An external certificate authority (CA) certificate can be used
as the server default personal certificate. The CA certificate can be created
using a CA client.
Before you begin
You need the following before you perform this task:
- A certificate authority (CA) to make the certificate request to.
- A module that implements the com.ibm.wsspi.ssl.WSPKIClient interface.
This module is needed to connect to the CA server and request a certificate.
You use the administrative console to view or modify a CA client.
Procedure
- Click Security > SSL certificate and key management.
- Under Related Items, click Certificate Authority (CA) client
configurations. A panel displaying the existing CA clients appears.
- Click the New button.
- Enter the CA client information as required:
  - Name of the CA client.
  - The management scope (selected from the drop-down list).
  - Implementation class.
  - CA server host name.
  - User name.
  - Password.
  - Confirm password.
  - Number of times to poll.
  - Polling interval (in minutes) when requesting certificates.
  - Custom properties.
- Click Apply then Save.
- Navigate to the personal certificates of the server default key store: click
Security > SSL configuration and certificate management >
Key stores and certificates > <server_default_keystore>. Under Additional
properties, click Personal certificates.
- Click the Create button and select CA-signed certificate.
- Fill in the following information in the CA certificate section.
- Click Apply then Save.
- Navigate to the personal certificates of the server default key store again: click
Security > SSL configuration and certificate management > Key stores
and certificates > <server_default_keystore>. Under Additional properties,
click Personal certificates.
- Select the server default personal certificate and click the Replace button.
- Select the CA certificate alias from the list of aliases.
- Click Apply then Save.
Results
The CA certificate alias replaces the alias of the default certificate
in places where it is referenced in the configuration. All signer certificates
from the default certificate are replaced with the signer certificate from
the CA certificate.