How to view the private keys and certificates in a keystore in WebSphere


A keystore contains your own private keys and certificates. In other words, these are the keys and certificates that you own, which will be used to encrypt the traffic to your WebSphere admin console and the apps running on WebSphere. A truststore contains public certificates. In other words, this is a store of certificates that you trust, and these almost always should be certificates from a trusted certificate authority (CA).

  1. In the left panel of the WebSphere web console, expand Security and select SSL certificate and key management.
  2. Select SSL configurations.
  3. Select key stores and certificates.
  4. Select a keystore.
  5. Select Personal certificates.


Note - private keys are found in the Personal certificates area of the WebSphere admin console, and public certificates are found in the Signer area of the WebSphere admin console. When working with IBM / WebSphere, keep in mind that instead of calling a private key a private key, it may be called a personal certificate, and a public certificate may be called a signer. Fun.

In this example, there are two entries. The first is the default certificate, and the second is the certificate chain. Probably the most important information displayed is the expiration date of the keys and certificates in the keystore.


The keytool command can also be used to view the keys and certificates in the keystore. When using keytool, the password for the default trust.p12 and key.p12 files created when WebSphere is installed is WebAS. If WebAS does not work, check the password for the keystore or truststore in the was_home/profiles/your_profile/config/cells/your_cell/security.xml file, where each store is listed with its name, location and (encoded) password:

```xml
<keyStores xmi:id="KeyStore_1"
  name="cellDefaultKeyStore"
  password="{xor}CDo9Hgw="
```
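As an added example (not part of the original article), the following Python script reads the keyStores entries out of a constructed security.xml fragment modelled on the one above, decodes the {xor} password so you know what to type at the keytool prompt, and builds the matching keytool command. The file paths, cell and node names are made up.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled on the keyStores fragment above; not a real security.xml.
SECURITY_XML = """<security:Security
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmlns:xmi="http://www.omg.org/XMI">
  <keyStores xmi:id="KeyStore_1" name="cellDefaultKeyStore" password="{xor}CDo9Hgw="
      location="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/cell01/key.p12"
      type="PKCS12"/>
  <keyStores xmi:id="KeyStore_2" name="cellDefaultTrustStore" password="{xor}CDo9Hgw="
      location="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/cell01/trust.p12"
      type="PKCS12"/>
</security:Security>"""


def decode_xor_password(value: str) -> str:
    """Reverse WebSphere's {xor} encoding: base64 of each byte XORed with 0x5F ('_').

    This is obfuscation, not encryption: anyone who can read security.xml can
    recover the store password, so keep the file's permissions tight.
    """
    if not value.startswith("{xor}"):
        return value  # plain text or another scheme (e.g. {aes}) we do not handle
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ 0x5F for b in raw).decode("ascii")


def list_keystores(xml_text: str) -> list:
    """Return one dict per <keyStores> element with its decoded password."""
    root = ET.fromstring(xml_text)
    return [
        {
            "name": ks.get("name"),
            "location": ks.get("location"),
            "type": ks.get("type", "PKCS12"),
            "password": decode_xor_password(ks.get("password", "")),
        }
        for ks in root.iter("keyStores")
    ]


def keytool_list_command(store: dict) -> list:
    """Argument list for `keytool -list -v` against this store.

    -storepass is deliberately left out: keytool will prompt for the password,
    which keeps it out of the process list and shell history on a shared host.
    """
    return ["keytool", "-list", "-v", "-storetype", store["type"],
            "-keystore", store["location"]]


if __name__ == "__main__":
    for store in list_keystores(SECURITY_XML):
        print(store["name"], "->", " ".join(keytool_list_command(store)))
```

Run the printed command with the keytool from WebSphere's own JDK and enter the decoded password when prompted; the output lists each alias with its expiration date and SHA1 fingerprint, the same values shown in the Personal certificates panel.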


When connecting to the WebSphere admin console, HTTPS can be used to encrypt the connection. The web browser will complain that the site is not secure. This is the expected behavior when using the certificate in the default keystore that is created when WebSphere is installed, because the certificate in the default keystore is self-signed and not issued by a certificate authority (CA) the browser trusts.


After letting the web browser know that you want to connect to the WebSphere admin console, the browser will get the certificate from the default keystore. In this example, a certificate with a SHA1 fingerprint ending in 4D is obtained from the default keystore.


Likewise, the SHA1 fingerprint of the root certificate in the default keystore ends in 4D, which gives certainty that the connection was encrypted using the public/private key pair in the default keystore.


Likewise, if you have apps that are using the default keystore, the browser will complain that the site is not secure. This is perfectly OK in your development environment, but the default self-signed certificate should never be used in a production environment. You can purchase a certificate from a trusted certificate authority (CA), such as www.verisign.com, import it into the keystore, and then the browser will no longer complain that the site is not secure.


