Adding trusted certificates in Liberty
For secure communication with another process over HTTPS, add the public certificate of the other process as a signer certificate to a Liberty truststore.
About this task
Many variations exist in the way you can configure certificates and truststores. This procedure covers only common configurations.
Procedure
- Obtain the public certificate from the other process.
  You can obtain the public certificate by using a web browser or open source tools. If you have direct access to the keystore of the other process, the public certificate can be exported from it. Use one of the following three methods. Steps might change slightly over time as browsers and open source tools are updated.
  - Use a web browser to obtain the public certificate.
    - In Firefox, click the padlock icon to the left of the URL.
    - Click the right arrow.
    - Click More Information.
    - Click View Certificate.
    - Click Details.
    - Click Export.
    - Select a file name, and then save the file as an X.509 certificate.
  - Run the openssl command to obtain a certificate.
    - Run the following command and capture the output. Use a port value of 443 unless you configured a different port for the HTTPS protocol. The HTTPS protocol is not specified in the command.
      echo q | openssl s_client -showcerts -connect (hostname):(port)
    - From the output that you captured, copy the first certificate. Include the following lines and the information between them:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
  - Extract the public certificate directly from the keystore file of the server.
    - Run the following command and capture the output. In a newly created Liberty keystore, only one key exists. The alias of the key is default.
      keytool -rfc -export -keystore (filename) -alias (alias) -file publickey.cer
- Add the certificate to a Liberty truststore.
  - Determine which file to modify.
    Truststores are usually found in the resources/security path of the Liberty server. In the simplest default configuration, the key.jks file functions as both the keystore and the truststore.
    Another common configuration consists of one file as a keystore, and another as a truststore.
    Use of multiple truststores is possible. If you have this configuration, examine the server configuration to determine which files are to receive the certificate.
    If you previously received an error message in the messages.log file, the error message might say which truststore needs to be updated.
  - Make a backup copy of the key file in case any problems occur.
  - Use the keytool command to add the certificate to the file.
    keytool -importcert \
        -file <certificate to trust> \
        -alias <alias for the certificate> \
        -keystore <name of the truststore> \
        -storepass <password for the truststore> \
        -storetype jks
  - Restart the server.
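As an added example that is not part of this documentation page, the following Python takes captured `openssl s_client -showcerts` output, picks out the first certificate as the procedure above describes, and computes its SHA-256 fingerprint so that it can be compared with the value the owner of the other process reports before the file is handed to keytool -importcert. The sample output and the base64 certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def certificates(s_client_output: str) -> list:
    """Every PEM block in `openssl s_client -showcerts` output, in printed order."""
    blocks, current = [], None
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            current = [line]
        elif line == PEM_FOOTER and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def first_certificate(s_client_output: str) -> str:
    """The server's own certificate: the first block, the one the procedure copies."""
    blocks = certificates(s_client_output)
    if not blocks:  # connection failed, or the port is not speaking TLS
        raise ValueError("no certificate found in s_client output")
    return blocks[0]

def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 of the DER bytes, the form keytool -list -v and browsers show."""
    body = pem.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
    der = base64.b64decode("".join(body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample of `echo q | openssl s_client -showcerts -connect host:443`
# output; the base64 bodies are placeholders, not real certificates.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = liberty.example.test
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIB
AgIUQ29uc3RydWN0
-----END CERTIFICATE-----
 1 s:CN = Example Issuer
-----BEGIN CERTIFICATE-----
MIIBtjCCAVygAwIB
AgIUaXNzdWVyc2Ft
-----END CERTIFICATE-----
"""
```

Write the string returned by first_certificate to a file and pass that file as the -file argument of keytool -importcert once the fingerprint matches what the other side reports.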

File name: twlp_add_trust_cert.html