WAS v8.5 > Script the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin

Create certificate authority (CA) personal certificates using wsadmin

Use this topic to create CA certificates from a certificate authority (CA).

You must configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to your third-party CA server.

Use the following information to create a CA personal certificate using a CA client.

  1. Optional: Query your configuration for keystores to determine where system stores the new CA certificate.

    Use the listKeyStores command to list all keystores for a specific management scope. Specify the -scopeName parameter to display keystores within a specific management scope, or set the -all parameter to true to display all keystores regardless of scope. The following example lists all keystores in your configuration:

      AdminTask.listKeystores('-all true')
    The command returns the following sample output:
    CellDefaultKeyStore(cells/myCell|security.xml#KeyStore_1)
    CellDefaultTrustStore(cells/myCell|security.xml#KeyStore_2)
    CellLTPAKeys(cells/myCell|security.xml#KeyStore_3)
    NodeDefaultKeyStore(cells/myCell|security.xml#KeyStore_1598745926544)
    NodeDefaultTrustStore(cells/myCell|security.xml#KeyStore_1476529854789)

    Use the getKeyStoreInfo command and specify the -keyStoreName parameter to return additional information about the keystore of interest, as the following example displays:

      AdminTask.getKeyStoreInfo('[-keyStoreName CellDefaultKeyStore]')
    The command returns the following configuration information for the keystore of interest:
    [ [location ${CONFIG_ROOT}/cells/myCell/key.p12] [password *****] [_Webspher
    e_Config_Data_Id cells/myCell|security.xml#KeyStore_1] [_Websphere_Config_Da
    ta_Version ] [useForAcceleration false] [slot 0] [type PKCS12] [additionalKeySto
    reAttrs ] [fileBased true] [_Websphere_Config_Data_Type KeyStore] [customProvide
    rClass ] [hostList ] [createStashFileForCMS false] [description [Default key sto
    re for JenbCell01]] [readOnly false] [initializeAtStartup false] [managementScop
    e (cells/JenbCell01|security.xml#ManagementScope_1)] [usage SSLKeys] [provider I
    BMJCE] [name CellDefaultKeyStore] ]

  2. Optional: Determine which CA client to use.

    Use the listCAClients command to list the CA clients that exist in your configuration. Specify the -scopeName parameter to display CA clients within a specific management scope, or set the -all parameter to true to display all CA clients regardless of scope. The following example lists all CA clients in your configuration:

      AdminTask.listCAClients('-all true')

  3. Create a CA personal certificate.

    Use the requestCACertificate command to create a new CA personal certificate in the environment. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, the requestCAcertificate command stores the certificate in the specified key store and returns a message of COMPLETE.

    Required parameters. Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:

    Parameter Description Data type
    -certificateAlias Alias of the certificate. We can specify a predefined certificate request. String
    -keyStoreName Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. String
    -caClientName Name of the CA client that was used to create the CA certificate. String
    -revocationPassword Password to use to revoke the certificate at a later date. String

    Additional parameters. We can also use the following parameters to specify additional certificate request options. If we do not specify an optional parameter, the command uses the default value.

    Parameter Description Data type
    -keyStoreScope Specifies the management scope of the keystore. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
    -caClientScope Specifies the management scope of the CA client. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
    -certificateCommonName Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. String
    -certificateSize Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048. String
    -certificateOrganization Organization portion of the distinguished name. String
    -certificateOrganizationalUnit Organizational unit portion of the distinguished name. String
    -certificateLocality Locality portion of the distinguished name. String
    -certificateState State portion of the distinguished name. String
    -certificateZip Specifies the zip code portion of the distinguished name. String
    -certificateCountry Country portion of the distinguished name. String

    Use the following example command syntax to request a certificate from a certificate authority:

    AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore 
    -CAClientName myCAClient -revocationPassword revokeCApw')

    The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request, as the following example displays:

      AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore')

  4. Save your configuration changes.

    Use the following command example to save your configuration changes:


Results

The default personal certificate for the server is a certificate that is created by an external CA.


Related


Configure certificate authority client objects using wsadmin
Set a certificate authority certificate as the default certificate using wsadmin


Reference:

CAClientCommands command group for AdminTask
PersonalCertificateCommands command group for AdminTask


+

Search Tips   |   Advanced Search