Managing certificates
The installation program creates a certificate for you. You can change the certificate, for example to have it signed by a certificate authority or to replace it when it expires. After you change a certificate, run the UpdateSignerCerts.sh command to permanently accept the certificate so that other command-line tools do not prompt you to accept it.
About this task
- About the IBM® WebSphere® Application Server Liberty Profile SSL configuration
The SSL key that is used by the application server is stored in the IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12 file.
The keystore configuration is defined in the IS_install_path/wlp/usr/servers/iis/server.xml file:
<keyStore id="iis-server-keystore" location="${server.config.dir}/resources/security/iis-server-keystore.p12" password="${iis.keystore.password}" type="${iis.keystore.type}"/>
For more details about WebSphere Application Server Liberty Profile SSL configurations, see Securing communications with the Liberty profile.
During installation, the SSL key and self-signed certificate are generated as follows:
IS_install_path/jdk/bin/keytool -genkeypair -alias iisSSL -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -dname subject_name -validity validity_days -storetype PKCS12 -keypass key_password -storepass key_password -keystore IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12
Where the following values are replaced by the ones that are provided during the installation interview or from the response file:
- subject_name
- The key subject and issuer distinguished name. They are both identical since the certificate is self-signed. The default value is as follows; however, you can change the information to be more specific for your organization during installation:
CN=current_host_name,OU=Software Group,O=IBM,C=US
- validity_days
- The number of days that the key is valid. The default value is 365.
- key_password
- The keystore password and key password. A different keystore password and key password is not currently supported; both must be identical. The default value is iiskeypass, which you can change during installation.
- About the IBM WebSphere Application Server SSL configuration
After installation, you can change the SSL server key:
- You can generate a new key and self-signed certificate, such as when your current certificate expires.
- You can have an existing certificate signed with a trusted certificate authority (CA).
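Because the generated certificate is valid for 365 days by default, a scheduled expiry check shows when a new one is due. The following is an added example, not part of the IBM documentation: it reads keytool -list -v output for the iisSSL alias, and the function names and the IS_INSTALL_PATH and IIS_KEYSTORE_PASSWORD variables are hypothetical. It assumes English keytool output.

```shell
#!/bin/sh
# Added example (not IBM code): days left on the iisSSL certificate.
# Assumes English keytool output: "Valid from: ... until: Thu Mar 06 10:15:00 UTC 2025".

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Gregorian calendar)
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi      # count the year from March
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# cert_days_left NOW_EPOCH   (reads `keytool -list -v` output on stdin)
# Prints whole days until the first "until:" date; negative once expired.
# Works on calendar dates only, so the time of day and time zone are ignored.
cert_days_left() {
    today=$(($1 / 86400))
    expiry=$(sed -n 's/.* until: //p' | head -n 1)
    set -- $expiry                                # Thu Mar 06 10:15:00 UTC 2025
    [ "$#" -eq 6 ] || { echo "no usable 'until:' date found" >&2; return 2; }
    months=JanFebMarAprMayJunJulAugSepOctNovDec
    before=${months%%"$2"*}                       # text preceding the month name
    mon=$(( ${#before} / 3 + 1 ))
    [ "$mon" -le 12 ] || { echo "unrecognised month: $2" >&2; return 2; }
    # ${3#0} strips a leading zero so that 08 and 09 are not read as octal
    echo $(( $(days_from_civil "$6" "$mon" "${3#0}") - today ))
}

# check_iis_keystore INSTALL_PATH STOREPASS [WARN_DAYS]
# Returns 0 while more than WARN_DAYS remain, 1 when renewal is due, 2 on error.
check_iis_keystore() {
    left=$("$1/jdk/bin/keytool" -list -v -alias iisSSL -storetype PKCS12 \
        -keystore "$1/wlp/usr/servers/iis/resources/security/iis-server-keystore.p12" \
        -storepass "$2" | cert_days_left "$(date +%s)") || return 2
    echo "iisSSL certificate: $left day(s) left"
    [ "$left" -gt "${3:-30}" ]
}

# Runs only when the hypothetical IS_INSTALL_PATH variable is set (for example from cron).
if [ -n "${IS_INSTALL_PATH:-}" ]; then
    check_iis_keystore "$IS_INSTALL_PATH" "${IIS_KEYSTORE_PASSWORD:?}" 30
fi
```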