Signer certificates are added to a keystore on the client
side of an SSL communication to establish trust with the server. It
is common practice for keystores to have trust established when they
are created. The DmgrDefaultSignersStore on a deployment manager
and the NodeDefaultSignersStore on a stand-alone application
server are created to hold the signer certificates that are used, by
default, to establish trust in newly created keystores.
Before you begin
The default signers keystore is created during profile creation
and contains the signer certificate of the server default root certificate.
Additional signer certificates can be added to the default signers
keystore at any time. Any time a keystore is created, either in the
administrative console or with the createKeyStore command of the
AdminTask object in scripting, all signer certificates from the default
signers keystore are added to the newly created keystore.
Alternative Method:
- To add a signer certificate to a default signer keystore by using
the wsadmin tool, use the addSignerCertificate command of the
AdminTask object.
- To create a new keystore by using the wsadmin tool, use the createKeyStore command
of the AdminTask object.
- To extract the signer from a personal certificate using the wsadmin
tool, use the extractCertificate command of the AdminTask object.
- To exchange a signer certificate using the wsadmin tool, use the KeyStoreCommands command
group for the AdminTask object.
For more information, see the SignerCertificateCommands command
group for the AdminTask object article and the KeyStoreCommands command
group for the AdminTask object article.
Procedure
- If the certificate is in a certificate file, it can be
added to the default signer keystore using the administrative console.
- Click Security > SSL certificate and key management.
- Under Related Items, click Key stores and certificates.
- Select Default signers keystore under KeyStore
Usages. A panel displaying a list of keystores appears.
- Click on DmgrDefaultSignersStore.
- Under Additional Properties, click Signer certificates.
- Click Add.
- Enter an alias in the alias box, a path to the certificate
file in the filename box, and an asterisk (*). Select the format of
the certificate file from the pull-down list in the “Data type” box.
- Click Apply then Save.
Note: You can also perform this addition using the AdminTask addSignerCertificate command.
- If the signer certificate form of a personal certificate
needs to be added to default signers keystore, you can extract the
signer from the personal certificate to a certificate file or the
signer can be extracted directly to the default signers keystore.
To extract a signer certificate from a personal certificate to a
certificate file,
- Click Security > SSL certificate and key management.
- Under Related Items, click Key stores and certificates.
- Select All under Keystore Usages. A panel
displaying a list of keystores appears.
- Click on the keystore name.
- Under Additional Properties, click Personal certificates.
- Select a personal certificate.
- Click Extract.
- Enter the path to the certificate file in the “Certificate
file name” box and select a format type from the pull-down list in
the “Data type” box.
- Click Apply then Save.
- The signer can be added to the default signers keystore
by following step 1.
Note: You can also extract the signer from a personal certificate
using scripting and the AdminTask extractCertificate command.
- To extract a signer certificate to the default signers
keystore, an exchange of the signer certificate can be performed from
the administrative console.
- Click Security > SSL certificate and key management.
- Under Related Items, click Key stores and certificates.
- Select All under Keystore Usages. A panel
displaying a list of keystores appears.
- Click on the default signers keystore and the keystore
that contains the personal certificate whose signer certificate is
needed.
- Click Exchange Signers.
- Select the personal certificate whose signer is needed.
- Click Add.
- Click Apply then Save.
Note: You can also perform the exchange using the AdminTask exchangeSigner command.
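The scripted form of steps 1 and 2, followed by a check that a newly created keystore really inherits the signer, as an added wsadmin Jython example (not code from the original page or from the product documentation). The cell name, aliases, file paths and password are constructed placeholders; the commands are the AdminTask commands the page names (addSignerCertificate, extractCertificate, createKeyStore), plus getSignerCertificate as the presence check.

```jython
# wsadmin Jython script; run with: wsadmin -lang jython -f default_signers.py
# All names, paths and passwords below are constructed placeholders.
SCOPE        = '(cell):myCell'            # assumed cell scope of the deployment manager
SIGNERS_KS   = 'DmgrDefaultSignersStore'  # default signers keystore named on the page
SIGNER_ALIAS = 'partnerRootCA'            # assumed alias for the signer being trusted
SIGNER_FILE  = '/tmp/partnerRootCA.arm'   # assumed Base64 (.arm) certificate file

def has_signer(keyStoreName, alias, scope=SCOPE):
    """Return 1 if the keystore already holds a signer under this alias, else 0.
    getSignerCertificate raises a ScriptingException for an unknown alias."""
    try:
        AdminTask.getSignerCertificate('[-keyStoreName %s -keyStoreScope %s -certificateAlias %s]'
                                       % (keyStoreName, scope, alias))
        return 1
    except:
        return 0

def add_default_signer(alias, certFile):
    """Step 1: add a signer from a certificate file to the default signers keystore."""
    if has_signer(SIGNERS_KS, alias):
        print 'alias %s already present in %s, nothing added' % (alias, SIGNERS_KS)
        return
    # Review the file's issuer and fingerprint out of band before this call: every
    # keystore created afterwards inherits this trust relationship.
    AdminTask.addSignerCertificate('[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
                                   '-certificateFilePath %s -base64Encoded true]'
                                   % (SIGNERS_KS, SCOPE, alias, certFile))

def extract_signer_to_file(keyStoreName, personalAlias, outFile, scope=SCOPE):
    """Step 2: write the signer part of a personal certificate to a Base64 file,
    ready to be added with add_default_signer()."""
    AdminTask.extractCertificate('[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
                                 '-certificateFilePath %s -base64Encoded true]'
                                 % (keyStoreName, scope, personalAlias, outFile))

def create_keystore_and_verify(name, location, password, expectAlias):
    """Create a file-based PKCS12 keystore and confirm it inherited the default signer."""
    AdminTask.createKeyStore('[-keyStoreName %s -scopeName %s -keyStoreLocation %s '
                             '-keyStorePassword %s -keyStorePasswordVerify %s -keyStoreType PKCS12 '
                             '-keyStoreIsFileBased true -keyStoreReadOnly false -keyStoreInitAtStartup false]'
                             % (name, SCOPE, location, password, password))
    return has_signer(name, expectAlias)

add_default_signer(SIGNER_ALIAS, SIGNER_FILE)
# Commit the workspace only if the inheritance described on the page is observed.
if create_keystore_and_verify('partnerTrustStore', '/tmp/partnerTrustStore.p12', 'changeit', SIGNER_ALIAS):
    AdminConfig.save()
else:
    print 'new keystore did not inherit %s; changes not saved' % SIGNER_ALIAS
```

Because AdminConfig.save() is called only after the check, a failed verification leaves the configuration repository untouched rather than half-applied.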
Note: A DataPower certificate can
be removed from the default signers keystore if it is present. If
you are not using the DataPower appliance manager you should remove
the DataPower certificate from the default trust store to avoid unintentional
trust relationships. However, if you start to use DataPower appliance
manager at a later date you must add the DataPower certificate back
to the default trust store.
Results
When these steps are completed, the signer from the certificate
file is stored in the default signers keystore. You can see the signer
in the keystore's list of signer certificates.
What to do next
The new keystore will contain the default signers that were
added to the default signers keystore.