Before you begin
Why and when to perform this task
Use this procedure to plan for the signed SSL certificates that you need to get from a certificate authority (CA) to properly enable SSL security between a server and C++ clients that use SSL mutual certificate authentication. You can use this procedure to get a CA-signed certificate for a client.
You need to create a certificate for a C++ client only if the client is configured to establish SSL connections to a server using client certificates. In this case, WebSphere Application Server assumes that you have created and installed a unique certificate for the client (and another for the server).
In a production WebSphere network, the production certificates are authenticated to verify the principal using the certificate. The principal is authenticated by a CA when the CA signs the principal's certificate. Because of the diligence that is expected of the CA, as described in "Certificate authorities", the authentication process for principals can take a significant amount of time. Commercial CAs often require up to a week to complete their authentication process. Even on-site CAs can take up to several days to complete their authentication process.
As a result, when you plan to add a new application server, you must plan for the certificates that you will need in advance of actually creating the server or client.
On the certificate signing request that you send to the CA, you need to specify the common name for the certificate. This is the primary, universal identity for the certificate that uniquely identifies the principal that it represents. For a server, a common convention is to use the server name. For a client, a common convention is to use a unique name to represent the C++ secured client.
For some CAs, including the fully qualified name of your host in the common name is required. For example, some CAs will not sign your certificate unless the domain portion of the host name is owned by your organization. When you plan the common name for a certificate request, check the format that your CA requires.
On the certificate signing request that you send to the CA, specify the name and address of your organization. Some certificate authorities require that you completely spell out the state or province fields. For example, you need to specify California as opposed to CA. Thus, check the format requirements for your CA.
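The following script is an added example, not part of the original page or of WebSphere itself. It drafts a certificate signing request with the subject fields discussed above and then checks the request locally before it goes to the CA: that the common name ends in your organization's domain, that the state or province is spelled out rather than abbreviated, and that the request's signature verifies against its key. It assumes the OpenSSL command line is installed; the organization, the host name appserver1.example.com, and the CA rules it checks for are constructed for illustration and must be replaced with your CA's actual requirements.

```shell
#!/bin/sh
# Added example (not from the original page): draft a CSR and pre-check its
# subject fields against typical CA requirements before submitting it.
# Assumptions: openssl is on PATH; organization, host name and the CA rules
# below (FQDN in CN, spelled-out state) are constructed sample values.
set -e

WORK="${TMPDIR:-/tmp}/csr-plan.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_csr <common-name> <state-or-province>
# Generates a fresh 2048-bit RSA key and a CSR; prints the CSR path.
make_csr() {
    cn="$1"; st="$2"
    key="$WORK/$(printf '%s' "$cn" | tr -c 'A-Za-z0-9.' '_').key"
    csr="${key%.key}.csr"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/C=US/ST=$st/L=San Jose/O=Example Corp/CN=$cn" >/dev/null 2>&1
    printf '%s\n' "$csr"
}

# subject_field <csr> <attribute>  (e.g. CN, ST, O)
# Prints the value of one subject attribute, one RDN per line from openssl.
subject_field() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# check_csr <csr> <organization-domain>
# Prints "ok" when the request passes the sample CA rules, otherwise a
# space-separated list of problems.
check_csr() {
    csr="$1"; domain="$2"; problems=""
    cn="$(subject_field "$csr" CN)"
    st="$(subject_field "$csr" ST)"
    case "$cn" in
        *."$domain") ;;                                    # CN is inside our domain
        *) problems="$problems CN-not-in-domain:$cn" ;;
    esac
    case "$st" in
        [A-Z][A-Z]) problems="$problems state-abbreviated:$st" ;;  # "CA" instead of "California"
    esac
    # The CSR must carry a valid self-signature from the key it names.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || problems="$problems bad-signature"
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}

# Demonstration with constructed values: one compliant request, one not.
good="$(make_csr appserver1.example.com California)"
bad="$(make_csr appserver1 CA)"
echo "good request: $(check_csr "$good" example.com)"
echo "bad request: $(check_csr "$bad" example.com)"
```

Run the script once per planned server or client and keep the generated key private; only the .csr file is sent to the CA. The check functions are deliberately simple string tests on the parsed subject, so extend `check_csr` with whatever additional format rules your own CA publishes.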
If you do not get a production certificate (from a CA) before you want to start using the SSL security based on the CA-signed certificate, you can start with either of the following, less secure, alternatives:
When you have received a signed certificate from a certificate authority, you can reconfigure the server and client so that they can use the certificate. From then on, the clients can access the server with the security provided by the certificate.
Note: If your client certificate is compromised, or if some other certificate in its chain of trust is compromised and you have to produce a replacement certificate, you can experience the same delay again until the new certificate is received. For more information about getting and installing server certificates, see Creating SSL certificates for a CORBA C++ client.