
Convert certificates

Convert certificates to the selected security standard. All certificates in keystores associated with a Secure Sockets Layer (SSL) configuration are converted.

From the admin console, click...

        Security > SSL certificate and key management > Manage FIPS > Convert certificates.


Algorithm

Signature algorithm used to convert the certificate to the selected security standard.

The following choices are available:

Strict

Select for the strict enforcement of the SP800-131 standard.

Strict enforcement of SP800-131 requirements on WebSphere Application Server includes the following:

  • The use of the TLSv1.2 protocol for the SSL context.
  • Certificates must have a minimum key length of 2048 bits. Elliptical Curve (EC) certificates require a minimum size of 244-bit curves.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:

    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA

  • SP800-131 approved Cipher suites

Suite B with 128 bit keys

This requirement places some tighter restrictions on the SP800-131 specification. 128-bit mode certificates must be signed with SHA256withECDSA.

Suite B with 192 bit keys

192-bit mode certificates must be signed with SHA384withECDSA.

To run in 192-bit mode, the unrestricted policy files must be in place on the JDK.
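
An added example, not part of the original page or of IBM's tooling: a pre-conversion audit that applies the signature algorithm and key size rules listed above to a keystore listing, so non-compliant entries are known before the conversion is run. The `keytool -list -v` field labels, the mode names `suiteb128` and `suiteb192`, the sample listing and all function names are assumptions made for this example.

```python
import re

# Requirements as listed on this page.
STRICT_SIGALGS = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
                  "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}
SUITE_B_SIGALG = {"suiteb128": "SHA256withECDSA", "suiteb192": "SHA384withECDSA"}
MIN_BITS = {"RSA": 2048, "EC": 244}  # EC figure exactly as given on this page

# Constructed sample; assumes the `keytool -list -v` layout of recent JDKs.
SAMPLE = """\
Alias name: default
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: web
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: ecnode
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
"""

def parse_entries(listing):
    """One dict per alias; only the first (leaf) certificate of a chain is kept."""
    entries, cur = [], {}  # cur absorbs any lines that precede the first alias
    for line in listing.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            entries.append(cur := {"alias": value})
        elif key == "Signature algorithm name":
            cur.setdefault("sigalg", value)
        elif key == "Subject Public Key Algorithm" and "bits" not in cur:
            m = re.match(r"(\d+)-bit (\w+)", value)
            if m:
                cur.update(bits=int(m.group(1)), keytype=m.group(2))
    return entries

def problems(entry, mode="strict"):  # reasons the entry fails; [] means it passes
    found = []
    if mode == "strict" and entry.get("sigalg") not in STRICT_SIGALGS:
        found.append("signature algorithm %s not allowed" % entry.get("sigalg"))
    elif mode != "strict" and entry.get("sigalg") != SUITE_B_SIGALG[mode]:
        found.append("must be signed with " + SUITE_B_SIGALG[mode])
    # Unknown or missing key types fall back to the RSA minimum (conservative).
    minimum = MIN_BITS.get(entry.get("keytype"), MIN_BITS["RSA"])
    if entry.get("bits", 0) < minimum:
        found.append("key size %d below %d" % (entry.get("bits", 0), minimum))
    return found

def audit(listing, mode="strict"):
    return {e["alias"]: problems(e, mode) for e in parse_entries(listing)}
```

Calling `audit(listing, "suiteb192")` on real `keytool -list -v` output for each keystore tied to an SSL configuration shows which aliases would need replacing rather than converting.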


New certificate key size

Key size to use when converting the certificates.

The valid values are 512, 1024, 2048, 4096 and 8192. The default is 2048.

Elliptical Curve signature algorithms require specific sizes, so provide a size.


Certificates that cannot be converted

Lists the certificates that are not compliant with the specified security standard and cannot be converted.

If certificates are listed in this box, the server is unable to convert them for you. You must replace these certificates with ones that meet Suite B requirements. Reasons why the server cannot convert the certificates might include:


Related:

  • WAS security standards configurations
  • Configure WAS for the Suite B security standard
  • Configure WAS for SP800-131 standard strict mode
  • Transitioning WAS to the SP800-131 security standard
  • Configure Federal Information Processing Standard Java Secure Socket Extension files
  • FIPSCommands