When certificates expire, they can no longer be used by
the system. WebSphere® Application Server provides a
utility to monitor certificates that are close to expiration or have
already expired. You can schedule certificate monitoring, or you can
request certificate monitoring on demand. You can also configure options
for deleting expired certificates and for recreating certificates.
Before you begin
Important: For an expired certificate chain or an expired certificate authority
(CA) certificate chain, you are required to update the entire chain. You must generate a new
certificate chain that has the individual signer certificates. For a CA certificate chain, this may
require importing a new certificate chain, usually obtained through a new certificate signing request (CSR) file.
Important: The Certificate Expiration Monitor does not handle replacing client
self-signed certificates and is not capable of sending the new signer certificate needed for trust.
If the client is a web server plug-in, it will not be able to securely communicate with the
application server after self-signed certificate replacement.
WebSphere Application Server
notifies you when a certificate is about to expire. Complete the information required for
notification messaging in Notifications.
About this task
Complete the following configuration steps in the administrative
console:
Procedure
- Click Security > SSL certificate and key management >
Manage certificate expiration.
- In the Expiration notification threshold field, type the number of days before
expiration at which the monitor issues a warning.
WebSphere Application
Server issues an expiration warning n days before the certificate
expires.
- Select one or more of the following options:
- Expiration check notification. From the list, select the method
by which you want to receive your notification.
- Automatically replace expiring self-signed certificates.
If you do not want to recreate the self-signed certificate, clear
the check box.
Attention: When using writable System Authorization
Facility (SAF) keyrings in your configuration, the certificate expiration
monitor does not replace expired certificates in the writable
SAF keyrings, but only provides a notification of the expiration.
- Delete expiring certificates and signers after replacement.
If you do not want to delete the expired certificates and signers,
clear the check box.
- Enable checking. If you do not want to have certificate
monitoring enabled, clear the check box.
- To schedule the certificate expiration monitor, enter the time of day
at which you want certificate monitoring to run.
- Select one of the following options:
- Check by calendar. For Weekday, enter the day
of week that you want to run the certificate expiration monitor.
For Repeat Interval, specify the frequency to run the certificate
monitor.
- Check by number of days. Enter a number for how frequently
the monitor runs, in number of days.
- Type the number of days before the threshold date at which
the certificate monitor warns that a certificate is about to be replaced.
When a certificate is within the expiration threshold and automatic
replacement is enabled, the certificate is replaced. This value specifies
how long before the threshold the certificate monitor issues warnings
about upcoming replacement dates.
- Click Apply. Remember to restart WebSphere Application Server so that these settings
take effect.
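The threshold, the warn-before-replacement period, and the "self-signed only" and SAF keyring restrictions described above interact in a way that is easier to see in code than in the console. The following is an added example, not part of the IBM documentation and not WebSphere's own implementation: it models the monitor's decision rules with constructed certificate records (nothing reads a real keystore), and adds simple next-run calculations for the "check by number of days" and "check by calendar" schedules. The record and settings classes, action names, and sample dates are all assumptions made for the illustration.

```python
# Added example (not IBM documentation or WebSphere code): a stand-alone model
# of the certificate expiration monitor's decision rules as the page describes
# them. All certificate records and dates below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class CertRecord:
    """Constructed stand-in for a keystore entry (not WebSphere's object model)."""
    alias: str
    not_after: date              # certificate expiration date
    self_signed: bool            # only self-signed certificates can be auto-replaced
    writable_saf: bool = False   # writable SAF keyring: notification only, never replaced


@dataclass
class MonitorSettings:
    """Mirrors the console fields; names are assumptions for this example."""
    threshold_days: int          # "Expiration notification threshold"
    warn_before_days: int        # days before the threshold date to warn of replacement
    auto_replace: bool           # "Automatically replace expiring self-signed certificates"
    delete_old: bool             # "Delete expiring certificates and signers after replacement"
    enabled: bool = True         # "Enable checking"


def classify(cert: CertRecord, today: date, s: MonitorSettings) -> list[str]:
    """Return the actions the monitor would take for one certificate on `today`."""
    days_left = (cert.not_after - today).days
    replaceable = cert.self_signed and s.auto_replace and not cert.writable_saf
    if days_left <= s.threshold_days:
        if replaceable:
            actions = ["REPLACE"]
            if s.delete_old:
                actions.append("DELETE_OLD")
            return actions
        # CA-signed chains need a new chain (usually via a CSR) and writable SAF
        # keyrings are never touched, so the monitor can only notify.
        return ["NOTIFY_EXPIRED" if days_left < 0 else "NOTIFY_EXPIRING"]
    # Replacement is still in the future, but inside the warning window:
    # warnings start (threshold + warn_before) days before expiration.
    if replaceable and days_left <= s.threshold_days + s.warn_before_days:
        return ["WARN_REPLACEMENT_PENDING"]
    return []


def run_monitor(certs, today: date, s: MonitorSettings) -> dict[str, list[str]]:
    """Map alias -> actions for every certificate that needs attention."""
    if not s.enabled:
        return {}
    results = {c.alias: classify(c, today, s) for c in certs}
    return {alias: acts for alias, acts in results.items() if acts}


def next_run_by_days(last_run: date, every_days: int) -> date:
    """'Check by number of days': run again a fixed number of days later."""
    return last_run + timedelta(days=every_days)


def next_run_by_calendar(last_run: date, weekday: int, repeat_weeks: int) -> date:
    """'Check by calendar': next occurrence of `weekday` (0=Monday .. 6=Sunday),
    repeating every `repeat_weeks` weeks once aligned to that weekday."""
    days_ahead = (weekday - last_run.weekday()) % 7
    if days_ahead == 0:
        days_ahead = 7 * repeat_weeks
    return last_run + timedelta(days=days_ahead)


def demo() -> dict[str, list[str]]:
    """Run the model over constructed sample certificates."""
    today = date(2024, 1, 1)  # constructed "today" (a Monday)
    settings = MonitorSettings(threshold_days=60, warn_before_days=15,
                               auto_replace=True, delete_old=True)
    certs = [
        CertRecord("node-selfsigned", date(2024, 2, 15), self_signed=True),          # 45 days left
        CertRecord("ca-signed-chain", date(2024, 2, 15), self_signed=False),         # 45 days left
        CertRecord("saf-selfsigned", date(2024, 2, 15), self_signed=True, writable_saf=True),
        CertRecord("soon-selfsigned", date(2024, 3, 15), self_signed=True),          # 74 days left
        CertRecord("healthy", date(2025, 1, 1), self_signed=True),                   # 366 days left
        CertRecord("lapsed-ca", date(2023, 12, 1), self_signed=False),               # already expired
    ]
    return run_monitor(certs, today, settings)


if __name__ == "__main__":
    for alias, actions in demo().items():
        print(f"{alias:16s} -> {', '.join(actions)}")
    print("next run (every 7 days):", next_run_by_days(date(2024, 1, 1), 7))
    print("next run (Sundays, weekly):", next_run_by_calendar(date(2024, 1, 1), 6, 1))
```

The two notification-only outcomes are the ones worth checking in a real deployment: a CA-signed chain and a certificate in a writable SAF keyring both fall inside the threshold without being replaced, so the notification is the only signal that someone must obtain a new chain or renew the keyring entry by hand.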
Results
After you complete the settings, a certificate expiration monitor object and a schedule are
set up in the configuration. After you restart WebSphere Application Server, the certificate
expiration monitor runs according to the options that you configured.
What to do next
You can generate reports that state which certificates have
expired. The reports identify the notifications of certificate replacements
and deletions. The report is sent according to the notification option
that you specified.