Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin


Revoking certificate authority personal certificates using wsadmin.sh

We can ask a certificate authority (CA) to revoke CA personal certificates that are no longer used in the configuration. A certificate can be revoked this way only if it was created with the requestCACertificate command: such certificates have an associated reference object in the configuration, and that object is what is used to submit the revocation request to the certificate authority. This topic uses the revokeCACertificate command to submit that request. We must supply the revocation password that was provided when the certificate was created; the certificate authority accepts the revocation only with that same password.


Procedure

  1. Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Determine the CA personal certificate to revoke.

    Use the listPersonalCertificates command to view a list of all personal certificates and associated attributes for a specific keystore, as the following example demonstrates:

    AdminTask.listPersonalCertificates('-keyStoreName CellDefaultKeyStore')
    

The command returns an attribute list for each personal certificate, including CA personal certificates. Only CA personal certificates return the status attribute. We can revoke any CA personal certificate whose status is COMPLETE. Determine which CA personal certificate to revoke.

  3. Revoke a CA personal certificate.

    Use the revokeCACertificate command to revoke the CA personal certificate of interest. We must specify the name of the keystore, certificate alias, and revocation password using the following parameters:


    Required parameters. The revokeCACertificate command requires the following parameters:

    -keyStoreName (String)
        Name of the keystore where the CA personal certificate is stored. The value of this field is not a path to the keystore file.
    -certificateAlias (String)
        Unique name that identifies the CA personal certificate object and the alias name of the certificate in the keystore.
    -revocationPassword (String)
        Password needed to revoke the certificate. This is the same password that was provided when the certificate was created.

    We can specify additional information with the following optional parameters:


    Optional parameters. The revokeCACertificate command also accepts the following optional parameters:

    -keyStoreScope (String)
        Management scope of the keystore. For a dmgr profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. To obtain a list of the keystore scope values, see the listManagementScopes command, which is part of the ManagementScopeCommands command group.
    -revocationReason (String)
        Reason for revoking the certificate of interest. The default value for this parameter is unspecified.

    The following example revokes a CA personal certificate:

    AdminTask.revokeCACertificate('[-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke]')
    

  4. Save the configuration changes.

    Save the configuration changes:

    AdminConfig.save()
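The four steps above, driven from one script, as an added example that is not part of the IBM documentation. It is written in plain Python so it runs under the Jython interpreter that wsadmin embeds as well as under a stand-alone interpreter: inside wsadmin you pass the real AdminTask and AdminConfig objects; offline, the constructed _StandInAdmin class and SAMPLE_LISTING at the bottom stand in for them. The textual shape assumed for the listPersonalCertificates output (one bracketed attribute list per certificate, with a status attribute only on CA personal certificates) is an assumption for the parser, and the keystore name, alias and revocation password are the ones used on this page.

```python
# Added example, not IBM's own code. Revoke every COMPLETE CA personal certificate
# in a keystore for which a revocation password is on file, then save.
import re

# Assumed output shape of AdminTask.listPersonalCertificates (assumption, not
# documented here): "[ [alias a] [status COMPLETE] ][ [alias b] [version 3] ]".
_CERT_BLOCK = re.compile(r'\[\s*((?:\[[^\[\]]*\]\s*)+)\]')
_ATTR = re.compile(r'\[([^\s\[\]]+)\s+([^\[\]]*)\]')


def parse_personal_certificates(listing):
    """Turn the bracketed attribute lists into a list of dicts, one per certificate."""
    certs = []
    for block in _CERT_BLOCK.findall(listing):
        attrs = {}
        for key, value in _ATTR.findall(block):
            attrs[key] = value.strip()
        certs.append(attrs)
    return certs


def completed_ca_aliases(certs):
    """Only CA personal certificates carry 'status'; only COMPLETE ones can be revoked."""
    return [c['alias'] for c in certs
            if c.get('alias') and c.get('status') == 'COMPLETE']


def revoke_ca_certificates(admin_task, admin_config, key_store_name, passwords,
                           reason='unspecified', key_store_scope=None):
    """Revoke the COMPLETE CA personal certificates whose revocation password we hold.

    passwords maps certificate alias -> the password given when the certificate was
    requested. Aliases without a password are reported, never guessed at.
    Returns (revoked_aliases, skipped_aliases)."""
    listing = admin_task.listPersonalCertificates('-keyStoreName %s' % key_store_name)
    revoked, skipped = [], []
    for alias in completed_ca_aliases(parse_personal_certificates(listing)):
        if alias not in passwords:
            skipped.append(alias)
            continue
        params = ('-keyStoreName %s -certificateAlias %s -revocationPassword %s '
                  '-revocationReason %s' % (key_store_name, alias, passwords[alias], reason))
        if key_store_scope:
            params = params + ' -keyStoreScope %s' % key_store_scope
        admin_task.revokeCACertificate('[%s]' % params)
        revoked.append(alias)
    if revoked:
        admin_config.save()   # revocation is only persisted by the save
    return revoked, skipped


class _StandInAdmin:
    """Constructed stand-in for wsadmin's AdminTask/AdminConfig, for offline use only."""
    def __init__(self, listing):
        self.listing = listing
        self.calls = []

    def listPersonalCertificates(self, params):
        return self.listing

    def revokeCACertificate(self, params):
        self.calls.append(params)

    def save(self):
        self.calls.append('save')


# Constructed sample listing: a non-CA default certificate (no status), a
# COMPLETE CA certificate, and a CA request still pending at the CA.
SAMPLE_LISTING = ('[ [alias default] [version 3] [size 2048] ]'
                  '[ [alias myCertificate] [status COMPLETE] ]'
                  '[ [alias pendingCert] [status PENDING] ]')

if __name__ == '__main__':
    # Offline demonstration; inside wsadmin call
    # revoke_ca_certificates(AdminTask, AdminConfig, 'CellDefaultKeyStore', {...}) instead.
    admin = _StandInAdmin(SAMPLE_LISTING)
    result = revoke_ca_certificates(admin, admin, 'CellDefaultKeyStore',
                                    {'myCertificate': 'pw4revoke'})
    print('revoked=%s skipped=%s calls=%s' % (result[0], result[1], admin.calls))
```

The revocation password is passed in as a mapping rather than written into the script, so the file can sit in version control without carrying the secret; values containing spaces would need wsadmin's quoting, which the example does not add.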
    


Configure certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin
Administer certificate authority clients using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Related


CAClientCommands command group
PersonalCertificateCommands command group
ManagementScopeCommands command group
