Creating certificate authority (CA) personal certificates using the wsadmin tool
Use this topic to create CA certificates from a certificate authority (CA).
Before you begin
About this task
Procedure
- Optional: Query your configuration for keystores
to determine where system stores the new CA certificate. Use the listKeyStores command to list all keystores for a specific management scope. Specify the -scopeName parameter to display keystores within a specific management scope, or set the -all parameter to true to display all keystores regardless of scope. The following example lists all keystores in your configuration:
The command returns the following sample output:AdminTask.listKeystores('-all true')CellDefaultKeyStore(cells/myCell|security.xml#KeyStore_1) CellDefaultTrustStore(cells/myCell|security.xml#KeyStore_2) CellLTPAKeys(cells/myCell|security.xml#KeyStore_3) NodeDefaultKeyStore(cells/myCell|security.xml#KeyStore_1598745926544) NodeDefaultTrustStore(cells/myCell|security.xml#KeyStore_1476529854789)Use the getKeyStoreInfo command and specify the -keyStoreName parameter to return additional information about the keystore of interest, as the following example displays:
The command returns the following configuration information for the keystore of interest:AdminTask.getKeyStoreInfo('[-keyStoreName CellDefaultKeyStore]')[ [location ${CONFIG_ROOT}/cells/myCell/key.p12] [password *****] [_Webspher e_Config_Data_Id cells/myCell|security.xml#KeyStore_1] [_Websphere_Config_Da ta_Version ] [useForAcceleration false] [slot 0] [type PKCS12] [additionalKeySto reAttrs ] [fileBased true] [_Websphere_Config_Data_Type KeyStore] [customProvide rClass ] [hostList ] [createStashFileForCMS false] [description [Default key sto re for JenbCell01]] [readOnly false] [initializeAtStartup false] [managementScop e (cells/JenbCell01|security.xml#ManagementScope_1)] [usage SSLKeys] [provider I BMJCE] [name CellDefaultKeyStore] ] - Optional: Determine which CA client to use.
Use the listCAClients command to list the CA clients that exist in your configuration. Specify the -scopeName parameter to display CA clients within a specific management scope, or set the -all parameter to true to display all CA clients regardless of scope. The following example lists all CA clients in your configuration:
AdminTask.listCAClients('-all true') - Create a CA personal certificate. Use the requestCACertificate command to create a new CA personal certificate in your environment. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, the requestCAcertificate command stores the certificate in the specified key store and returns a message of COMPLETE.
Table 1. Required parameters . Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority: Parameter Description Data type -certificateAlias Specifies the alias of the certificate. You can specify a predefined certificate request. String -keyStoreName Specifies the name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. String -caClientName Specifies the name of the CA client that was used to create the CA certificate. String -revocationPassword Specifies the password to use to revoke the certificate at a later date. String Table 2. Additional parameters . You can also use the following parameters to specify additional certificate request options. If you do not specify an optional parameter, the command uses the default value. Parameter Description Data type -keyStoreScope Specifies the management scope of the keystore. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String -caClientScope Specifies the management scope of the CA client. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String -certificateCommonName Specifies the common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. String -certificateSize Specifies the size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048. String -certificateOrganization Specifies the organization portion of the distinguished name. String -certificateOrganizationalUnit Specifies the organizational unit portion of the distinguished name. String -certificateLocality Specifies the locality portion of the distinguished name. String -certificateState Specifies the state portion of the distinguished name. String -certificateZip Specifies the zip code portion of the distinguished name. String -certificateCountry Specifies the country portion of the distinguished name. String Use the following example command syntax to request a certificate from a certificate authority:AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -CAClientName myCAClient -revocationPassword revokeCApw')The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request, as the following example displays:AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore') - Save your configuration changes. Use the following command example to save your configuration changes:
AdminConfig.save()