Convert certificates

Use this page to convert certificates to the selected security standard. All certificates in keystores associated with a Secure Sockets Layer (SSL) configuration are converted.

To view this dmgr console page, click Security > SSL certificate and key management > Manage FIPS > Convert certificates.


Algorithm

Signature algorithm used to convert the certificate to the selected security standard.

The following choices are available:

Strict

Select for the strict enforcement of the SP800-131 standard.

Strict enforcement of SP800-131 requirements on WAS includes the following:

  • The use of the TLSv1.2 protocol for the SSL context.
  • Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificates require a minimum size of 244-bit curves.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:

    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA

  • SP800-131 approved Cipher suites

Suite B with 128 bit keys

This requirement places some tighter restrictions on the SP800-131 specification. 128-bit mode certificates must be signed with SHA256withECDSA.

Suite B with 192 bit keys

192-bit mode certificates must be signed with SHA384withECDSA.

To run in 192-bit mode, the unrestricted policy files must be in place on the JDK.
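
The rules listed above can be checked against a certificate inventory before a conversion is run. The following is an added example, not IBM or WAS code: the record fields (alias, key_alg, key_bits, sig_alg) and the mode labels are assumptions, while the thresholds and signature algorithm names are taken as stated on this page.

```python
# Added example: rule values are copied from this page; the record layout is assumed.
STRICT_SIGALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}
MIN_KEY_BITS = 2048  # "minimum length of 2048"; applied to non-EC keys (assumption)
MIN_EC_BITS = 244    # EC minimum exactly as stated on this page
# Mode labels are hypothetical names for the three choices under "Algorithm".
SUITE_B_SIGALG = {"suiteb128": "SHA256withECDSA", "suiteb192": "SHA384withECDSA"}


def violations(cert, mode="strict"):
    """Return rule violations for one record: key_alg ('RSA'/'EC'), key_bits, sig_alg."""
    if mode != "strict" and mode not in SUITE_B_SIGALG:
        raise ValueError("unknown mode: %s" % mode)
    problems = []
    if cert["sig_alg"] not in STRICT_SIGALGS:
        problems.append("signature algorithm %s not allowed" % cert["sig_alg"])
    floor = MIN_EC_BITS if cert["key_alg"] == "EC" else MIN_KEY_BITS
    if cert["key_bits"] < floor:
        problems.append("key size %d below minimum %d" % (cert["key_bits"], floor))
    # Suite B tightens the strict rules: one required signature algorithm per mode.
    required = SUITE_B_SIGALG.get(mode)
    if required and cert["sig_alg"] != required:
        problems.append("%s requires %s" % (mode, required))
    return problems


def audit(certs, mode="strict"):
    """Map alias -> violations, keeping only non-compliant certificates."""
    report = {}
    for cert in certs:
        found = violations(cert, mode)
        if found:
            report[cert["alias"]] = found
    return report


# Constructed sample inventory (not read from a real keystore).
SAMPLE = [
    {"alias": "default", "key_alg": "RSA", "key_bits": 2048, "sig_alg": "SHA256withRSA"},
    {"alias": "legacy", "key_alg": "RSA", "key_bits": 1024, "sig_alg": "SHA1withRSA"},
    {"alias": "ec256", "key_alg": "EC", "key_bits": 256, "sig_alg": "SHA256withECDSA"},
    {"alias": "ec384", "key_alg": "EC", "key_bits": 384, "sig_alg": "SHA384withECDSA"},
]

if __name__ == "__main__":
    for mode in ("strict", "suiteb128", "suiteb192"):
        print(mode, audit(SAMPLE, mode))
```

The report identifies certificates that do not meet the selected standard; it does not predict which of them the server is able to convert.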


New certificate key size

Key size to use when converting the certificates.

The valid values are 512, 1024, 2048, 4096 and 8192. Default is 2048.

Elliptical Curve signature algorithms require specific sizes, so you must provide a size.


Certificates that cannot be converted

Lists the certificates that are not compliant with the specified security standard and cannot be converted.

If certificates show up listed in this box, the server is unable to convert the certificates for you. Replace these certificates with ones that meet Suite B requirements. Reasons why the server cannot convert the certificates might include:


Related concepts:

WAS security standards configurations


Related


Configure WAS for the Suite B security standard
Configure WAS for SP800-131 standard strict mode
Transitioning WAS to the SP800-131 security standard
Configure Federal Information Processing Standard Java Secure Socket Extension files


Reference:

FIPSCommands command group for AdminTask

