Occasionally, you need to replace an existing personal certificate with a new certificate. This task discusses how to replace the existing personal certificate in the keystore. The replace operation searches all keystores for a signer certificate extracted from the original personal certificate, and places the signer of the new personal certificate in its place. It also updates all of the certificate alias references in the security configuration with the new one.
Before you begin
The current certificate and the certificate replacement must exist in the same keystore before you can replace a certificate.
Alternative Method: To replace a self-signed certificate by using the wsadmin tool, use the replaceCertificate command of the AdminTask object. For more information, see the PersonalCertificateCommands command group for the AdminTask object article.
About this task
Complete the following steps in the administrative console:
Procedure
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore].
- Under Additional Properties, click Personal certificates.
- Select the certificate to be replaced. The alias list must include the certificate to be replaced and the certificate to replace it with.
- Click Replace.
- Select a replacement certificate alias from the list.
- You can delete one of the following types of certificates:
  - Select Delete old certificate to delete the existing or expired certificate.
  - Select Delete old signers to delete the existing signer certificates.
- Click Apply.
Results
Your results depend on what you selected:
- If you selected Delete old certificate, the new certificate alias replaces all of the references to the certificate alias in the configuration.
- If you selected Delete old signers, the new signer certificate replaces all of the occurrences of the old signer certificates.
- If the new certificate alias replaces the existing alias, the WebSphere® Application Server runtime checks to make sure that:
  - All of the SSL Configurations objects reference the certificate.
  - The Dynamic SSL Configuration Selections objects and the SSL Configuration group objects reference the certificate.
- If you selected Delete old signers, the existing signer certificates are replaced.
- If you selected Delete old certificate, the existing certificate is deleted.
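
The wsadmin alternative mentioned above, sketched as an added example (not IBM's code): it checks the prerequisite that both aliases are in the same keystore, then builds the replaceCertificate option string with the two delete choices from the procedure. The helper names and the alias-list argument are assumptions of this example; the caller supplies the aliases and passes in the wsadmin AdminTask and AdminConfig objects.

```python
# Added example. Assumes wsadmin -lang jython at Jython 2.7 or later; the
# same code also runs under plain Python so the checks can be tested offline.

def build_replace_args(keystore, keystore_aliases, old_alias, new_alias,
                       delete_old_cert=False, delete_old_signers=False,
                       scope=None):
    """Return the option string for AdminTask.replaceCertificate.

    keystore_aliases: aliases currently in `keystore`, supplied by the
    caller (for example, read from the Personal certificates panel).
    """
    if old_alias == new_alias:
        raise ValueError("replacement alias must differ from the current alias")
    # Prerequisite: both certificates must already be in the same keystore.
    missing = [a for a in (old_alias, new_alias) if a not in keystore_aliases]
    if missing:
        raise ValueError("not in keystore %s: %s" % (keystore, ", ".join(missing)))
    opts = ["-keyStoreName", keystore]
    if scope:
        opts += ["-keyStoreScope", scope]
    opts += ["-certificateAlias", old_alias,
             "-replacementCertificateAlias", new_alias,
             # The two check boxes from the Replace panel.
             "-deleteOldCert", str(bool(delete_old_cert)).lower(),
             "-deleteOldSigners", str(bool(delete_old_signers)).lower()]
    return "[" + " ".join(opts) + "]"


def replace_certificate(admin_task, admin_config, *args, **kwargs):
    """Validate, run replaceCertificate, then save the configuration."""
    option_string = build_replace_args(*args, **kwargs)
    admin_task.replaceCertificate(option_string)
    admin_config.save()
    return option_string

# Inside wsadmin, with your own keystore name and aliases:
#   replace_certificate(AdminTask, AdminConfig, "<keystore>",
#                       ["<old alias>", "<new alias>"],
#                       "<old alias>", "<new alias>", delete_old_cert=True)
```

Keeping the delete options off on the first run leaves the old certificate and signers in the keystore until the new alias is confirmed in use.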