
Create new SSL certificates to replace existing ones in a cell

To replace the default Secure Sockets Layer (SSL) certificates in an entire cell, create a new self-signed root certificate in the root keystore, DmgrDefaultRootStore, and replace the old root certificate with the new one.

For the default certificate of the cell in CellDefaultKeyStore and the default certificate of each node in NodeDefaultKeyStore, create a new chained certificate and replace the old default certificate with the new certificate.

The root certificate is created by default on WebSphere Application Server, and has a subjectDN in the form...

When we create a new root certificate we can also customize the subject DN.


Create a new SSL root certificate

  1. Click...

  2. Click...

  3. Enter a certificate and alias name.

    This can be any name we choose as long as the alias does not already exist. It is just a label to identify the certificate in the keystore.

  4. In the Common name field, enter the fully qualified domain name of the computer where WAS is installed. This is typically the hostname the node is running on.

  5. Optional: Fill in any of the other Subject DN related fields. If we want the subject DN to look like the default subjectDN on WAS, then enter:

    • IBM in the Organization field.
    • <cell name>,ou=<node name> in the Organization unit field.
    • Under the Country or region pull-down, select US.

  6. Use the defaults for Root certificate used to sign the certificate, Key Size, and Validity Period or supply our own values.

  7. Click Apply > Save.

    We can also create a self-signed certificate using the createSelfSignedCertificate command.


Replace the old root certificate with the one we just created

We must now replace the old root certificate with the one we just created. The replace certificate option not only replaces the old default certificate with a new one but also replaces any occurrences of the signer of the old certificate with the signer of the new certificate. The configuration is also checked for references to the alias name of the old certificate, and each reference is replaced with the alias name of the new certificate. To replace the old certificate with the new one, complete the remaining steps.

  1. In the Personal certificates page, select the check box for the older root certificate.

  2. Click Replace.

  3. From the Replace with list, choose the alias of the certificate we created.

  4. Select Delete old certificate after replacement.

    Important: Be sure that the Delete old signer check box is not selected.

  5. Click Apply > Save.


Create a chained personal certificate in the default cell keystore

  1. For the node we want to change, go to...

      Key stores and certificates > CellDefaultKeyStore > Additional Properties > Personal certificates > default certificate (usually default)

    Click...

      Create > Chained certificate

  2. In the Alias field, enter a new personal certificate alias.

  3. In the Root certificate used to sign the certificate pull-down list, select the alias root.

  4. In the Common name field, enter the fully qualified domain name of the computer where WAS is installed.

  5. Click Apply > Save.


Replace the personal certificate in the default cell keystore

  1. In the Personal certificates page, select the default check box.

  2. Click Replace.

  3. Select the certificate alias name for the new certificate we just created from the Replace with pull-down.

  4. Select Delete old certificate after replacement.

    Important: Be sure that the Delete old signer check box is not selected.

  5. Click Apply > Save.
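
The four procedures above can also be scripted. The following wsadmin Jython sketch is an added example, not IBM's own code: it builds the create and replace calls as AdminTask argument lists, keeps Delete old signer off in both replace steps, and runs them only inside wsadmin. The scope string, host name and all aliases are constructed placeholders, and the signing root alias is passed explicitly.

```python
# Added example for wsadmin (-lang jython). Aliases, host and scope are constructed
# placeholders; confirm the real keystore scope with AdminTask.listKeyStores first.

def opts(pairs):
    # Flatten (name, value) pairs into the ['-name', 'value', ...] list AdminTask accepts.
    out = []
    for name, value in pairs:
        out.extend(['-' + name, str(value)])
    return out

def new_cert(command, store, scope, alias, host, extra):
    return (command, opts([('keyStoreName', store), ('keyStoreScope', scope),
                           ('certificateAlias', alias), ('certificateVersion', 3),
                           ('certificateSize', 2048),
                           ('certificateCommonName', host)] + extra))

def replace_step(store, scope, old_alias, new_alias):
    # Same choices as the Replace panel: delete the old certificate, keep the old signer.
    return ('replaceCertificate', opts([
        ('keyStoreName', store), ('keyStoreScope', scope),
        ('certificateAlias', old_alias),
        ('replacementCertificateAlias', new_alias),
        ('deleteOldCert', 'true'), ('deleteOldSigners', 'false')]))

def build_plan(scope, host, old_root, new_root, signer, old_default, new_default):
    root_store, cell_store = 'DmgrDefaultRootStore', 'CellDefaultKeyStore'
    return [
        new_cert('createSelfSignedCertificate', root_store, scope, new_root, host,
                 [('certificateOrganization', 'IBM'), ('certificateCountry', 'US')]),
        replace_step(root_store, scope, old_root, new_root),
        new_cert('createChainedCertificate', cell_store, scope, new_default, host,
                 [('rootCertificateAlias', signer)]),
        replace_step(cell_store, scope, old_default, new_default),
    ]

def run(plan):
    for command, args in plan:
        getattr(AdminTask, command)(args)   # for example AdminTask.replaceCertificate([...])
    AdminConfig.save()                      # the console's Save

PLAN = build_plan('(cell):ExampleCell01', 'was01.example.test',
                  'oldroot', 'root2024', 'root2024', 'default', 'default2024')

if 'AdminTask' in globals():   # defined only inside wsadmin; elsewhere the plan is just built
    run(PLAN)
```

Review the printed or logged PLAN before running it under wsadmin, since the replace steps delete the old certificates.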


What to do next

We can also replace default certificates in a node.


  • Create a new SSL certificate to replace an existing one in a node
  • PersonalCertificateCommands