To ensure Secure Sockets Layer (SSL) communication, servers
require a personal certificate that is either self-signed, chained
or signed by an external certificate authority (CA). You must first
create a personal certificate request to obtain a certificate that
is signed by a CA.
Before you begin
The keystore that contains a personal certificate request
must already exist.Alternative Method: To
create a certificate request by using the wsadmin tool, use the createCertificateRequest command
of the AdminTask object. For more information, see the CertificateRequestCommands
command group of the AdminTask object article.
Avoid trouble: Before you use WebSphere® Application Server to create a CA
request, make sure that you know the requirements of the CA you are
using. When the WebSphere Application Server SSL
CA certificate request process is initiated from the administrative
console, the Organization property is not marked as a required setting.
However, when you request a certificate from some CAs, such as VeriSign,
the Organization property is a required setting.
About this task
Complete the following steps in the administrative console:
Procedure
- Click .
- Click .
- Type the full path of the certificate request file.
The certificate request is created in this location.
- Type an alias name in the Key label field.
The alias identifies the certificate request in the keystore.
Any empty space is removed from the certificate alias when the certificate
request is created. A certificate alias with empty space might cause compatibility issues among Java™ versions.
- Type a common name (CN) value.
This value is
the CN value in the certificate distinguished name (DN).
- You can configure one or more of the following optional values:
- Select a key size value. The valid key size values are 512, 1024, 2048, 4096, and 8192. The
default key size value is 2048 bits.
- Type an organization value. This value is the O value in the certificate DN.
Note: If you
specify a (,) comma in the organizational value, then the comma must be enclosed in double quotes
(") or escaped with a backward slash (\). If a distinguished name string value contains a comma and
is not specified in this way, the organizational value is in error as an invalid name. Correct
specification is in these examples:
- specify X and Y Services, Inc. as:
"X and Y Services, Inc."
OR X and Y
Services\, Inc.
- specify X, Y, and Z Company as:
"X, Y, and Z Company"
OR X\, Y\, and Z
Company
- Type an organizational unit value. This organizational unit value is the OU value in the
certificate DN.
Note: If you specify a (,) comma in the organizational unit value, then the comma
must be enclosed in double quotes (") or escaped with a backward slash (\). If a distinguished name
string value contains a comma and is not specified in this way, the organizational unit value is in
error as an invalid name. Correct specification is in these examples:
- specify Sales, Distribution as:
"Sales, Distribution"
OR Sales\,
Distribution
- specify Inventory, Control, and Marketing as:
"Inventory, Control, and
Marketing"
OR Inventory\, Control\, and Marketing
- Type a locality value. This locality value is the L value in the certificate DN.
- Type a state or providence value. This value is the ST value in the certificate DN.
- Type a zip code value. The zip code value is the POSTALCODE value in the certificate
DN.
- Select a country value from the list. This country value is the C= value in the certificate
request DN.
- Select a signature algorithm. The default is RSAwithSHA256.
- Select one or more key usages for the certificate. By default, none
are included.
- Select one or more extended key usages for the certificate. By
default, none are included.
- Type an email address to be part of the certificate subject
alternative name.
- Type a DNS name to be part of the certificate subject alternative
name.
- Type an IP address to be part of the certificate subject alternative
name.
- Click Apply.
Results
The certificate request is created in the specified file location in the keystore. The
request functions as a temporary placeholder for the signed certificate until you manually receive
the certificate in the keystore. Note: Keystore tools (such as iKeyman and keyTool) cannot receive
signed certificates that are generated by certificate requests from WebSphere Application Server. Similarly, WebSphere Application Server cannot accept certificates that are generated by
certificate requests from other keystore utilities.
Important: For an expired
certificate chain or an expired certificate authority (CA) certificate chain, you are required to
update the entire chain. You must generate a new certificate chain that has the individual
signer certificates. For a CA certificate chain, this may require importing a new certificate chain,
usually through a new certificate request file (CSR).
What to do next
Now you can receive the CA-signed certificate into the keystore
to complete the process of generating a signed certificate for your
server.