Revoking certificate authority personal certificates using wsadmin

We can revoke certificate authority (CA) personal certificates on a certificate authority. Revoke personal certificates that are no longer being used in your configuration.

Before we can request that the certificate authority revoke a certificate, the personal certificate must have been created with the requestCACertificate command. Certificates created with the requestCACertificate command have an associated reference object in the configuration, which is used to submit the certificate revocation request to the certificate authority.

This topic uses the revokeCACertificate command to submit a request to revoke a certificate on the certificate authority. We can only revoke a certificate that was created with the requestCACertificate command. Specify the revocation password that was provided when the certificate was created. Use the same password to revoke the certificate on the certificate authority.

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Determine the CA personal certificate to revoke.

    Use the listPersonalCertificates command to view a list of all personal certificates and associated attributes for a specific keystore, as the following example demonstrates:

      AdminTask.listPersonalCertificates('-keyStoreName CellDefaultKeyStore')

    The command returns an attribute list for each personal certificate, including CA personal certificates. CA personal certificates only return the status attribute. We can revoke each CA personal certificate that returns a COMPLETE status. Determine which CA personal certificate to revoke.

  3. Revoke a CA personal certificate.

    Use the revokeCACertificate command to revoke the CA personal certificate of interest. Specify the name of the keystore, certificate alias, and revocation password using the following parameters:

    Required parameters. This table describes the revokeCACertificate command and its required parameters:

    | Parameter | Description | Data Type |
    |---|---|---|
    | -keyStoreName | Name of the keystore where the CA personal certificate is stored. The value of this field is not a path to the keystore file. | String |
    | -certificateAlias | Unique name that identifies the CA personal certificate object and the alias name of the certificate in the keystore. | String |
    | -revocationPassword | Password needed to revoke the certificate. This is the same password that was provided when the certificate was created. | String |

    We can specify additional information with the following optional parameters:

    Optional parameters. This table describes the revokeCACertificate command and its additional optional parameters:

    | Parameter | Description | Data Type |
    |---|---|---|
    | -keyStoreScope | Specifies the management scope of the keystore. For a deployment manager profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. To obtain a list of the keystore scope values, see the listManagementScopes command, which is part of the ManagementScopeCommands command group. | String |
    | -revocationReason | Specifies the reason for revoking the certificate of interest. The default value for this parameter is unspecified. | String |

    The following example revokes a CA personal certificate:

      AdminTask.revokeCACertificate('[-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke]')

  4. Save your configuration changes.

    Use the AdminConfig.save() command to save your configuration changes.
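
Steps 3 and 4 combined into one Jython helper, as an added example that is not IBM's code: it validates the parameters listed in the tables above, keeps the revocation password out of the log line, and saves only when the revoke call succeeds. The function names and the `log` callback are hypothetical, and the arguments are passed in the Jython list form of AdminTask parameters rather than the string form shown in step 3.

```python
# Added example, not IBM's code. Inside "wsadmin -lang jython" the AdminTask and
# AdminConfig objects are predefined; they are passed in so stand-ins can be used.
REQUIRED = ('keyStoreName', 'certificateAlias', 'revocationPassword')
OPTIONAL = ('keyStoreScope', 'revocationReason')
MASK = '********'

def build_revoke_args(params):
    """Return the Jython list form of the revokeCACertificate arguments."""
    for name in params.keys():
        if name not in REQUIRED and name not in OPTIONAL:
            raise ValueError('unknown parameter -' + name)
    for name in REQUIRED:
        if not params.get(name):
            raise ValueError('missing required parameter -' + name)
    args = []
    for name in REQUIRED + OPTIONAL:
        if params.get(name):
            args.extend(['-' + name, params[name]])
    return args

def redact(args):
    """Copy of args that is safe to log: the revocation password is masked."""
    safe = list(args)
    # Arguments alternate flag, value; only inspect the flag positions.
    for i in range(0, len(safe) - 1, 2):
        if safe[i] == '-revocationPassword':
            safe[i + 1] = MASK
    return safe

def revoke_and_save(admin_task, admin_config, params, log):
    """Steps 3 and 4: revoke one CA personal certificate, then save."""
    args = build_revoke_args(params)
    log('revokeCACertificate ' + ' '.join(redact(args)))
    # An exception from the revoke call propagates, so nothing is saved.
    admin_task.revokeCACertificate(args)
    admin_config.save()
    return redact(args)
```

In wsadmin, call `revoke_and_save(AdminTask, AdminConfig, params, log)` with `params` as a dictionary keyed by the parameter names without the leading dash. Supply the revocation password at run time rather than storing it in the script file.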


Related


Configure certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin
Administer certificate authority clients using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Reference:

CAClientCommands command group for AdminTask
PersonalCertificateCommands command group for AdminTask
ManagementScopeCommands command group for AdminTask

