Create a self-signed certificate
We can create a self-signed certificate. WAS uses the certificate at runtime during the handshake protocol. Self-signed certificates are located in the default keystore.
Create a keystore before creating a self-signed certificate.
Alternative method: To create a self-signed certificate, use the createSelfSignedCertificate command of the AdminTask object. For more information, see the PersonalCertificateCommands command group for the AdminTask object article.
Avoid trouble: Certificate aliases with embedded quotes can cause issues when the runtime attempts to use them. Do not use embedded quotes in a certificate alias.
Complete the following steps in the console:
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore].
- From Additional Properties, click Personal certificates.
- Click Create a self-signed certificate.
- Type a certificate alias name. The alias identifies the certificate request in the keystore.
- Type a common name (CN) value. This value is the CN value in the certificate distinguished name (DN).
- Type the validity period. The default validity period value is 365 days.
- We can configure one or more of the following optional values:
  - Optional: Select a key size value. The default key size value is 2048 bits.
  - Optional: Type an organization value. This value is the O value in the certificate DN.
  - Optional: Type an organizational unit value. This organizational unit value is the OU value in the certificate DN.
  - Optional: Type a locality value. This locality value is the L value in the certificate DN.
  - Optional: Type a state or province value. This value is the ST value in the certificate DN.
  - Optional: Type a zip code value. This zip code value is the POSTALCODE value in the certificate DN.
  - Optional: Select a country value from the list. This country value is the C= value in the certificate request DN.
- Click Apply.
Results
You have created a self-signed certificate that resides in the keystore. The SSL configuration for the WAS runtime uses this certificate for SSL communication. Extract the signer of the self-signed certificate to add the signer to another keystore.
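The console steps above, scripted with the createSelfSignedCertificate command named in the alternative method. This is an added example, not IBM's code, intended for wsadmin -lang jython (outside wsadmin it only builds the parameter list). The keystore name, alias and DN values are constructed placeholders, and the parameter names follow the PersonalCertificateCommands command group, so check them against the documentation for your release.

```python
# Added example for wsadmin -lang jython; not IBM's code.
# Keystore name, alias and DN values are constructed placeholders.
DEFAULT_VALID_DAYS = 365  # console default validity period
DEFAULT_KEY_SIZE = 2048   # console default key size

# Optional console field -> command parameter (DN component in comment).
OPTIONAL_FIELDS = [
    ("organization", "-certificateOrganization"),               # O
    ("organizational_unit", "-certificateOrganizationalUnit"),  # OU
    ("locality", "-certificateLocality"),                       # L
    ("state", "-certificateState"),                             # ST
    ("zip_code", "-certificateZip"),                            # POSTALCODE
    ("country", "-certificateCountry"),                         # C
]

def build_args(keystore, alias, common_name, valid_days=DEFAULT_VALID_DAYS,
               key_size=DEFAULT_KEY_SIZE, **optional):
    """Return the parameter list for AdminTask.createSelfSignedCertificate."""
    # Embedded quotes in an alias cause trouble at runtime, so refuse them.
    if '"' in alias or "'" in alias:
        raise ValueError("alias must not contain quotes: %r" % alias)
    if not common_name:
        raise ValueError("a common name (CN) is required")
    known = [field for field, param in OPTIONAL_FIELDS]
    for field in optional.keys():
        if field not in known:
            raise ValueError("unknown DN field: %s" % field)
    args = ["-keyStoreName", keystore,
            "-certificateAlias", alias,
            "-certificateCommonName", common_name,
            "-certificateValidDays", str(valid_days),
            "-certificateSize", str(key_size)]
    for field, param in OPTIONAL_FIELDS:
        if optional.get(field):
            args.extend([param, optional[field]])
    return args

def create_certificate(args):
    """Run the command inside wsadmin; return None when AdminTask is absent."""
    try:
        task = AdminTask  # defined only inside wsadmin
    except NameError:
        return None
    result = task.createSelfSignedCertificate(args)
    AdminConfig.save()  # persist the configuration change
    return result

SAMPLE_ARGS = build_args("MyKeyStore", "web-selfsigned", "host.example.com",
                         organization="Example Org", country="US")
print(create_certificate(SAMPLE_ARGS))
```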
Subtopics
- Replace an existing personal certificate
Occasionally, we need to replace an existing personal certificate with a new certificate. This task discusses how to replace the existing personal certificate in the keystore. The replacement searches all keystores for a signer certificate extracted from the original personal certificate, and places the signer of the new personal certificate in its place. It also updates all of the certificate alias references in the security configuration with the new one.
- Create a new SSL certificate to replace an existing one in a node
When using the -asExistingNode option on the addNode command, you might be adding an existing node to a different machine. The default SSL certificate of the node does not contain the name of the machine the node is located on. In most scenarios, the subject DN of the default certificate does not make a difference. However, you might want to change the default certificate of the node to contain the hostname of the node.
- Create new SSL certificates to replace existing ones in a cell
To replace default SSL certificates in an entire cell, create a new self-signed root certificate in the root keystore, DmgrDefaultRootStore, and replace the old root certificate with the new one.
Related concepts
- SSL configurations
- Keystore configurations for SSL
- Default chained certificate configuration in SSL
- PersonalCertificateCommands command group for the AdminTask object