WAS v8.5 > Secure applications > Secure communications

Add a signer certificate to the default signers keystore

Signer certificates are added to a keystore on the client side of an SSL communication to establish trust with the server. There is common practice for keystores to have trust established when they are created. The DmgrDefaultSignersStore on a deployment manager and the NodeDefaultSignersStore on a stand alone application server are created to hold signer certificates used to establish trust by default in newly create keystores.

The default signers key store is created during profile creation and contains the signer certificate of the server default root certificate. Additional signer certificates can be added to the default signers key store at any time. Anytime a keystore is created using the admin console or using the createKeyStore AdminTask object in scripting, all signer certificates from the default signer store are added to the newly created keystore.

Alternative Method:

• To add a signer certificate to a default signer keystore using wsadmin, use the addSignerCertificate command of AdminTask.

• To create a new keystore using wsadmin, use the createKeyStore command of AdminTask.
• To extract the signer from a personal certificate using wsadmin, use the extractCertificate of AdminTask.
• To exchange a signer certificate using wsadmin, use the KeyStoreCommands command group for AdminTask.

For more information, see the SignerCertificateCommands command group for AdminTask article and the KeyStoreCommands command group for AdminTask article.

1. If the certificate is in a certificate file, it can be added to the default signer keystore using the dmgr console.

   1. Click Security > SSL certificate and key management.

   2. Under Related Items, click Key stores and certificates.
   3. c. Select Default signers keystore under KeyStore Usages. A panel displaying a list of keystores appears.

   4. Click on DmgrDefaultSignersStore.

   5. Under Additional Properties, click Signer certificates.

   6. Click Add .

   7. Enter an alias in the alias box, a path to the certificate file in the filename box, and an asterisk (•). Select the format of the certificate file from the pull down list in the “Data type” box.

   8. Click Apply then Save.

   We can also perform this addition using the AdminTask, addSignerCertificate.

2. If the signer certificate form of a personal certificate needs to be added to default signers keystore, we can extract the signer from the personal certificate to a certificate file or the signer can be extracted directly to the default signers keystore. To extract a signer certificate from a personal certificate to a certificate file,

   1. Click Security > SSL certificate and key management.

   2. Under Related Items, click Key stores and certificates.
   3. c. Select All under Keystore Usages. A panel displaying a list of keystores appears.

   4. Click on the keystore name

   5. Under Additional Properties, click Personal certificates.

   6. Select a personal certificate.

   7. Click Extract.

   8. Enter the path to the certificate file in “Certificate file name” box and select a format type from the pull down list in “Data type” box

   9. Click Apply then Save.
   10. The signer can be added to the default signers keystore by following step 1.

   We can also extract the signer from a personal certificate using scripting and the AdminTask extractCertificate.

3. To extract a signer certificate to the default signers keystore, an exchange of the signer certificate can be performed from the dmgr console.

   1. Click Security > SSL certificate and key management

   2. Under Related Items, click Key stores and certificates.
   3. c. Select All under Keystore Usages. A panel displaying a list of keystores appears.

   4. Click on the default signers keystore and the keystore containing the personal certificate whose signer certificate is needed.

   5. Click Exchange Signers.

   6. Select the personal certificate whose signer is needed.

   7. Click Add.

   8. Click Apply then Save.

   We can also perform the exchange using the AdminTask, exchangeSigner.

   A DataPower certificate can be removed from the default signers keystore if it is present. If you are not using the DataPower appliance manager you should remove the DataPower certificate from the default trust store to avoid unintentional trust relationships. However, if you start to use DataPower appliance manager at a later date add the DataPower certificate back to the default trust store.

Results

When these steps are completed, the signer from the certificate file is stored in the default signers keystore. We can see the signer in the keystore files list of signer certificates.

The new keystore will contain the default signers that were added to the default signers keystore.

Reference:

KeyStoreCommands command group for AdminTask
SignerCertificateCommands command group for AdminTask

+

Search Tips   |   Advanced Search