Create a certificate authority request
To ensure SSL communication, servers require a personal certificate that is either self-signed, chained or signed by an external certificate authority (CA). We must first create a personal certificate request to obtain a certificate that is signed by a CA.
The keystore containing a personal certificate request must already exist.
Alternative method: To create a certificate request with the wsadmin tool, use the createCertificateRequest command of the AdminTask object. See the article on the CertificateRequestCommands command group of the AdminTask object.
Before using WebSphere Application Server (WAS) to create a CA request, make sure that we know the requirements of the CA we are using. When the WAS SSL CA certificate request process is initiated from the administrative console, the Organization property is not marked as a required setting. However, some CAs, such as VeriSign, require the Organization property when we request a certificate from them.
Tasks
- Click Security > SSL certificate and key management > Key stores and certificates > keystore.
- Click Personal certificate requests > New.
- Type the full path of the certificate request file. The certificate request is created in this location.
- Type an alias name in the Key label field. The alias identifies the certificate request in the keystore.
- Type a common name (CN) value. This value is the CN value in the certificate distinguished name (DN).
- We can configure one or more of the following optional values:
  - Optional: Select a key size value. The valid key size values are 512, 1024, 2048, 4096, and 8192. The default key size value is 2048 bits.
  - Optional: Type an organization value. This value is the O value in the certificate DN.
  - Optional: Type an organizational unit value. This organizational unit value is the OU value in the certificate DN.
  - Optional: Type a locality value. This locality value is the L value in the certificate DN.
  - Optional: Type a state or province value. This value is the ST value in the certificate DN.
  - Optional: Type a zip code value. The zip code value is the POSTALCODE value in the certificate DN.
  - Optional: Select a country value from the list. This country value is the C value in the certificate request DN.
- Click Apply.
The certificate request is created in the specified file location in the keystore. The request functions as a temporary placeholder for the signed certificate until we manually receive the certificate in the keystore.
Keystore tools (such as iKeyman and keyTool) cannot receive signed certificates generated by certificate requests from WAS. Similarly, WAS cannot accept certificates generated by certificate requests from other keystore utilities.
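The same request scripted through the wsadmin alternative mentioned above, as an added example that is not IBM's code: it maps the console fields from the steps onto the parameters of AdminTask.createCertificateRequest and rejects input a CA would likely refuse before the keystore is touched. The 2048-bit floor, the `ca_requires_org` switch, the helper name and all sample values are assumptions of this example.

```python
# Added example (not IBM's code). Keystore name, alias, path and DN values
# in the call at the bottom are constructed placeholders.
VALID_KEY_SIZES = (512, 1024, 2048, 4096, 8192)  # sizes the console offers
MIN_KEY_SIZE = 2048                               # assumed local policy floor

# Optional console field -> wsadmin parameter, in the order of the steps.
DN_PARAMS = (
    ("organization", "-certificateOrganization"),
    ("organizational_unit", "-certificateOrganizationalUnit"),
    ("locality", "-certificateLocality"),
    ("state", "-certificateState"),
    ("zip_code", "-certificateZip"),
    ("country", "-certificateCountry"),
)


def build_request_args(key_store, alias, common_name, request_file,
                       key_size=2048, ca_requires_org=False, **dn):
    """Validate the inputs and return the AdminTask argument list."""
    for label, value in (("key store", key_store), ("alias", alias),
                         ("common name", common_name),
                         ("request file path", request_file)):
        if not value or not str(value).strip():
            raise ValueError("%s is required" % label)
    if key_size not in VALID_KEY_SIZES:
        raise ValueError("key size %r is not a valid value" % (key_size,))
    if key_size < MIN_KEY_SIZE:
        raise ValueError("key size %d is below the %d-bit floor"
                         % (key_size, MIN_KEY_SIZE))
    known = [name for name, flag in DN_PARAMS]
    unknown = [name for name in dn.keys() if name not in known]
    if unknown:
        raise ValueError("unknown DN field(s): %s" % ", ".join(unknown))
    if ca_requires_org and not dn.get("organization"):
        raise ValueError("this CA requires the Organization (O) value")
    args = ["-keyStoreName", key_store, "-certificateAlias", alias,
            "-certificateVersion", "3", "-certificateSize", str(key_size),
            "-certificateCommonName", common_name]
    for name, flag in DN_PARAMS:
        if dn.get(name):
            args += [flag, dn[name]]
    return args + ["-certificateRequestFilePath", request_file]


if "AdminTask" in globals():  # true only when the script runs inside wsadmin
    AdminTask.createCertificateRequest(build_request_args(
        "NodeDefaultKeyStore", "app1_csr", "app1.example.com",
        "/tmp/app1_csr.arm", ca_requires_org=True,
        organization="Example Corp", country="US"))
    AdminConfig.save()
```

Passing the arguments as a list rather than one bracketed string avoids quoting problems when a DN value such as the organization contains spaces.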
What to do next
Now we can receive the CA-signed certificate into the keystore to complete the process of generating a signed certificate for our server.
Subtopics
- Certificate request settings
  Use this page to verify the properties of a personal certificate request.
- Personal certificates collection
  Manage personal certificates.
- Self-signed certificates settings
  Create self-signed certificates.
- Personal certificate requests collection
  Manage personal certificate requests. Personal certificate requests are temporary place holders for certificates that will be signed by a certificate authority (CA).
- Personal certificate requests settings
  Create a new certificate request that can be extracted and sent to a certificate authority (CA).
- Extract certificate request
  Use this page to extract a certificate request to a file so it can be sent to a certificate authority (CA).
- Receiving a certificate issued by a certificate authority
  When a certificate authority (CA) receives a certificate request, it issues a new certificate that functions as a temporary placeholder for a CA-issued certificate. A keystore receives the certificate from the CA and generates a CA-signed personal certificate that WAS can use for SSL security.
- Replace a certificate
  Specify two certificates: the first selected certificate is replaced by the second selected certificate. The replace function replaces all the old signer certificates in key stores that are managed throughout the cell with the new signer from the new certificate. The same level of trust that was established with the old certificate is maintained. All places the certificate's alias is referenced in the security configuration will be replaced with the certificate's alias. The alias could be referenced on a security object like the SSL configuration, the dynamic outbound endpoint SSL configuration and key set groups.
Related:
- SSL configurations
- Keystore configurations for SSL
- CertificateRequestCommands command group of the AdminTask object