To ensure Secure Sockets Layer (SSL) communication, servers require a personal certificate that is signed by a certificate authority (CA). You must first create a personal certificate request to obtain a certificate that is signed by a CA.
Before you begin
The keystore that will hold the personal certificate request must already exist. In WebSphere® Application Server this keystore is a PKCS #12 (.p12) file; creating it is covered in the previous topic.
About this task
Complete the following tasks in the WebSphere® Integrated Solutions Console.
Expected state: the Deployment Manager and node agents are started. The servers are stopped.
- Click Security -> SSL certificate and key management -> Key stores and certificates.
- Click the keystore that you created in the previous step.
- Click Personal certificate requests, then click New.
- In the File for certificate request field, specify the fully qualified file name to which the certificate request is exported. This file is the part of the request that you give to the certificate authority so that it can generate the real (signed) certificate; the private key stays in the keystore. For example: c:\servercertreq.arm (on a Windows® machine).
- Type an alias name in the Key label field. The alias is the name you give to identify the certificate request in the keystore.
- Type a common name (CN) value in the Common Name field. The common name must be the fully qualified host name of your proxy server node machine, and it must match the domain name of your community, because clients check that the name in the certificate matches the name they connected to. For example, if your Sametime® community is us.acme.com, then the CN of the SSL certificate that you create for your community must be us.acme.com. Note that modern browsers and clients match the host name against the certificate's Subject Alternative Name extension rather than the CN alone; confirm with your CA that the issued certificate also carries the host name there.
- Type an organization name in the Organization field. This value is the organization value in the certificate distinguished name.
- In the Organization unit field, type the organization unit portion of the distinguished name.
- In the Locality field, type the locality portion of the distinguished name.
- In the State or Province field, type the state portion of the distinguished name.
- In the Zip Code field, type the postal (zip) code portion of the distinguished name.
- In the Country or region drop down list, select the two-letter country code portion of the distinguished name.
- Click Apply and Save. The certificate request is written to the file that you specified, and a matching entry (the request plus its private key) is created in the keystore. That entry functions as a temporary placeholder for the signed certificate until you manually receive the CA-signed certificate into the keystore. Note: Keystore tools such as iKeyman and keytool cannot receive signed certificates that were generated from WebSphere Application Server certificate requests. Similarly, WebSphere Application Server cannot receive certificates that were generated from certificate requests created by other keystore utilities. Create the request and receive the certificate with the same tool.
- Synchronize your changes to all nodes in the cluster. Click System Administration -> Nodes, select all nodes in the cluster, then click Full Resynchronize.
- Stop the Sametime Gateway server.
- Make a backup copy of your keystore file. Make this backup before you receive the CA-signed certificate into the keystore, so that you can restore the keystore (and the private key that belongs to the request) if the receive step fails. The default password for the keystore is WebAS; if your keystore still uses that default, change it. The Integrated Solutions Console shows the keystore's location. The path to the CellDefaultKeyStore is listed in the Integrated Solutions Console as:
- Now start the Sametime Gateway server.
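Before sending the request to the CA (and before the keystore backup in the step above), it is worth checking the exported file from the command line. The following script is an added example, not part of the original page or of IBM's tooling. It assumes OpenSSL is installed and that the .arm file exported by WebSphere is a PEM-encoded PKCS #10 request; the host name us.acme.com, the file names, and the sample request that the script generates for offline use are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): sanity-check a WebSphere certificate
# request before it goes to the CA, and back up the keystore before the
# signed certificate is received into it.
# Assumptions: openssl is on PATH; the exported .arm file is PEM (PKCS #10).
set -eu

# Print the CN of a PEM certificate request.
# sep_multiline puts each RDN on its own line, so the CN is easy to pick out.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 when the request's self-signature verifies (it really belongs to
# the private key WebSphere kept in the keystore) and its CN equals the
# community host name that clients will connect to, e.g. us.acme.com.
check_csr() {
    csr=$1
    expected=$2
    # "verify OK" is printed by both OpenSSL 1.x and 3.x on success
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "request self-signature does not verify: $csr" >&2
        return 1
    fi
    actual=$(csr_cn "$csr")
    if [ "$actual" != "$expected" ]; then
        echo "CN mismatch: request has '$actual', community is '$expected'" >&2
        return 1
    fi
    echo "request OK: CN=$actual"
}

# Copy the keystore (path as shown in the ISC) to <file>.<timestamp>.bak,
# verify the copy byte for byte, restrict its permissions (it holds the
# private key), and print the backup path.
backup_keystore() {
    ks=$1
    bak="$ks.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$ks" "$bak"
    cmp -s "$ks" "$bak" || { echo "backup verification failed" >&2; return 1; }
    chmod 600 "$bak"
    echo "$bak"
}

# Constructed sample: build a throwaway request with the same DN fields the
# ISC form asks for, so the checks above can be exercised offline.
make_sample_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sample.key" \
        -out "$dir/servercertreq.arm" \
        -subj "/C=US/ST=Texas/L=Austin/O=Acme/OU=Collaboration/CN=us.acme.com" \
        >/dev/null 2>&1
    echo "$dir/servercertreq.arm"
}

# Usage: sh check_csr.sh demo   (or source the file and call the functions
# on the real servercertreq.arm and keystore path)
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    req=$(make_sample_csr "$work")
    check_csr "$req" us.acme.com
    printf 'placeholder keystore bytes' > "$work/key.p12"
    echo "backup written to $(backup_keystore "$work/key.p12")"
    rm -rf "$work"
fi
```

On the real system, run check_csr against the file named in the File for certificate request field and the community host name; a CN mismatch found here is far cheaper than one found after the CA has issued the certificate. The keystore tools note above still applies: this script only inspects the request, it does not receive the certificate, which must be done from the Integrated Solutions Console.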
What to do next
After you receive the signed certificate back from the certificate authority, you are ready to proceed to the next step.
Parent topic: Setting up SSL on a cluster
Previous topic: Creating a new keystore
Next topic: Importing intermediate CA certificates into the keystore