Set a certificate authority certificate as the default certificate
Use this topic to make a request to an external certificate authority (CA) to create a personal certificate. After the CA returns the certificate and the certificate is saved in the keystore, then we can use it as the server default personal certificate.
Configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to your third-party CA server.
After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the application server to use a default personal certificate created by an external CA.
Tasks
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Verify that a certificate authority client exists in the configuration. Use the listCAClients command to query the environment for all existing certificate authority clients and configuration attributes, or the getCAClient command to return the configuration attributes for a specific certificate authority client. If the listCAClients or getCAClient commands do not return any attributes, then create a certificate authority client object before we can complete the remaining steps.
- List all certificate authority client objects in the configuration.
Use the listCAClients command to list all certificate authority clients in the configuration. If we do not provide a value for the -scopeName parameter, then the command queries the cell if we use a deployment manager profile or queries the node if we use an application server profile. Use the -all parameter to query the environment without using a specific scope:
print AdminTask.listCAClients('-all true')
The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1) ] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1) ] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
- List the configuration attributes for a specific certificate authority client.
Use the getCAClient command to view the list of attributes for a specific certificate authority client:
print AdminTask.getCAClient('-caClientName myCAClient')
The command returns an attribute list containing the attribute and value pairs for the specific certificate authority client:
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
- Optional: If a certificate authority client does not exist in the environment, then configure a CA client object.
- Optional: View the current default personal certificate.
Use the following listPersonalCertificates command to display the current default personal certificate that is to be replaced:
AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')
- Request a certificate from a certificate authority.
Before the current default personal certificate can be replaced, we must request a certificate from a certificate authority. We can create a new certificate request, or use the createCertificateRequest command to use a predefined certificate request. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, then the requestCACertificate command stores the certificate in the specified keystore and returns a message of COMPLETE.

| Parameter | Description | Data type |
| --- | --- | --- |
| -certificateAlias | Alias of the certificate. We can specify a predefined certificate request. | String |
| -keyStoreName | Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. | String |
| -caClientName | Name of the CA client used to create the CA certificate. | String |
| -revocationPassword | Password to use to revoke the certificate at a later date. | String |

| Parameter | Description | Data type |
| --- | --- | --- |
| -keyStoreScope | Scope of the keystore. If we use a deployment manager profile, the default value is the cell scope; if we use an application server profile, the default value is the node scope. | String |
| -caClientScope | Scope of the CA client. If we use a deployment manager profile, the default value is the cell scope; if we use an application server profile, the default value is the node scope. | String |
| -certificateCommonName | Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. | String |
| -certificateSize | Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default is 2048. | String |
| -certificateOrganization | Organization portion of the distinguished name. | String |
| -certificateOrganizationalUnit | Organizational unit portion of the distinguished name. | String |
| -certificateLocality | Locality portion of the distinguished name. | String |
| -certificateState | State portion of the distinguished name. | String |
| -certificateZip | Zip code portion of the distinguished name. | String |
| -certificateCountry | Country portion of the distinguished name. | String |

Use the following example command syntax to request a certificate from a certificate authority:
AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
The command returns one of two values: Certificate COMPLETE or Certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the Certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request:
AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
- Replace the server default personal certificate.
Use the following replaceCertificate command example to replace the existing default personal certificate with the newly created CA personal certificate:
AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias defaultPersonalCertificate -replacementCertificateAlias newCertificate')
- Save the configuration changes.
AdminConfig.save()
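The steps above combined into one wsadmin Jython function, as an added example that is not part of the IBM page: it checks that the CA client exists, requests the certificate, polls once on PENDING, and only replaces the default certificate and saves after the CA reports COMPLETE. Under wsadmin, pass the real AdminTask and AdminConfig objects; the FakeAdmin class and its replies are constructed for offline use and are not the WebSphere API.

```python
# Added example (not from the IBM page). Under wsadmin pass the real AdminTask and
# AdminConfig; offline, the constructed FakeAdmin below replays the page's outputs.
import re

def parse_attr_list(text):
    """Parse one wsadmin attribute list such as "'[ [name myCAClient] [port 2951] ]'"."""
    return dict([(k, v.strip()) for k, v in re.findall(r'\[(\S+) ?([^\]]*)\]', text)])

def parse_ca_clients(output):
    """Map CA client name -> attributes; listCAClients prints one quoted list per client."""
    clients = [parse_attr_list(m) for m in re.findall(r"'(\[.*?\])'", output)]
    return dict([(c['name'], c) for c in clients])

def install_ca_certificate(admin_task, admin_config, ca_client, key_store,
                           old_alias, new_alias, revocation_pw):
    """Request a certificate from the CA and, once COMPLETE, make it the server default."""
    clients = parse_ca_clients(admin_task.listCAClients('-all true'))
    if ca_client not in clients:  # the same precondition the page checks with listCAClients
        raise ValueError('CA client %s is not configured; create it first' % ca_client)
    impl = clients[ca_client]['pkiClientImplClass']
    status = admin_task.requestCACertificate(
        '-certificateAlias %s -keyStoreName %s -caClientName %s '
        '-revocationPassword %s -pkiClientImplClass %s'
        % (new_alias, key_store, ca_client, revocation_pw, impl))
    if 'COMPLETE' not in status.upper():  # CA answered PENDING: poll the request once
        status = admin_task.queryCACertificate(
            '-certificateAlias %s -keyStoreName %s -pkiClientImplClass %s'
            % (new_alias, key_store, impl))
    if 'COMPLETE' not in status.upper():
        return 'PENDING'  # nothing replaced yet; run again later to poll and finish
    admin_task.replaceCertificate(
        '-keyStoreName %s -certificateAlias %s -replacementCertificateAlias %s'
        % (key_store, old_alias, new_alias))
    admin_config.save()  # under wsadmin this is AdminConfig.save(), not AdminTask
    return 'COMPLETE'

class FakeAdmin:
    """Constructed stand-in for AdminTask/AdminConfig, not the WebSphere API."""
    replies = {
        'requestCACertificate': 'Certificate PENDING',
        'queryCACertificate': 'Certificate COMPLETE',
        'listCAClients': "'[ [name jenCAClient] [port 2950] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] ]' "
                         "'[ [name myCAClient] [port 2951] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] ]'"}
    def __init__(self):
        self.calls = []  # records the order of AdminTask/AdminConfig calls made
    def __getattr__(self, name):
        def call(*args):
            self.calls.append(name)
            return self.replies.get(name, '')
        return call
```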
The server default personal certificate is now the certificate created by the external CA.
What to do next
If the CA client object was successfully created, then we can configure the application server to use a personal certificate created by an external CA.
Related information:
- Configure certificate authority client objects
- Create certificate authority (CA) personal certificates
- Start the wsadmin scripting client
- CAClientCommands
- PersonalCertificateCommands