IBM Support

How do I replace the default SSL Certificate on a WebSphere Application Server?

Technote (FAQ)


How do I replace the default SSL certificate in a WebSphere node keystore?


There are times when a new SSL certificate is required to be created, and the original certificate replaced in the WebSphere keystore - these steps show the procedure.

This document will show how to create and replace the default certificate for an application server with one that is 2048bits to comply with the new SSL requirements. If you are using a third-party certificate, you can start at step 7 to replace the certificate in the local keystore after following the directions provided by the third-party on getting the certificate imported into the keystore.

These steps apply to both Sametime 8.5.x on WebSphere 7.0.x and Sametime 9.0 on WebSphere 8.5.5.x.



1. Log in to the ISC and access "Security -> SSL Certificate and Key Management," then click the link for "Key Stores and Certificates."

2. In the list - Click the link "NodeDefaultKeyStore" for the certificate you want to update. In this example, we are going to update the Personal Certificate for the STMeetings Node -

3. Click the link for "Personal Certificates."

4. In the menu, select "New" and then "Chained Certificate."

5. Fill out the resulting form - be sure to select 'root' (this will sign the new personal certificate with the default WAS root CA) and 2048. The 'alias' should be unique in the keystore and easily identifiable. In this example, I am creating a 'wildcard' certificate - usually you would use the hostname that the end users would access the server in this step. When Complete, click "OK."

6. 'Save to master configuration'

7. Now, we will replace the original certificate with the new one using the 'replace' function. To do this, place a check in the box next to the certificate you want to replace and click the button labeled "Replace."

8. On the following form, in the dropdown, select the certificate you want to use to replace and place a check in the box next to 'Delete old certificate after replacement' (optional, but suggested) and click "OK." This step takes care of all of the internal mappings for the new certificate.

9. 'Save to master configuration'

10. Restart the node and validate with a browser that the new certificate is in place.

Document information

More support for: IBM Sametime

Software version: 8.5, 8.5.1,, 8.5.2,, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows

Reference #: 1654278

Modified date: 10 December 2013