Retrieving signers from a remote SSL port
To perform SSL communication with a server, WebSphere Application Server must retrieve a signer certificate from a secure remote SSL port during the handshake. After the signer certificate is retrieved, you can add the signer certificate to a truststore.
The truststore that is to contain the signer certificate must already exist.
Alternative Method: To retrieve a signer certificate from a port using the wsadmin tool, use the retrieveSignerFromPort command of the AdminTask object. See the article on the SignerCertificateCommands command group for the AdminTask object.
Tasks
- Click Security > SSL certificate and key management > Key stores and certificates > {select a resource} > Signer certificates > Retrieve from port.
- Click Retrieve from port.
- Type the host name of the machine on which the signer resides.
- Type the port location on the host machine on which the signer resides.
The port location is not limited to ports on WAS. The ports can include LDAP ports or ports on any server on which an SSL port is already configured, such as SIB_ENDPOINT_SECURE_ADDRESS.
- Select an SSL configuration for the outbound connection from the list.
- Type an alias name for the certificate.
- Click Retrieve signer information.
A message window displays information about the retrieved signer certificate, such as the serial number, issued-to and issued-by identities, SHA hash, and expiration date. If a chained certificate is on the port, information about the root is displayed.
- Click Apply.
This action indicates that you accept the credentials of the signer.
The signer certificate retrieved from the remote port is stored in the truststore.
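Because clicking Apply accepts the signer's credentials, the SHA hash in the message window should first be compared with a digest computed from a copy of the certificate obtained from the server's owner through a separate channel. The following Python code is an added example, not part of the IBM documentation; it assumes the displayed hash is a SHA-1 or SHA-256 hex digest and that the trusted copy is a PEM file or bundle, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
DIGEST_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}  # assumed digest types


def normalize_digest(text):
    """Reduce 'AB:CD:..', 'ab cd ..' or 'abcd..' to bare lowercase hex."""
    hex_digits = re.sub(r"[\s:]", "", text).lower()
    if (len(hex_digits) not in DIGEST_BY_HEX_LENGTH
            or re.search(r"[^0-9a-f]", hex_digits)):
        raise ValueError("not a SHA-1 or SHA-256 digest: %r" % text)
    return hex_digits


def certs_from_pem(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def find_matching_cert(displayed_digest, trusted_pem):
    """Index of the certificate in trusted_pem whose digest equals the one
    shown in the console, or None if no certificate matches."""
    shown = normalize_digest(displayed_digest)
    algorithm = DIGEST_BY_HEX_LENGTH[len(shown)]
    for index, der in enumerate(certs_from_pem(trusted_pem)):
        actual = hashlib.new(algorithm, der).hexdigest()
        if hmac.compare_digest(actual, shown):
            return index
    return None


if __name__ == "__main__":
    import ssl
    # Constructed stand-in bytes, not a real certificate; in practice read
    # the PEM file supplied by the owner of the remote server.
    signer = b"constructed-signer-bytes"
    pem = ssl.DER_cert_to_PEM_cert(signer)
    shown = hashlib.sha256(signer).hexdigest().upper()
    print("match at index:", find_matching_cert(shown, pem))
```

A result of None means the certificate on the port is not one of the certificates in the trusted copy, and the signer should not be applied until the difference is explained.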
What to do next
An SSL configuration or client process that requires an SSL connection to the server can use the retrieved and approved signer certificate.
Subtopics
- Retrieve from port
Use this page to retrieve a signer certificate from a remote SSL port. The system connects to the specified remote SSL host and port and receives the signer during the handshake using an SSL configuration.
Related:
- SSL configurations
- Dynamic outbound selection of Secure Sockets Layer configurations
- Keystore configurations for SSL
- SignerCertificateCommands