SSL certificate key sizes and key management

The IBM WebSphere Application Server (WAS) default certificates are stored in the default keystore, NodeDefaultKeyStore.

This keystore has the type PKCS12, which is the default Java™ keystore type. Every stored certificate in a keystore was created with a certain key size.

The certificates in a keystore can be viewed using the administration console navigation path:

Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates

Figure 1. The general properties also show the key size of the public key in the certificate

Screenshot showing the properties for personal certificates

The default certificate key size (used when creating new certificates) can be changed by adding a specific property. The administration console navigation path is:

Security > Global security > Custom properties

Figure 2. Custom property for default certificate key size

Screenshot of custom properties

The added property is ssl.client.props:com.ibm.ssl.defaultCertReqKeySize with the new default key size (for example, 2048-bit or 4096-bit).

Newly created certificates use the key size from this property as a default.
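To review key sizes across every entry in a keystore without opening each certificate in the console, the following Java program loads a PKCS12 keystore and prints the public key size of each certificate, flagging RSA keys below a minimum. It is an added example, not IBM's code; the class name, the keystore path argument, the KEYSTORE_PASSWORD environment variable and the 2048-bit default threshold are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Added example (not IBM code): report the public key size of every certificate in a PKCS12 keystore.
public class KeySizeAudit {
    // Key size in bits, or -1 for key types this example does not handle.
    static int keySizeBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: keystore path as first argument, password in KEYSTORE_PASSWORD.
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length < 1 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeySizeAudit <keystore.p12> [minRsaBits]");
            System.exit(2);
        }
        int minRsaBits = args.length > 1 ? Integer.parseInt(args[1]) : 2048;
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue; // entry without a certificate
            PublicKey key = cert.getPublicKey();
            int bits = keySizeBits(key);
            // The threshold applies to RSA only; EC key sizes are not comparable to RSA sizes.
            boolean small = key instanceof RSAPublicKey && bits < minRsaBits;
            if (small) flagged++;
            System.out.printf("%-24s %-4s %5d bits%s%n", alias, key.getAlgorithm(), bits,
                    small ? "  <-- below minimum" : "");
        }
        System.exit(flagged == 0 ? 0 : 1);
    }
}
```

The exit status is 1 when at least one RSA key is below the minimum, so the check can run from a scheduled job or a build step.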