Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure communications > Create an SSL configuration

Use a CA client to create a personal certificate to be used as the default personal certificate

An external certificate authority (CA) certificate can be used as the server default personal certificate. The CA certificate can be created using a CA client. What have before you perform this task is as follows:

• A certificate authority (CA) to make the certificate request to.
• A module that implements the com.ibm.wsspi.ssl.WSPKIClient interface. This module is needed to connect to the CA server and request a certificate.

You use the admin console to view or modify a CA client.

Procedure

1. Click Security > SSL certificate and key management.

2. Under Related Items, click Certificate Authority (CA) client configurations. A panel displaying the existing CA clients appears.

3. Click the New button.

4. Enter the CA client information as required.
   • Name of the CA client.
   • The management scope (selected from the drop-down list.
   • Implementation class.
   • CA server host name.

   • User name.
   • Password.
   • Confirm of password.
   • Number of times to poll.
   • Polling interval (in minutes) when requesting certificates.
   • Custom properties.

5. Click Apply then Save.
6. Navigate to the Server default key store personal certificate. Security > SSL configuration and certificate management > Key stores and certificates > <server_default_keystore> . Under Additional properties, click Personal certificates

7. Click the Create button and select CA-signed certificate
8. Fill in the following information to the CA certificate section.
   • Revocation password
   • Confirm password.

   • Select the CA client that applies to this CA certificate.

     We can create a new CA client to apply to this CA authority by clicking the New button.

   • Fill in the following information to the Request Specification section:

     • Select the radio button for Predefined request alias if we have a predefined alias.

     • If you do not have a predefined alias, fill in the following fields:
       • Type an alias name in the Alias field. The alias identifies the certificate request in the keystore.
       • Type a common name (CN) value. This value is the CN value in the certificate distinguished name (DN).
       • Optional: Type an organization value. This value is the O value in the certificate DN.
       • Optional: Select a key size value. The valid key size values are 512, 1024, 2048, 4096, and 8192. The default key size value is 2048 bits.
       • Locality
       • Optional: Type the State or Province value. This value is the ST value in the certificate DN.
       • Optional: Type a zip code value. The zip code value is the POSTALCODE value in the certificate DN.
       • Optional: Type a country or region value from the list. This country value is the C= value in the certificate request DN.
       • Validity period

9. Click Apply then Save.
10. Navigate to the Server Default Key store's personal certificates Security > SSL configuration and certificate management > Key stores and certificates > <server_default_keystore> . Under Additional properties, click Personal certificates

11. Select the server default personal certificate and click the Replace button.

12. Select the CA certificate alias from the list of aliases.

13. Click Apply then Save.

Results

The CA certificate alias replaces the alias of the default certificate in places where it is referenced in the configuration. All signer certificates from the default certificate are replaced with the signer certificate from the CA certificate.
Create a CA certificate in SSL
Create a CA client in SSL
Create an SSL configuration

+

Search Tips   |   Advanced Search