Adding the correct SSL Signer certificates to the plug-in keystore

Personal certificates contain a private key and a public key. You can extract the public portion, called the signer certificate, to a file, then import that certificate into another keystore. During a Secure Sockets Layer (SSL) connection, the server sends its personal certificate to the client. The client must have the matching signer certificate in its keystore to trust it.

Before you begin

The keystore that contains a personal certificate must exist.

About this task

You must complete this procedure for each WebSphere Application Server node. If multiple WebSphere Application Server nodes use the exact same personal certificate, you need to add the corresponding signer certificate to the plug-in keystore only once.

Procedure

  1. Click Security > SSL certificate and key management > Manage endpoint security configurations.
  2. Click NodeDefaultSSLSettings.
  3. Select Keystores and certificates.
  4. Click NodeDefaultKeyStore.
  5. Click Personal certificates.
  6. You see a chained certificate. The personal certificate is the first one in the chain and the signer certificate is the second. Note the CN of the signer certificate, and also note its serial number.
    Note: This certificate is the exact signer certificate that you must use. Matching on the CN alone is not sufficient, because a different certificate can carry the same CN; the serial number identifies the exact certificate.
  7. Click to return to the Keystores and certificates page.
  8. Click NodeDefaultTrustStore.
  9. Click Signer certificates.
  10. Find the signer certificate whose CN and serial number match those that you noted in step 6 and select the check box next to it. Click Extract.
  11. Enter a temporary path and file name, such as tmp/nodeRootSigner.arm. Click OK.
  12. Click to return to the Manage endpoint security configurations page.
  13. Find the node that contains the web server definition. You must look inside the node and look inside the servers folder to find the web server. Click the web server name.
  14. Click Keystores and certificates.
  15. Click CMSKeyStore.
    Note: CMSKeyStore is a link to the plugin-key.kdb file.
  16. Click Signer certificates and then click Add.
  17. Enter an Alias and the path and file name from step 11. Click OK.
  18. Click Save to save the changes.
  19. Repeat steps 12-18 for each WebSphere Application Server node.
    Note: If multiple WebSphere Application Server nodes use the same personal certificate, you need to add the corresponding signer certificate to the plug-in keystore only once.
  20. Click Servers > Server Types > Web servers.
  21. Click the web server name in the list.
  22. Click Plug-in properties.
  23. Click Copy to Web server key store directory.
  24. Stop and restart the web server, then test that the plug-in can connect to the application server over SSL.
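The check that steps 6 and 10 ask you to do by eye (pick the signer whose CN and serial number match the second certificate in the chain) can be verified programmatically once the certificates are exported. The following Go program is an added example, not code from the WebSphere documentation or from IBM: it uses only the Go standard library, constructs its own certificates in memory instead of reading a CMS keystore (the real plugin-key.kdb is managed through the console or IBM's GSKit tooling), and uses hypothetical names such as node1Root and node1.example.test. It shows why the serial number matters: a look-alike signer with the same CN but a different key is picked if you match on CN alone, and a loopback TLS handshake in which the client trusts only that look-alike fails, exactly as the plug-in would fail against the application server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certPair is a constructed certificate with its private key; it stands in for a
// keystore entry (hypothetical; not how WebSphere stores CMS keystore entries).
type certPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn with the given serial. A nil parent means
// self-signed (a node root signer); otherwise parent signs it (a personal certificate).
func issue(cn string, serial int64, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // loopback SAN for the handshake
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{Cert: cert, Key: key}, nil
}

// firstByCN mimics matching on the CN alone: the first candidate whose subject CN
// equals the personal certificate's issuer CN wins, right or wrong.
func firstByCN(personal *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if c.Subject.CommonName == personal.Issuer.CommonName {
			return c
		}
	}
	return nil
}

// findSigner returns the candidate that actually issued personal: the CN must match
// and the personal certificate's signature must verify under the candidate's key.
func findSigner(personal *x509.Certificate, candidates []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range candidates {
		if c.Subject.CommonName != personal.Issuer.CommonName {
			continue
		}
		if err := personal.CheckSignatureFrom(c); err == nil {
			return c, nil
		}
	}
	return nil, errors.New("no candidate signer verifies the personal certificate")
}

// handshake runs a loopback TLS connection: the server presents personal, and the
// client trusts only trusted, as the plug-in trusts only the signers in its keystore.
func handshake(personal *certPair, trusted *x509.Certificate) error {
	srv := &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{personal.Cert.Raw}, PrivateKey: personal.Key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // outcome is observed on the client side
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err != nil {
		return err
	}
	return conn.Close()
}

// outcome records which serial each selection method picked and how the
// handshake fares with each signer.
type outcome struct {
	SerialByCN, SerialBySignature int64
	RightSignerErr, LookalikeErr  error
}

// run builds the constructed scenario: a node root signer, a look-alike signer with
// the same CN but a different key and serial, and a personal certificate issued by
// the real signer. The look-alike is listed first, as a truststore might.
func run() (outcome, error) {
	root, err := issue("node1Root", 1001, true, nil)
	if err != nil {
		return outcome{}, err
	}
	lookalike, err := issue("node1Root", 2002, true, nil)
	if err != nil {
		return outcome{}, err
	}
	personal, err := issue("node1.example.test", 7, false, root)
	if err != nil {
		return outcome{}, err
	}
	candidates := []*x509.Certificate{lookalike.Cert, root.Cert}
	var o outcome
	o.SerialByCN = firstByCN(personal.Cert, candidates).SerialNumber.Int64()
	real, err := findSigner(personal.Cert, candidates)
	if err != nil {
		return outcome{}, err
	}
	o.SerialBySignature = real.SerialNumber.Int64()
	o.RightSignerErr = handshake(personal, real)
	o.LookalikeErr = handshake(personal, lookalike.Cert)
	return o, nil
}

func main() {
	o, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("by CN only: serial %d; by CN and signature: serial %d\n", o.SerialByCN, o.SerialBySignature)
	fmt.Printf("handshake trusting the right signer: %v\nhandshake trusting the look-alike: %v\n",
		o.RightSignerErr, o.LookalikeErr)
}
```

The signature check in findSigner is the definitive form of the serial-number comparison in step 10: the console shows you the serial number because it pins down one exact certificate, and CheckSignatureFrom proves that this exact certificate is the one that issued the personal certificate. If you have the certificates as PEM files rather than in memory, x509.ParseCertificate on the decoded PEM block gives the same *x509.Certificate values.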

Results

The signer portion of the personal certificate is stored in the file that you specified in step 11 and is added to the plug-in keystore.

What to do next

The signer certificate can now be imported into other keystores.