To replace default Secure Socket Layer (SSL) certificates
in an entire cell, you must create a new self-signed root certificate
in the root keystore, DmgrDefaultRootStore, and replace the old root
certificate with the new one.
About this task
For the default certificate of the cell in CellDefaultKeyStore
and the default certificate of each node in NodeDefaultKeyStore, create
a new chained certificate and replace the old default certificate
with the new certificate.
The root certificate is created by default on WebSphere® Application
Server, and has a subjectDN in the form
cn=<hostname>, ou=Root Certificate, ou=<cell name>, ou=<node name>, o=ibm, c=us.
When you create a new root certificate you can also customize the
subject DN.
To create a new SSL root certificate in the administrative
console:
Procedure
- Create the new SSL root certificate. Click Security
> SSL certificate and key management > Key stores and certificates.
- Under the Keystore usages pull-down, select Root certificate
keystore.
- Click the DmgrDefaultRootStore in
the keystore usages list.
- Under Additional Properties, select Personal certificates.
- Under the Create pull-down, select Self-signed Certificate.
- Enter a certificate alias name. This can be any name you choose as
long as the alias does not already exist; it is just a label that
identifies the certificate in the keystore.
- In the Common name field, enter the fully qualified domain
name of the computer where the WebSphere Application Server is installed.
This is typically the hostname the node is running on.
- Optional: Fill in any of the other Subject DN related fields.
If you want the subject DN to look like the default subjectDN on
WebSphere Application Server, then enter:
  - IBM in the Organization field.
  - <cell name>,ou=<node name> in the Organization unit field.
  - Under the Country or region pull-down, select US.
- You can use the defaults for Root certificate used to sign
the certificate, Key Size, and Validity Period or supply your own
values.
- Click Apply > Save.
Note: You can
also create a self-signed certificate using the createSelfSignedCertificate
command. Read PersonalCertificateCommands command group for the AdminTask
object for more information.
You must now replace the old root certificate with the one you just
created. The replace certificate option not only replaces the old
default certificate with the new one, but also replaces every
occurrence of the old certificate's signer with the signer of the new
certificate. The configuration is also checked for references to the
alias name of the old certificate, and those references are updated to
the alias name of the new certificate. To replace the old certificate
with the new one, complete the remaining steps.
- Replace the old root certificate with the one you just created. In the Personal
certificates page, select the check box for the older root certificate.
- Click Replace.
- From the Replace with list, choose the alias of the certificate
you created.
- Select Delete old certificate after replacement.
Important: Be sure that the Delete old signer check
box is not selected.
- Click Apply > Save.
- Create a chained personal certificate in the default cell
keystore, CellDefaultKeyStore. In the Key stores and certificates page,
select the CellDefaultKeyStore of the node you want to change.
- Under Additional Properties, select Personal certificates.
- Select the default certificate of the node, usually called default.
- Click Create > Chained certificate.
- In the Alias field, enter a new personal certificate alias.
- In the Root certificate used to sign the certificate pull-down
list, select the alias root.
- In the Common name field, enter the fully qualified domain
name of the computer where the WebSphere Application Server is installed.
- Click Apply > Save.
- Replace the personal certificate in the default cell keystore,
CellDefaultKeyStore. In the Personal certificates page, select the
check box for the default certificate.
- Click Replace.
- Select the certificate alias name for the new certificate
you just created from the Replace with pull-down.
- Select Delete old certificate after replacement.
Important: Be sure that the Delete old signer check
box is not selected.
- Click Apply > Save.
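The same four-stage procedure as a wsadmin Jython script, using the createSelfSignedCertificate, replaceCertificate and createChainedCertificate commands of the PersonalCertificateCommands group that the note above points to; this is an added example, not a script from the IBM documentation. The host name, cell, node and alias values are constructed placeholders, and the parameter names should be confirmed with AdminTask.help('createSelfSignedCertificate') on your release before use.

```jython
# Added example: scripted equivalent of the console steps above.
# Run as:  wsadmin -lang jython -f replace_cell_certs.py
# All values below are constructed placeholders; adjust for your cell.
HOSTNAME     = 'dmgr.example.com'    # FQDN of the deployment manager host
CELL_NAME    = 'myCell01'            # cell name used in the default subject DN
NODE_NAME    = 'myCellManager01'     # node name used in the default subject DN
OLD_ROOT     = 'root'                # default root alias in DmgrDefaultRootStore
NEW_ROOT     = 'root2'               # alias for the new self-signed root
OLD_CELLCERT = 'default'             # default alias in CellDefaultKeyStore
NEW_CELLCERT = 'default2'            # alias for the new chained cell certificate

# Step 1: new self-signed root in DmgrDefaultRootStore. The OU value carries
# the same ",ou=" trick the console procedure uses so the DN matches the
# default shape cn=<host>, ou=Root Certificate, ou=<cell>, ou=<node>, o=IBM, c=US.
# Omit -certificateSize / -certificateValidDays to take the console defaults.
AdminTask.createSelfSignedCertificate(
    '[-keyStoreName DmgrDefaultRootStore -certificateAlias %s '
    '-certificateCommonName %s '
    '-certificateOrganizationalUnit "Root Certificate,ou=%s,ou=%s" '
    '-certificateOrganization IBM -certificateCountry US '
    '-certificateSize 2048 -certificateValidDays 5475]'
    % (NEW_ROOT, HOSTNAME, CELL_NAME, NODE_NAME))

# Step 2: replace the old root. deleteOldSigners stays false, matching the
# "Delete old signer must not be selected" warning in the console steps.
AdminTask.replaceCertificate(
    '[-keyStoreName DmgrDefaultRootStore -certificateAlias %s '
    '-replacementCertificateAlias %s -deleteOldCert true -deleteOldSigners false]'
    % (OLD_ROOT, NEW_ROOT))

# Step 3: chained personal certificate in CellDefaultKeyStore, signed by the
# new root (the "Root certificate used to sign the certificate" pull-down).
AdminTask.createChainedCertificate(
    '[-keyStoreName CellDefaultKeyStore -certificateAlias %s '
    '-rootCertificateAlias %s -certificateCommonName %s '
    '-certificateSize 2048 -certificateValidDays 365]'
    % (NEW_CELLCERT, NEW_ROOT, HOSTNAME))

# Step 4: replace the old cell default certificate, again keeping old signers.
AdminTask.replaceCertificate(
    '[-keyStoreName CellDefaultKeyStore -certificateAlias %s '
    '-replacementCertificateAlias %s -deleteOldCert true -deleteOldSigners false]'
    % (OLD_CELLCERT, NEW_CELLCERT))

AdminConfig.save()   # equivalent of Apply > Save in the console

# Verification: list what is now in both keystores so the result can be checked.
print(AdminTask.listPersonalCertificates('[-keyStoreName DmgrDefaultRootStore]'))
print(AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore]'))
```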
What to do next
You can also replace default certificates in a node. Read
Creating a new SSL certificate to replace an existing one in a node
for more information.