Replacing WebSphere Application Server Network Deployment certificates

To replace a certificate before it expires, or to use your own certificate, you can replace an IBM® WebSphere® Application Server Network Deployment certificate by specifying a different certificate for each node.

About this task

In clustered IBM InfoSphere® Information Server installations, all signer certificates must be stored in the CellDefaultTrustStore truststore. In stand-alone InfoSphere Information Server installations, all signer certificates must be stored in the NodeDefaultTrustStore truststore. These trust stores are the default locations for WebSphere Application Server Network Deployment signer certificates.

You can renew certificates in WebSphere Application Server. WebSphere Application Server generates a new certificate that replaces the old certificate.

Alternatively, you can replace a certificate with your own certificate, or you can use a certificate signed by a certificate authority. Refer to the WebSphere Application Server documentation for details.

Procedure

  1. Start the application server if it is not already started.
    Stand-alone installation:
    • Linux, UNIX: MetadataServer.sh
    • Windows: MetadataServer.bat
    Clustered installation:
    Start the deployment manager: startManager
  2. Log in to the WebSphere Application Server administrative console.
  3. Renew or replace the WebSphere Application Server certificate.
  4. Stop and restart all IBM WebSphere Application Server Network Deployment processes. For more information about restarting application server processes, see Restarting application server processes.
  5. Retrieve the signer certificate for the WebSphere Application Server client trust store. If the WebSphere Application Server client trust store does not include a signer certificate, the application server might fail.

    By default, WebSphere Application Server prompts you to accept the certificate if it is not trusted when you run a WebSphere Application Server command-line utility, such as the serverStatus command or the stopServer command. Ensure that you accept the certificate before you stop or start WebSphere Application Server by using any other application, such as Microsoft Windows Services.

    See Secure installation for client signer retrieval in SSL for more information on retrieving the signer certificate and establishing trust for your certificate.

What to do next

Run the UpdateSignerCerts tool on the client tiers, engine tiers, and services tiers. For more information, refer to Running the UpdateSignerCerts command.