SSL certificates for WebSphere Application Server Liberty Profile

After installation, you can change the SSL server key for IBM® WebSphere® Application Server Liberty Profile. You can generate a new key and self-signed certificate, for example when your current certificate expires, or you can have an existing certificate signed by a trusted certificate authority (CA).

The SSL key that is used by the application server is stored in the IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12 file.

The keystore configuration is defined in the IS_install_path/wlp/usr/servers/iis/server.xml file:

<keyStore id="iis-server-keystore"
  password="${iis.keystore.password}" type="${iis.keystore.type}"/>

For more details about WebSphere Application Server Liberty Profile SSL configurations, see Securing communications with the Liberty profile.

During installation, the SSL key and self-signed certificate are generated as follows:

IS_install_path/jdk/bin/keytool -genkeypair -alias iisSSL -keyalg RSA ⇒
-keysize 2048 -sigalg SHA512withRSA -dname subject_name -validity ⇒
validity_days -storetype PKCS12 -keypass key_password ⇒
-storepass key_password -keystore IS_install_path/wlp/usr/⇒

Where the following values are replaced by the ones that are provided during the installation interview or from the response file:

subject_name
    The key subject and issuer distinguished name. They are identical because the certificate is self-signed. The default value is as follows; however, you can change the information to be more specific for your organization during installation:
    CN=current_host_name,OU=Software Group,O=IBM,C=US
validity_days
    The number of days that the key is valid. The default value is 2920 (8 years).
key_password
    The keystore password and key password. Using a keystore password that differs from the key password is not currently supported; both must be identical. The default value is iiskeypass, which you can change during installation.
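
The installation defaults described above (a self-signed certificate, a fixed validity period, and a documented default password) can be checked on a running system. The following script is an added example, not part of the IBM documentation: its function names are hypothetical, the sample listing is constructed, and it assumes the OpenJDK-style output of keytool -list -v, which other JDKs or locales may format differently.

```sh
#!/bin/sh
# Added example: checks on `keytool -list -v` output for the server key entry.
# Assumes OpenJDK-style labels ("Owner:", "Issuer:", "Valid from: ... until: ...").

# Constructed sample listing (host name and dates are made up).
sample_listing() {
  cat <<'EOF'
Alias name: iisSSL
Entry type: PrivateKeyEntry
Owner: CN=host.example.com, OU=Software Group, O=IBM, C=US
Issuer: CN=host.example.com, OU=Software Group, O=IBM, C=US
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Tue Jan 04 10:00:00 UTC 2028
Signature algorithm name: SHA512withRSA
EOF
}

# Print "yes" when Owner equals Issuer (self-signed), otherwise "no".
is_self_signed() {
  awk '/^Owner: /  { sub(/^Owner: /, "");  o = $0 }
       /^Issuer: / { sub(/^Issuer: /, ""); i = $0 }
       END { print ((o != "" && o == i) ? "yes" : "no") }'
}

# Print whole days from $1 (YYYY-MM-DD) to the "until:" date read on stdin.
# Negative means already expired. Time of day and time zone are ignored.
days_left() {
  awk -v today="$1" '
    function days(y, m, d,   era, yoe, doy) {   # days since 1970-01-01
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    /^Valid from: .* until: / {
      sub(/^.* until: /, "")                    # "Tue Jan 04 10:00:00 UTC 2028"
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
      split(today, t, "-")
      print days($NF + 0, mon, $3 + 0) - days(t[1] + 0, t[2] + 0, t[3] + 0)
      exit
    }'
}

# Exit status 0 when the keystore at $1 still opens with the default password
# that this page documents (iiskeypass); needs keytool on PATH.
opens_with_default() {
  keytool -list -storetype PKCS12 -keystore "$1" -storepass iiskeypass >/dev/null 2>&1
}
```

To run the first two checks against a real keystore, pipe the output of keytool -list -v -alias iisSSL for that keystore into is_self_signed and days_left in place of sample_listing.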