Certificate Options during profile creation

Starting in WebSphere® Application Server Version 7.0, you have several options available during profile creation concerning the default certificate and root certificate of the server.

The new certificate options enable you to:

Two new panels are available during profile creation that enable you to make decisions about the default certificate and root certificate of the server.

The first panel, titled Security Certificate (Part 1), enables you to choose to import a certificate or to have WebSphere Application Server create the default certificate or the default root certificate of the server for you.

The second panel, titled Security Certificate (Part 2), either displays the information from the certificate imported from the previous panel, or, if you choose to have WebSphere Application Server create the certificate, enables you to change the subjectDN and the certificate validity period.

Importing the default certificate of the server during profile creation

If the default certificate of the server is imported during profile creation, it is added to NodeDefaultKeyStore if on a stand-alone application server, or to CellDefaultKeyStore if on a deployment manager. The imported certificate signer is added to NodeDefaultTrustStore or CellDefaultTrustStore.

To import the default certificate of the server, you must have a personal certificate stored in a keystore that you have access to. You must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:
  1. Select Import an existing default personal certificate.
  2. Type or select the keystore file name.
  3. Enter the password of the keystore.
  4. Select a keystore type from the pull-down list.
  5. If you have correctly filled in all information from the previous 3 steps, you are able to select a certificate alias from the pull-down list.

The certificate you choose is imported to the default keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.

Importing the root certificate of the server during profile creation

If the server root certificate is imported during profile creation, the certificate is added to NodeDefaultRootStore on a stand-alone application server or to DmgrDefaultRootStore on a deployment manager. The signer is pulled from the imported root certificate and added to NodeDefaultTrustStore or CellDefaultTrustStore. The root certificate is used by WebSphere Application Server to sign any chained certificates it creates. If no default certificate is provided during profile creation, WebSphere Application Server uses the root certificate to sign the default certificate of the server.

To import the root certificate of the server, you must have a personal certificate stored in a keystore that you have access to. You must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:
  1. Select Import an existing root signing certificate.
  2. Type or select the keystore file name.
  3. Enter the password of the keystore.
  4. Select a keystore type from the pull-down list.
  5. If you have correctly filled in all information from the previous 3 steps, you are able to select a certificate alias from the pull-down list.

The certificate you choose is imported to the root keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.
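
Before using either import panel, the keystore can be checked from a shell. The following is an added example, not IBM's code: it parses `keytool -list -v` output to show which aliases are personal certificates (private key entries) and what their issuedTo and issuedBy values are. The sample listing, alias names and DNs are constructed, and the keystore path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: pre-check a keystore before the import panels.
# Real use (placeholder path; keytool prompts for the keystore password):
#   keytool -list -v -keystore /path/to/keys.p12 -storetype PKCS12 | summarize_keystore

# Print one line per alias: alias|entry type|issuedTo|issuedBy.
# Only the first Owner/Issuer after each alias is kept (the certificate
# itself); later pairs belong to the rest of its chain.
summarize_keystore() {
  awk '
    function emit() { if (alias != "") print alias "|" etype "|" owner "|" issuer }
    /^Alias name: / { emit(); alias = substr($0, 13); etype = owner = issuer = ""; next }
    /^Entry type: / { etype = substr($0, 13); next }
    /^Owner: /      { if (owner == "")  owner  = substr($0, 8); next }
    /^Issuer: /     { if (issuer == "") issuer = substr($0, 9); next }
    END { emit() }
  '
}

# Aliases that hold a private key, i.e. personal certificates.
personal_cert_aliases() {
  summarize_keystore | awk -F'|' '$2 == "PrivateKeyEntry" { print $1 }'
}

# Constructed sample of `keytool -list -v` output (not from a real keystore).
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: appserver
Creation date: Oct 22, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host.example.com, OU=Constructed, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: partner-signer
Creation date: Oct 22, 2010
Entry type: trustedCertEntry
Owner: CN=Partner CA, O=Partner
Issuer: CN=Partner CA, O=Partner
EOF
}

sample_listing | summarize_keystore
```

An alias that shows up as trustedCertEntry carries no private key, so it is a signer rather than a personal certificate.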

Customizing the default certificate created by WebSphere Application Server

If you choose to let WebSphere Application Server create the default certificate of the server, you can customize the subject distinguished name (DN) and the life span of the certificate.

To customize the default certificate of the server on the Security Certificate (Part 1) panel, do the following:

  1. Select Create a new default personal certificate.
  2. On the next panel, Security Certificate (Part 2), the Issued to distinguished name field contains the WebSphere Application Server default DN. Replace this with your customized DN.
  3. In Expiration period in years, select the number of years you want the certificate to be valid for.

Customizing the root certificate created by WebSphere Application Server

If you choose to let WebSphere Application Server create the root certificate, you can customize the DN of the certificate and the life span of the certificate.

To customize the root certificate of the server on the Security Certificate (Part 1) panel, do the following:
  1. Select Create a new root signing certificate.
  2. On the next panel, Security Certificate (Part 2), the Issued by distinguished name field contains the WebSphere Application Server default root certificate DN. Replace this with your customized DN.
  3. In Expiration period in years, select the number of years you want the root certificate to be valid for.

Last updated: Oct 22, 2010 12:21:29 AM CDT