Use this topic to make a request to an external certificate authority (CA) to create a personal certificate. After the CA returns the certificate and it is saved in the keystore, you can use it as the server default personal certificate.
You must configure a CA client object in your environment. The client object contains all of the configuration information necessary to connect to your third-party CA server.
After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the application server to use a default personal certificate created by an external CA.
print AdminTask.listCAClients('-all true')
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
print AdminTask.getCAClient('-caClientName myCAClient')
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')
Parameter | Description | Data Type |
---|---|---|
-certificateAlias | Specifies the alias of the certificate. You can specify a predefined certificate request. | String |
-keyStoreName | Specifies the name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. | String |
-caClientName | Specifies the name of the CA client that was used to create the CA certificate. | String |
-revocationPassword | Specifies the password to use to revoke the certificate at a later date. | String |
Parameter | Description | Data Type |
---|---|---|
-keyStoreScope | Specifies the management scope of the keystore. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. | String |
-caClientScope | Specifies the management scope of the CA client. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. | String |
-certificateCommonName | Specifies the common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. | String |
-certificateSize | Specifies the size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048. | String |
-certificateOrganization | Specifies the organization portion of the distinguished name. | String |
-certificateOrganizationalUnit | Specifies the organizational unit portion of the distinguished name. | String |
-certificateLocality | Specifies the locality portion of the distinguished name. | String |
-certificateState | Specifies the state portion of the distinguished name. | String |
-certificateZip | Specifies the zip code portion of the distinguished name. | String |
-certificateCountry | Specifies the country portion of the distinguished name. | String |
AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias defaultPersonalCertificate -replacementCertificateAlias newCertificate')
AdminConfig.save()
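The listCAClients and getCAClient output above is one bracketed attribute string per CA client, and a request sent through a client whose host is still empty (as both clients shown here are) cannot reach the CA. As an added example that is not part of the IBM documentation, the plain Python below (no AdminTask objects; it uses no syntax newer than Python 2, so it should also paste into a wsadmin Jython session, which is an assumption) parses that format, selects a client by name and reports fields that should be filled in before requestCACertificate is run. The sample listing is constructed from the two clients on this page, and the set of fields checked is an assumption, not a documented rule.

```python
import re

# Constructed sample: the two CA clients from the listCAClients output on this page,
# one quoted '[ ... ]' record per client, re-joined onto single lines.
SAMPLE_LISTING = (
    "'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] "
    "[scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id "
    "cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] "
    "[pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type "
    "CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'\n"
    "'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] "
    "[scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id "
    "cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] "
    "[pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type "
    "CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'\n"
)

_ATTR = re.compile(r'\[([A-Za-z_][A-Za-z0-9_]*) ?([^\]]*)\]')  # one '[key value]', value may be empty
_RECORD = re.compile(r"'(\[.*?\])'", re.S)                      # one quoted client record

def parse_attrs(record):
    """Turn one '[ [key value] ... ]' string into a dict; '[host ]' becomes ''."""
    attrs = {}
    for key, value in _ATTR.findall(record):
        attrs[key] = value.strip()
    return attrs

def parse_ca_clients(listing):
    """Split listCAClients output into one attribute dict per CA client."""
    return [parse_attrs(rec) for rec in _RECORD.findall(listing)]

def find_ca_client(listing, name):
    """Return the CA client whose 'name' attribute matches, or None."""
    for client in parse_ca_clients(listing):
        if client.get('name') == name:
            return client
    return None

def ca_client_problems(client):
    """Fields that must be set before requestCACertificate can reach the CA
    (which fields to check is an assumption based on the attributes on this page)."""
    problems = []
    if not client.get('host'):
        problems.append('host is empty')
    if not re.match(r'^[0-9]+$', client.get('port', '')):
        problems.append('port is not numeric')
    if not client.get('pkiClientImplClass'):
        problems.append('pkiClientImplClass is empty')
    return problems
```

Inside wsadmin the listing would come from AdminTask.listCAClients('-all true') instead of the constructed sample; an empty result from ca_client_problems is the point at which to run requestCACertificate.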
The default personal certificate for the server is a certificate that is created by an external CA.
If the CA client object was successfully created, then you can configure the application server to use a personal certificate created by an external CA.