SSL certificates for WebSphere Application Server Liberty Profile
After installation, you can change the SSL server key for IBM® WebSphere® Application Server Liberty Profile. You can generate a new key and self-signed certificate, for example when your current certificate expires. You can also have an existing certificate signed by a trusted certificate authority (CA).
The SSL key that is used by the application server is stored in the IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12 file.
The keystore configuration is defined in the IS_install_path/wlp/usr/servers/iis/server.xml file:
<keyStore id="iis-server-keystore"
location="${server.config.dir}/resources/security/iis-server-keystore.p12"
password="${iis.keystore.password}" type="${iis.keystore.type}"/>
For more details about WebSphere Application Server Liberty Profile SSL configurations, see Securing communications with the Liberty profile.
During installation, the SSL key and self-signed certificate are generated as follows:
IS_install_path/jdk/bin/keytool -genkeypair -alias iisSSL -keyalg RSA \
    -keysize 2048 -sigalg SHA512withRSA -dname subject_name \
    -validity validity_days -storetype PKCS12 -keypass key_password \
    -storepass key_password \
    -keystore IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12
Where the following values are replaced by the ones that are provided during the installation interview or from the response file:
- subject_name
  - The key subject and issuer distinguished name. They are identical because the certificate is self-signed. The default value is as follows; however, you can change the information to be more specific for your organization during installation:
    CN=current_host_name,OU=Software Group,O=IBM,C=US
- validity_days
  - The number of days that the key is valid. The default value is 2920 (8 years).
- key_password
  - The keystore password and key password. A different keystore password and key password is not currently supported; both must be identical. The default value is iiskeypass, which you can change during installation.
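The following is an added example, not part of the IBM documentation: a Python check that reads the text printed by `keytool -list -v` for the keystore and reports whether the certificate still carries the installer defaults described above (self-signed, default subject, 2920-day validity) or is close to expiry. The sample listing, the function names, the finding labels and the 90-day warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v` output (not taken from a real system).
SAMPLE_LISTING = """\
Alias name: iisssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=host.example.com, OU=Software Group, O=IBM, C=US
Issuer: CN=host.example.com, OU=Software Group, O=IBM, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Tue Dec 30 00:00:00 UTC 2025
Signature algorithm name: SHA512withRSA
"""

# Installer default subject components and validity, as documented on this page.
DEFAULT_DN_PARTS = {"OU=Software Group", "O=IBM", "C=US"}
DEFAULT_VALIDITY_DAYS = 2920


def _parse_date(text):
    # Assumption: keytool printed the date in an English locale and in UTC.
    # The time zone token is dropped and the value is treated as UTC.
    parts = text.split()
    stamp = " ".join(parts[:4] + parts[5:])
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def audit_listing(listing, now, warn_days=90):
    """Return findings for the first certificate in a keytool listing."""
    owner = re.search(r"^Owner: (.+)$", listing, re.M).group(1).strip()
    issuer = re.search(r"^Issuer: (.+)$", listing, re.M).group(1).strip()
    valid = re.search(r"^Valid from: (.+?) until: (.+)$", listing, re.M)
    not_before, not_after = _parse_date(valid.group(1)), _parse_date(valid.group(2))
    findings = []
    if owner == issuer:  # subject equals issuer: not signed by a CA
        findings.append("self-signed")
    # Simplification: splits on commas, so escaped commas in a DN are not handled.
    if DEFAULT_DN_PARTS <= {part.strip() for part in owner.split(",")}:
        findings.append("default-subject")
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("expires-soon")
    if (not_after - not_before).days == DEFAULT_VALIDITY_DAYS:
        findings.append("default-validity")
    return findings
```

To check a real installation, pass the output of `keytool -list -v -storetype PKCS12 -keystore` run against the iis-server-keystore.p12 file as `listing`, and `datetime.now(timezone.utc)` as `now`.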