Create certificate authority (CA) <a href="usec_sslperscerts.html">personal certificates</a> using wsadmin.sh

Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin

Create certificate authority (CA) personal certificates using wsadmin.sh

Use this topic to create CA certificates from a certificate authority (CA). Configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to your third-party CA server. Use the following information to create a CA personal certificate using a CA client.

Procedure
Optional: Query the configuration for keystores to determine where system stores the new CA certificate.
Use the listKeyStores command to list all keystores for a specific management scope. Specify the -scopeName parameter to display keystores within a specific management scope, or set the -all parameter to true to display all keystores regardless of scope. The following example lists all keystores in the configuration:
AdminTask.listKeystores('-all true')
The command returns the following sample output:
CellDefaultKeyStore(cells/myCell|security.xml#KeyStore_1)
CellDefaultTrustStore(cells/myCell|security.xml#KeyStore_2)
CellLTPAKeys(cells/myCell|security.xml#KeyStore_3)
NodeDefaultKeyStore(cells/myCell|security.xml#KeyStore_1598745926544)
NodeDefaultTrustStore(cells/myCell|security.xml#KeyStore_1476529854789)
Use the getKeyStoreInfo command and specify the -keyStoreName parameter to return additional information about the keystore of interest...
AdminTask.getKeyStoreInfo('[-keyStoreName CellDefaultKeyStore]')
The command returns the following configuration information for the keystore of interest:
[ [location ${CONFIG_ROOT}/cells/myCell/key.p12] [password *****] [_Webspher
e_Config_Data_Id cells/myCell|security.xml#KeyStore_1] [_Websphere_Config_Da
ta_Version ] [useForAcceleration false] [slot 0] [type PKCS12] [additionalKeySto
reAttrs ] [fileBased true] [_Websphere_Config_Data_Type KeyStore] [customProvide
rClass ] [hostList ] [createStashFileForCMS false] [description [Default key sto
re for JenbCell01]] [readOnly false] [initializeAtStartup false] [managementScop
e (cells/JenbCell01|security.xml#ManagementScope_1)] [usage SSLKeys] [provider I
BMJCE] [name CellDefaultKeyStore] ]
Optional: Determine which CA client to use.
Use the listCAClients command to list the CA clients that exist in the configuration. Specify the -scopeName parameter to display CA clients within a specific management scope, or set the -all parameter to true to display all CA clients regardless of scope. The following example lists all CA clients in the configuration:
AdminTask.listCAClients('-all true')
Create a CA personal certificate.
Use the requestCACertificate command to create a new CA personal certificate in the environment. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, the requestCAcertificate command stores the certificate in the specified key store and returns a message of COMPLETE.

Required parameters. Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:

Parameter Description Data type
-certificateAlias Alias of the certificate. You can specify a predefined certificate request. String
-keyStoreName Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. String
-caClientName Name of the CA client that was used to create the CA certificate. String
-revocationPassword Password to use to revoke the certificate at a later date. String

Additional parameters. We can also use the following parameters to specify additional certificate request options. If you do not specify an optional parameter, the command uses the default value.

Parameter Description Data type
-keyStoreScope Management scope of the keystore. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
-caClientScope Management scope of the CA client. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
-certificateCommonName Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. String
-certificateSize Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048. String
-certificateOrganization Organization portion of the distinguished name. String
-certificateOrganizationalUnit Organizational unit portion of the distinguished name. String
-certificateLocality Locality portion of the distinguished name. String
-certificateState State portion of the distinguished name. String
-certificateZip Zip code portion of the distinguished name. String
-certificateCountry Country portion of the distinguished name. String

Use the following example command syntax to request a certificate from a certificate authority:
AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore
-CAClientName myCAClient -revocationPassword revokeCApw')
The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request...
AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore')
Save the configuration changes.
Save the configuration changes:
AdminConfig.save()
Results
The default personal certificate for the server is a certificate that is created by an external CA.
Configure certificate authority client objects using wsadmin
Set a certificate authority certificate as the default certificate using wsadmin

Related

CAClientCommands command group
PersonalCertificateCommands command group

+
Search Tips | Advanced Search

Parameter	Description	Data type
-certificateAlias	Alias of the certificate. You can specify a predefined certificate request.	String
-keyStoreName	Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores.	String
-caClientName	Name of the CA client that was used to create the CA certificate.	String
-revocationPassword	Password to use to revoke the certificate at a later date.	String

Parameter	Description	Data type
-keyStoreScope	Management scope of the keystore. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope.	String
-caClientScope	Management scope of the CA client. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope.	String
-certificateCommonName	Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides.	String
-certificateSize	Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048.	String
-certificateOrganization	Organization portion of the distinguished name.	String
-certificateOrganizationalUnit	Organizational unit portion of the distinguished name.	String
-certificateLocality	Locality portion of the distinguished name.	String
-certificateState	State portion of the distinguished name.	String
-certificateZip	Zip code portion of the distinguished name.	String
-certificateCountry	Country portion of the distinguished name.	String