Generating a new key and self-signed certificate for WebSphere Application Server Liberty Profile

Complete this task when a certificate expires or if you want to update information in the certificate.

Procedure

  1. Determine the information that you want to use for the certificate.
    If you are updating a certificate and want to use the same information as the existing certificate, but have forgotten what this information is, you can view the existing certificate.
    Microsoft Internet Explorer
    1. Open the IBM® InfoSphere® Information Server Web console in the browser and log in.
      https://<hostname>:9443/iis/console
    2. Click the lock icon next to the secure URL and click View certificates in the pop-up window.
    3. On the Details tab, select Subject and capture the information in the Field Value area. This is the information that is used to construct the distinguished name.
    Mozilla Firefox
    1. Open the IBM InfoSphere Information Server Web console in the browser and log in.
      https://<hostname>:9443/iis/console
    2. Click the lock icon next to the secure URL and click More information in the pop-up window.
    3. Click View Certificate.
    4. On the Details tab, select Subject and capture the information in the Field Value area. This is the information that is used to construct the distinguished name.
  2. Stop the application server:
    Operating system    Script
    AIX®, Solaris       MetadataServer.sh stop
    Linux®              MetadataServer.sh stop
    Windows             MetadataServer.bat stop
  3. Create a new keystore file with a newly generated key and self-signed certificate.
    cd IS_install_path/wlp/usr/servers/iis/resources/security
    IS_install_path/jdk/bin/keytool -genkeypair 
      -dname distinguished_name -keystore ./iis-server-keystore.p12
      -keypass key_password -storepass key_password -validity validity_days
      -alias iisSSL -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -storetype PKCS12

    where:

    distinguished_name
    Defines the organizational information for the certificate. Refer to the information you collected in the first step, if you want to use the same information as before. Example:

    CN=host.example.com,OU=MyOrganization,O=MyCompany,C=US

    If you do not provide the -dname parameter and value, you will be prompted for the information.

    Important: Set the Common Name (CN) field to the InfoSphere Information Server host name that remote clients use to access the server. As part of the SSL handshake, clients verify that the host name used to access the server matches the certificate CN value (or one of the values, if there are multiple values).
    key_password
    Password for the keystore. The password can contain only printable characters from the US-ASCII character set. In IBM WebSphere® Application Server Liberty Profile, both the key password and the store password must be set to the same value.
    validity_days
    The number of days that the certificate is valid before it expires. When it expires, you must generate another certificate.

    Depending on your environment and browser, not all key algorithms (set by -keyalg and -keysize) might be supported.

    For more information on the keytool utility, see Keytool.

  4. If you use different values than in the original certificate for the key password (-storepass and -keypass), keystore type (-storetype), or key alias (-alias), then you must update the iis.keystore.type, iis.keystore.password, and iis.ssl.serverKeyAlias properties in the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file to match the new values:
    For example:

      iis.keystore.type=PKCS12
      iis.keystore.password={aes}AG0caBXHAvGL+YXDfsSJ2CA4y2vWPm7FNZgPp7377Ry9
      iis.ssl.serverKeyAlias=iisSSL

    The password value must be specified as an encrypted string. To create this value, enter the following command:

    IS_install_path/wlp/bin/securityUtility encode --encoding=aes

    You are prompted for the password. Copy the output value and paste it into the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file.

    For more information on the securityUtility command, see securityUtility.

    If you change the location of the keystore file (not recommended), do ... such and such... to the server.xml...

  5. If you change the iis.keystore.password value, you must update the trust store password.
    By default, the iis.keystore.password property in the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file is also used as the password of the Liberty profile trust store, which is used for outbound SSL requests from the application server. This trust store is defined as follows in the IS_install_path/wlp/usr/servers/iis/server.xml file:
    <keyStore id="iis-server-truststore"
      location="${server.config.dir}/resources/security/iis-server-truststore.jks"
      password="${iis.keystore.password}" type="${iis.truststore.type}"/>

    To update the trust store password, run the following command:

    IS_install_path/jdk/bin/keytool -storepasswd -storepass old_password -new new_password
      -keystore IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-truststore.jks
  6. Start the application server:
    Operating system    Script
    AIX, Solaris        MetadataServer.sh run
    Linux               MetadataServer.sh run
    Windows             MetadataServer.bat run
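The following POSIX shell script is an added example, not part of this IBM documentation, that checks the parameters of the step 3 keytool command against the rules stated above (the CN must equal the server host name, the key and store passwords must be identical and printable US-ASCII) before running the documented command. It assumes the environment variables IS_INSTALL_PATH (the IS_install_path directory) and VALIDITY_DAYS, both of which are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the keytool -genkeypair command in step 3, then the
# command itself. IS_INSTALL_PATH and VALIDITY_DAYS are assumed variables.

# Extract the CN attribute from a comma-separated distinguished name.
cn_from_dname() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*[Cc][Nn]=//p' | head -n 1
}

# Succeed only if the string is non-empty and contains printable US-ASCII only.
is_printable_ascii() {
  [ -n "$1" ] && ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Validate dname, host name and passwords; print "ok" or the first problem.
check_params() {
  dname=$1; host=$2; keypass=$3; storepass=$4
  cn=$(cn_from_dname "$dname")
  [ -n "$cn" ] || { echo "dname has no CN attribute"; return 1; }
  [ "$cn" = "$host" ] || { echo "CN '$cn' does not match host name '$host'"; return 1; }
  [ "$keypass" = "$storepass" ] || { echo "key and store passwords must be identical"; return 1; }
  is_printable_ascii "$keypass" || { echo "password must be printable US-ASCII"; return 1; }
  echo ok
}

# Run the documented keytool command once the parameters pass the checks.
# Usage: generate_keystore "<dname>" <hostname> <password>
generate_keystore() {
  check_params "$1" "$2" "$3" "$3" >/dev/null || return 1
  sec="${IS_INSTALL_PATH}/wlp/usr/servers/iis/resources/security"
  cd "$sec" || return 1
  "${IS_INSTALL_PATH}/jdk/bin/keytool" -genkeypair \
    -dname "$1" -keystore ./iis-server-keystore.p12 \
    -keypass "$3" -storepass "$3" -validity "${VALIDITY_DAYS:-365}" \
    -alias iisSSL -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -storetype PKCS12
}
```

After generating the keystore, the password still has to be encoded with securityUtility and placed in bootstrap.properties as described in step 4.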