
Add the correct SSL Signer certificates to the plug-in keystore

Personal certificates contain a private key and a public key. We can extract the public key, called the signer certificate, to a file, then import the certificate into another keystore. During an SSL connection, the server sends its personal certificate to the client. The client must have the correct signer certificate to match it.

Complete this procedure for each WebSphere Application Server node. If multiple WAS nodes use the exact same personal certificate, add the corresponding signer certificate to the plug-in keystore only once.

  1. Click...

  2. You see a chained certificate.

    The personal certificate is the first one in the chain. The signer certificate is the second one in the chain. Look at the CN in the signer certificate. Also, look at the serial number of the signer certificate. This certificate is the exact signer certificate to use.

  3. Click to return to the Keystores and certificates page.

  4. Click...

      NodeDefaultTrustStore | Signer certificates

  5. Find the signer certificate with the matching CN and serial number from step 6 and check the box next to it. Click Extract.

  6. Enter a temporary path and file name, such as...

      tmp/nodeRootSigner.arm

  7. Click OK.

  8. Click to return to the Manage endpoint security configurations page.

  9. Find the node containing the web server definition.

    We must look inside the node and look inside the servers folder to find the web server. Click the web server name.

  10. Click...

    CMSKeyStore is a link to the plugin-key.kdb file.

  11. Click Signer certificates and then click Add.

  12. Enter an Alias and the path and file name from step 11.

  13. Click OK.

  14. Click Save to save the changes.

  15. Repeat steps 12-18 for each WebSphere Application Server node.

    If multiple WebSphere Application Server nodes use the same personal certificate, then add only the corresponding signer certificate once to the plug-in keystore.

  16. Click...

      Servers | Server Types | Web servers | web server | Plug-in properties | Copy to Web server key store directory

  17. Stop and restart the web server, then test that the connection succeeds.
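
Before adding an extracted signer to the plug-in keystore, it can be checked from a shell against the node's personal certificate. The following is an added example, not part of the original procedure or of the product: it assumes openssl is available, that the signer was extracted as Base64-encoded ASCII (which openssl reads as PEM), that the personal certificate is available as a PEM file, and that the expected serial is given in the hex form openssl prints. All file names, CNs and serial numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example: every file name, CN and serial number here is constructed.

# signer_matches PERSONAL SIGNER EXPECTED_SERIAL_HEX
# Succeeds only if SIGNER carries the expected serial, its subject DN equals
# PERSONAL's issuer DN, and its public key verifies PERSONAL's signature.
signer_matches() {
    personal=$1; signer=$2; expected=$3
    serial=$(openssl x509 -in "$signer" -noout -serial | cut -d= -f2)
    [ "$serial" = "$expected" ] || { echo "serial mismatch: got '$serial'" >&2; return 1; }
    issuer=$(openssl x509 -in "$personal" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$signer" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || { echo "DN mismatch: '$issuer' vs '$subject'" >&2; return 1; }
    # CN and serial are only labels; the signature check is the actual proof.
    openssl verify -CAfile "$signer" "$personal" >/dev/null 2>&1
}

# make_demo_chain DIR: builds throwaway test material in DIR:
#   nodeRootSigner.arm  real signer (serial 6699 = hex 1A2B)
#   lookalike.arm       same CN, different key and serial (6700 = hex 1A2C)
#   personal.pem        personal certificate issued by the real signer
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-node-root" \
        -set_serial 6699 -keyout "$d/root.key" -out "$d/nodeRootSigner.arm" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-node-root" \
        -set_serial 6700 -keyout "$d/other.key" -out "$d/lookalike.arm" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/nodeRootSigner.arm" -CAkey "$d/root.key" \
        -set_serial 119 -days 1 -out "$d/personal.pem" 2>/dev/null
}

# Demo run: the real signer passes, a same-CN look-alike does not.
d=$(mktemp -d) && make_demo_chain "$d"
signer_matches "$d/personal.pem" "$d/nodeRootSigner.arm" 1A2B && echo "signer verified"
signer_matches "$d/personal.pem" "$d/lookalike.arm" 1A2C 2>/dev/null || echo "look-alike signer rejected"
rm -rf "$d"
```

The look-alike case shows why the CN alone is not enough: two signers can share a CN, and only the serial number and the signature check tell them apart.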


Results

The signer portion of the personal certificate is stored in the file provided.


What to do next

The signer can now be imported into other keystores.


Related concepts

SSL configurations
  • Dynamic outbound selection of SSL configurations
  • Keystore configurations for SSL
  • PersonalCertificateCommands (AdminTask)