Certificate options during profile creation

Two panels are available during profile creation that allow us to make decisions about the default certificate and root certificate of the server.

The first panel, titled Security Certificate (Part 1), allows us to choose to import a certificate or to have WAS create the default certificate or the default root certificate of the server.

The second panel, titled Security Certificate (Part 2), either displays the information from the certificate imported from the previous panel, or, if we choose to have WAS create the certificate, enables us to change the subjectDN and the certificate validity period.

Customization of certificates can also be performed using the manageprofiles command and from a silent install response file.


Import the default certificate of the server during profile creation

If the default certificate of the server is imported during profile creation, it is added to NodeDefaultKeyStore if on a stand-alone application server, or to CellDefaultKeyStore if on a deployment manager. The imported certificate signer is added to NodeDefaultTrustStore or CellDefaultTrustStore.

To import the default certificate of the server, we must have a personal certificate stored in a keystore that we have access to. We must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:

  1. Select Import an existing default personal certificate.

  2. Type or select the keystore file name.

  3. Enter the password of the keystore.

  4. Select a keystore type from the pull-down list.

  5. If we have correctly filled in all information from the previous 3 steps, we are able to select a certificate alias from the pull-down list.

The certificate we choose is imported to the default keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.

If we use the manageprofiles command to import the default certificate, the options are:

  -importPersonalCertKS keystore_path
      keystore file location
  -importPersonalCertKSType keystore_type
      type of the keystore
  -importPersonalCertKSPassword keystore_password
      password to open the keystore
  -importPersonalCertKSAlias keystore_alias
      alias of the certificate used from the keystore


Import the root certificate of the server during profile creation

If the server root certificate is imported during profile creation, the certificate is added to NodeDefaultRootStore on a stand-alone application server or to DmgrDefaultRootStore on a deployment manager. The signer is pulled from the imported root certificate and added to NodeDefaultTrustStore or CellDefaultTrustStore. The root certificate is used by WAS to sign any chained certificates it creates. If no default certificate is provided during profile creation, WAS uses the root certificate to sign the default certificate of the server.

To import the root certificate of the server, we must have a personal certificate stored in a keystore that we have access to. We must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:

  1. Select Import an existing root signing certificate.

  2. Type or select the keystore file name.

  3. Enter the password of the keystore.

  4. Select a keystore type from the pull-down list.

  5. If we have correctly filled in all information from the previous 3 steps, we are able to select a certificate alias from the pull-down list.

The certificate we choose is imported to the root keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.

If we use the manageprofiles command to import the root certificate, the options are:

  -importSigningCertKS keystore_path
      keystore file location
  -importSigningCertKSType keystore_type
      type of the keystore
  -importSigningCertKSPassword keystore_password
      password to open the keystore
  -importSigningCertKSAlias keystore_alias
      alias of the certificate used from the keystore
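
The import options from the two sections above can also be supplied through a response file passed with manageprofiles -response, which keeps the keystore passwords out of the process argument list. The script below is an added example, not IBM's own; the profile name, install path, PKCS12 keystore type, aliases and the two environment variable names are assumptions.

```shell
#!/bin/sh
# Added example: write a manageprofiles response file that imports an existing
# default personal certificate and an existing root signing certificate.
# Assumed values: profile name AppSrv01, install root /opt/IBM/WebSphere/AppServer,
# keystore type PKCS12, and the PERSONAL_KS_PW / SIGNING_KS_PW variable names.

# write_cert_response OUT_FILE PERSONAL_KS PERSONAL_ALIAS SIGNING_KS SIGNING_ALIAS
write_cert_response() {
    out=$1 pks=$2 palias=$3 sks=$4 salias=$5
    # Fail early if a keystore cannot be read or a password is not set.
    for f in "$pks" "$sks"; do
        [ -r "$f" ] || { echo "keystore not readable: $f" >&2; return 1; }
    done
    if [ -z "${PERSONAL_KS_PW:-}" ] || [ -z "${SIGNING_KS_PW:-}" ]; then
        echo "set PERSONAL_KS_PW and SIGNING_KS_PW in the environment" >&2
        return 1
    fi
    # umask 077 creates the file owner-only before any secret is written;
    # set -C (noclobber) refuses to reuse an existing file with looser modes.
    ( umask 077
      set -C
      cat > "$out" <<EOF
create
profileName=AppSrv01
templatePath=/opt/IBM/WebSphere/AppServer/profileTemplates/default
importPersonalCertKS=$pks
importPersonalCertKSType=PKCS12
importPersonalCertKSPassword=$PERSONAL_KS_PW
importPersonalCertKSAlias=$palias
importSigningCertKS=$sks
importSigningCertKSType=PKCS12
importSigningCertKSPassword=$SIGNING_KS_PW
importSigningCertKSAlias=$salias
EOF
    ) || return 1
}

# Usage (paths are placeholders):
#   write_cert_response /secure/tmp/resp.txt /keys/server.p12 default /keys/root.p12 root
#   manageprofiles.sh -response /secure/tmp/resp.txt && rm -f /secure/tmp/resp.txt
```

Remove the response file once the profile has been created, since it holds both keystore passwords in clear text.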


Customize the default certificate created by WAS

If we choose to let WAS create the default certificate of the server, we can customize the subject distinguished name (DN) and the life span of the certificate.

To customize the default certificate of the server on the Security Certificate (Part 1) panel, do the following:

  1. Select Create a new default personal certificate.

  2. On the next panel, Security Certificate (Part 2), the Issued to distinguished name field contains the WAS default DN. Replace this with our customized DN.

  3. In Expiration period in years, select the number of years we want the certificate to be valid for.

If we use the manageprofiles command to customize the default certificate, the options are:

  -personalCertDN distinguished_name
      the DN to give to the certificate
  -personalCertValidityPeriod validity_period
      the life span to give to the certificate


Customize the root certificate created by WAS

If we choose to let WAS create the root certificate, we can customize the DN of the certificate and the life span of the certificate.

To customize the root certificate of the server on the Security Certificate (Part 1) panel, do the following:

  1. Select Create a new root signing certificate.

  2. On the next panel, Security Certificate (Part 2), the Issued by distinguished name field contains the WAS default root certificate DN. Replace this with our customized DN.

  3. In Expiration period in years, select the number of years we want the root certificate to be valid for.

If we use the manageprofiles command to customize the root certificate, the options are:

  -signingCertDN distinguished_name
      DN to give to the root certificate
  -signingCertValidityPeriod validity_period
      life span to give to the root certificate