Convert/Replace existing WebSphere default chained certificates from 1024 to 2048 key size and also signatureAlgorithm
This article converts the WebSphere Application Server default chained certificates from a 1024-bit key size to 2048 bits (or larger), and optionally changes the signature algorithm as well.
Prerequisite: WebSphere Application Server fix pack 7.0.0.23 or above. The following steps apply only to fix pack 7.0.0.23 or above.
A default installation of WebSphere Application Server v7.0 ships with default keystores whose root CA uses a 1024-bit key. With this approach you upgrade the root CA to a 2048-bit root certificate, which raises the security level of the default certificates.
Please see the following steps.
NOTE: This document assumes that you are using a default SSL configuration and Default SSL keystores.
1) Run backupConfig on the Deployment Manager.
backupConfig command: you can use backupConfig -nostop
-nostop tells the backupConfig command not to stop the servers before backing up the configuration.
Then start wsadmin from the Deployment Manager profile, for example:
C:\WebSpherev7.0.0.23\profiles\Dmgr01\bin>wsadmin
The following command updates both the key size and the signature algorithm:
$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048 }
The following command updates only the key size:
$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -keySize 2048 }
The following command saves the configuration changes made above:
$AdminConfig save
The command above replaces every default certificate that ships with WebSphere Application Server with a new 2048-bit certificate, for example in the cell and node key.p12 files, trust.p12, root-key.p12, etc.
Example paths:
\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\key.p12
\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12
\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\nodes\CellManager(dmgr)\root-key.p12
Go to the admin console and check the default certificate:
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore (or NodeDefaultKeyStore) > Personal certificates > click default
You will see that the key size has changed from 1024 to 2048 and the signature algorithm from SHA1withRSA to SHA256withRSA.
Make sure you synchronize the nodes with the dmgr: from the admin console expand System Administration > Nodes, select the nodes and click Full Resynchronize.
Restart the complete WebSphere Application Server environment: dmgr, node agents and all application servers.
You also need to manually copy the trust store into each profile's etc directory, because client operations such as stopdmgr, wsadmin, syncNode and serverStatus read their trust store from there.
Back up the trust.p12 in profile_root\Dmgr\etc, then copy profile_root\Dmgr\config\cells\cell-name\trust.p12 over it (example path: \WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12).
If you use SSL between the web server plug-in and WebSphere Application Server, you must also propagate plugin-key.kdb from the WebSphere admin console, or add the new WebSphere root certificate as a signer certificate in plugin-key.kdb, because the change above replaces the WebSphere root CA certificate with a new one (it has a new serial number).