An external certificate authority (CA) certificate can
be used as the server default personal certificate. The CA certificate
can be created using a CA client.
Before you begin
Before you perform this task, you need the following:
- A certificate authority (CA) to make the certificate request
to.
- A module that implements the com.ibm.wsspi.ssl.WSPKIClient interface.
This module is needed to connect to the CA server and request a certificate.
You use the administrative console to view or modify a CA
client.
Procedure
- Click Security > SSL certificate and key management.
- Under Related Items, click Certificate Authority (CA)
client configurations. A panel displaying the existing CA clients
appears.
- Click the New button.
- Enter the CA client information as required:
  - Name of the CA client.
  - The management scope (selected from the drop-down list).
  - Implementation class.
  - CA server host name.
  - User name.
  - Password.
  - Confirmation of the password.
  - Number of times to poll.
  - Polling interval (in minutes) when requesting certificates.
  - Custom properties.
- Click Apply then Save.
- Navigate to the server default key store personal certificates:
click Security > SSL configuration and certificate management >
Key stores and certificates > <server_default_keystore>.
Under Additional properties, click Personal certificates.
- Click the Create button and select CA-signed
certificate.
- Fill in the following information to the CA certificate
section.
- Click Apply then Save.
- Navigate to the server default key store personal certificates:
click Security > SSL configuration and certificate management >
Key stores and certificates > <server_default_keystore>.
Under Additional properties, click Personal certificates.
- Select the server default personal certificate and click
the Replace button.
- Select the CA certificate alias from the list of aliases.
- Click Apply then Save.
Results
The CA certificate alias replaces the alias of the default
certificate in places where it is referenced in the configuration.
All signer certificates from the default certificate are replaced
with the signer certificate from the CA certificate.