Create certificate authority (CA) personal certificates using wsadmin
Overview
Use this topic to create CA certificates from a certificate authority (CA).
You must configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to the third-party CA server.
Create a CA personal certificate using a CA client.
- Query the configuration for keystores to determine where system stores the new CA certificate.
Use the listKeyStores command to list all keystores for a specific management scope.
To display keystores within a specific management scope, specify the -scopeName parameter, or set the parameter -all o true to display all keystores regardless of scope.
The following example lists all keystores in the configuration:
AdminTask.listKeystores('-all true')The command returns the following sample output:
CellDefaultKeyStore(cells/myCell|security.xml#KeyStore_1)
CellDefaultTrustStore(cells/myCell|security.xml#KeyStore_2)
CellLTPAKeys(cells/myCell|security.xml#KeyStore_3)
NodeDefaultKeyStore(cells/myCell|security.xml#KeyStore_1598745926544)
NodeDefaultTrustStore(cells/myCell|security.xml#KeyStore_1476529854789)Use getKeyStoreInfo and specify the -keyStoreName parameter to return additional information about the keystore of interest...
AdminTask.getKeyStoreInfo('[-keyStoreName CellDefaultKeyStore]')The command returns the following configuration information for the keystore of interest:
[ [location ${CONFIG_ROOT}/cells/myCell/key.p12]
[password *****]
[_Websphere_Config_Data_Id cells/myCell|security.xml#KeyStore_1]
[_Websphere_Config_Da ta_Version ]
[useForAcceleration false]
[slot 0]
[type PKCS12]
[additionalKeySto reAttrs ]
[fileBased true]
[_Websphere_Config_Data_Type KeyStore]
[customProvide rClass ]
[hostList ]
[createStashFileForCMS false]
[description
[Default key sto re for JenbCell01]]
[readOnly false]
[initializeAtStartup false]
[managementScop e (cells/JenbCell01|security.xml#ManagementScope_1)]
[usage SSLKeys]
[provider I BMJCE]
[name CellDefaultKeyStore] ]- Determine which CA client to use.
Use listCAClients to list the CA clients that exist in the configuration. Specify the -scopeName parameter to display CA clients within a specific management scope, or set the -all parameter to true to display all CA clients regardless of scope.
The following example lists all CA clients in the configuration:
AdminTask.listCAClients('-all true')- Create a CA personal certificate.
Use requestCACertificate to create a new CA personal certificate in the environment. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, the requestCAcertificate command stores the certificate in the specified key store and returns a message of COMPLETE.
Use requestCACertificate and the following required parameters to request a certificate from a certificate authority:
Parameter Description Data type -certificateAlias Alias of the certificate. You can specify a predefined certificate request. String -keyStoreName Name of the keystore object that stores the CA certificate. To display a list of available keystores, use listKeyStores
String -caClientName Name of the CA client that was used to create the CA certificate. String -revocationPassword to use to revoke the certificate at a later date. String We can also use the following parameters to specify additional certificate request options. If we do not specify an optional parameter, the command uses the default value.
Parameter Description Data type -keyStoreScope Management scope of the keystore. For a dmgr profile, the default value is the cell scope. For an appserver profile, the default value is the node scope. String -caClientScope Management scope of the CA client. For a dmgr profile, the default value is the cell scope. For an appserver profile, the default value is the node scope. String -certificateCommonName Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For Web sites, the common name is frequently the DNS host name where the server resides. String -certificateSize Size of the certificate key. The valid values are 512, 1024, and 2048. The default value is 1024. String -certificateOrganization Organization portion of the distinguished name. String -certificateOrganizationalUnit Organizational unit portion of the distinguished name. String -certificateLocality Locality portion of the distinguished name. String -certificateState State portion of the distinguished name. String -certificateZip Zip code portion of the distinguished name. String -certificateCountry Country portion of the distinguished name. String
Use the following example command syntax to request a certificate from a certificate authority:
AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -CAClientName myCAClient -revocationPassword revokeCApw')The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request, as the following example displays:
AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore')- Save the configuration changes...
AdminConfig.save()
Results
The default personal certificate for the server is a certificate that is created by an external CA.
Related tasks
Set certificate authority client objects using wsadmin
Set a certificate authority certificate as the default certificate using wsadmin
Related
CAClientCommands
PersonalCertificateCommands