Replace an existing personal certificate
Occasionally, we need to replace an existing personal certificate with a new certificate. This task describes how to replace the existing personal certificate in the keystore. The replace operation searches all keystores for the signer certificate extracted from the original personal certificate, and places the signer of the new personal certificate in its place. It also updates all of the certificate alias references in the security configuration to the new alias.
The current certificate and its replacement must exist in the same keystore before we can replace a certificate.
Alternative Method: To replace a self-signed certificate using the wsadmin tool, use the replaceCertificate command of the AdminTask object. See PersonalCertificateCommands.
Complete the following steps in the administrative console:
Tasks
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore] > Additional Properties > Personal certificates
- Select the certificate to be replaced. The alias list must include the certificate to be replaced and the certificate to replace it with.
- Click Replace.
- Select a replacement certificate alias from the list.
- We can delete one of the following types of certificates:
  - Select Delete old certificate to delete the existing or expired certificate.
  - Select Delete old signers to delete the existing signer certificates.
- Click Apply.
The results depend on the options we selected:
- If we selected Delete old certificate, the new certificate alias replaces all of the references to the certificate alias in the configuration.
- If we selected Delete old signers, the new signer certificate replaces all of the occurrences of the old signer certificates.
- If the new certificate alias replaces the existing alias, the WebSphere Application Server runtime checks to make sure that:
  - All of the SSL Configurations objects reference the certificate.
  - The Dynamic SSL Configuration Selections objects and the SSL Configuration group objects reference the certificate.
- If we selected Delete old signers, the existing signer certificates are replaced.
- If we selected Delete old certificate, the existing certificate is deleted.
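The wsadmin alternative mentioned above, as an added Jython example (not code from the original page or from the product documentation): it checks the precondition that both aliases are in the same keystore, then calls replaceCertificate with the two delete options and saves the configuration. The function names and the sample keystore and alias values are this example's own; it assumes Jython 2.7, aliases without spaces, and that AdminTask.getCertificate raises an error for an alias that is not in the keystore.

```python
# Added example, not the product's own code. Inside wsadmin, pass the built-in
# AdminTask and AdminConfig objects as admin_task and admin_config.

def _flag(value):
    # wsadmin takes the literal strings true / false
    if value:
        return 'true'
    return 'false'

def build_args(keystore, old_alias, new_alias, scope=None,
               delete_old_cert=False, delete_old_signers=False):
    """Build the argument string for AdminTask.replaceCertificate."""
    parts = ['-keyStoreName', keystore]
    if scope:
        parts += ['-keyStoreScope', scope]
    parts += ['-certificateAlias', old_alias,
              '-replacementCertificateAlias', new_alias,
              '-deleteOldCert', _flag(delete_old_cert),
              '-deleteOldSigners', _flag(delete_old_signers)]
    return '[' + ' '.join(parts) + ']'

def replace_personal_cert(admin_task, admin_config, keystore, old_alias,
                          new_alias, scope=None, delete_old_cert=False,
                          delete_old_signers=False):
    if old_alias == new_alias:
        raise ValueError('replacement alias must differ from the current alias')
    # Precondition from the task: both certificates must already be in the
    # same keystore. Assumption: getCertificate raises for a missing alias.
    for alias in (old_alias, new_alias):
        lookup = ['-keyStoreName', keystore]
        if scope:
            lookup += ['-keyStoreScope', scope]
        lookup += ['-certificateAlias', alias]
        admin_task.getCertificate('[' + ' '.join(lookup) + ']')
    args = build_args(keystore, old_alias, new_alias, scope,
                      delete_old_cert, delete_old_signers)
    admin_task.replaceCertificate(args)
    admin_config.save()  # persist the updated alias references
    return args

# In wsadmin (sample values, adjust to the cell):
# replace_personal_cert(AdminTask, AdminConfig, 'NodeDefaultKeyStore',
#                       'default', 'newcert', delete_old_cert=True)
```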
Related
- SSL configurations
- Dynamic outbound selection of Secure Sockets Layer configurations
- Keystore configurations for SSL
- PersonalCertificateCommands