[17.0.0.4 and later]

Enabling SSL with third-party certificates

Run Liberty in an environment where you must use existing third-party certificates, which might be signed by a certificate authority that provides trust.

Before you begin

  1. Create a server.crt file that contains the certificate and a server.key file that contains the private key.
  2. Use the openssl command and the Java keytool command to create the trust.jks file and the key.jks file based on the server.crt file and the server.key file.

    Use the following example to create the keystore and truststore JKS files:

    1. Export the server CA certificate and key in Public Key Cryptography Standards 12 (PKCS12) format.
      openssl pkcs12 -export -in server.crt -inkey server.key -out key.p12 -name default -passout pass:mypassword
    2. Import the server PKCS12 file to the keystore key.jks file.
      keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore key.jks -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias default
    3. Import the server CA certificate to the keystore trust.jks file.
      keytool -importcert -keystore trust.jks -storepass mypassword -file server.crt -alias default -noprompt
  3. Determine whether the SSL configuration is already created. To do so, check whether the secrets exist by running the following command:
    kubectl get secrets
    If the SSL configuration exists, then the following secrets are displayed:
    mb-keystore, mb-keystore-password, mb-truststore, mb-truststore-password
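
The following script is an added example, not part of the original documentation: it checks that server.key belongs to server.crt and that the certificate is not about to expire, runs the PKCS12 export shown above, and confirms that key.p12 holds the expected certificate. The function names and the KEYSTORE_PASS environment variable are assumptions of this example; the password is passed with openssl's `env:` source instead of `pass:` so that it does not appear in the process arguments.

```shell
#!/bin/sh
# Added example: check server.crt/server.key, then run the page's PKCS12 export.
# Assumes an unencrypted PEM private key, as the page's openssl command does.
# Function names and the KEYSTORE_PASS variable are this example's own.

# Return 0 if KEY belongs to CRT and CRT stays valid for MIN_DAYS more days.
# Return 1 on key/certificate mismatch, 2 if expiring, 3 if a file is unreadable.
preflight() {
  crt=$1; key=$2; min_days=${3:-30}
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  # Both commands emit the SubjectPublicKeyInfo as PEM, so equal text means a pair.
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null || return 2
  return 0
}

# The export command from the page, with the password read from the
# environment (env:) so that it is not visible in the process arguments.
export_p12() {
  preflight "$1" "$2" || return $?
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name default \
    -passout env:KEYSTORE_PASS
}

# Return 0 if the certificate stored in the PKCS12 file P12 is the one in CRT.
p12_holds_cert() {
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 3
  got=$(openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 3
  [ "$want" = "$got" ]
}
```

The keytool password options accept the same approach through the `:env` modifier, for example `-srcstorepass:env KEYSTORE_PASS`.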

Procedure

