Create a new SSL certificate to replace an existing one in a node

When using the -asExistingNode option on the addNode command, we might be adding an existing node to a different machine. The default SSL certificate of the node does not contain the name of the machine the node is located on. In most scenarios, the subject DN of the default certificate does not make a difference. However, we might want to change the default certificate of the node to contain the hostname of the node.

To replace the default certificate of a node, create a new NodeDefaultKeyStore for the certificate and then replace the old certificate with the new one.

The certificate created by default on the WebSphere Application Server subjectDN is of the form cn=hostname, ou=<cell name>, ou=<node name>, o=ibm, c=us. When creating a new certificate we can also customize the subjectDN.

Create a new SSL certificate

1. Click...
   Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Additional Properties > Personal certificates > Create > Chained Certificate

2. Enter a certificate and alias name.

   This can be any name we choose as long as the alias does not already exist. It is just a label to identify the certificate in the keystore.

3. Enter a common name.

   This is typically the hostname the node is running on.

4. Optional: Fill in any of the other Subject DN related fields.

   If we want the subject DN to look like the default subjectDN on WAS, then enter:

   • IBM in the Organization field.
   • <cell name>,ou=<node name> in the Organization unit field.
   • Under the Country or region pull-down, select US.

5. Use the defaults for Root certificate used to sign the certificate, Key Size, and Validity Period or supply our own values.

6. Click Apply.

   We can also create a new chained certificate using the createChainedCertificate command. Read PersonalCertificateCommands command group for the AdminTask object for more information.

   We must now replace the old certificate with the one we just created. The replace certificate option not only replaces the old default certificate with a new one but also replaces any occurrences of the signer of the old certificate with the signer of the new certificate. The configuration is also checked for references to the alias name of the old certificate and replaces it with the alias name of the new certificate. To replace the old certificate with the new one, complete the remaining steps.

7. Click...
   Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Additional Properties > Personal certificates

8. Select the default certificate of the node, usually called default.

9. Click Replace.

10. Select the certificate alias name for the certificate we just created from the Replace with pull-down.

11. Click Delete old Certificate after replacement.

12. Click Apply.

    We can also create a new chained certificate using the replaceCertificate command.

What to do next

We can also replace default certificates in an entire cell.

Create new SSL certificates to replace existing ones in a cell

PersonalCertificateCommands