the new certificate you just created from the Replace with pull-down.
- Click Delete old Certificate after replacement.
- Click Apply.
What to do next
We can also replace default certificates in a node. Read Creating a new SSL certificate to replace an existing one in a node for more information
Create a new SSL certificate to replace an existing one in a node
Related
PersonalCertificateCommands command group