WebSphere Application Server & Liberty

  • 1.  Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    Posted Wed February 23, 2022 02:08 PM
    I was wondering if there's a support link somewhere on how to import both the personal and signer certificate with a pfx file.  I haven't seen too much on the web, other than when encountering issues with the 'unrestricted policy file'.  This is for WebSphere version 7.0.0.

    ------------------------------
    Cesar Garcia
    ------------------------------


  • 2.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    Posted Wed February 23, 2022 03:08 PM
    Hi Cesar, Java can treat a .pfx file in the same way it treats a .p12 file -- as a keystore. There are a number of different ways to move things between keystores, but in this case I would recommend the following steps:

    - Configure the .pfx as a keystore in WAS
    - Use the "Import" button from the Personal Certificates panel of an existing keystore (e.g. CellDefaultKeyStore) to import the personal cert from the .pfx keystore
    - Use the "Exchange Signers" button from the Keystores and Certificates panel, with the .pfx keystore and an existing keystore (e.g. CellDefaultTrustStore) selected, to move the signer(s) from the .pfx to the existing keystore
    - Remove the .pfx keystore from the WAS configuration

    Cheers,
    Jackson

    ------------------------------
    Jackson Leonard
    ------------------------------



  • 3.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    Posted Thu February 24, 2022 05:27 PM
    Hello Jackson,

    Do you have steps on how to configure the .pfx as a webstore or is that step 2?  Also, just to be clear, you set this up temporarily as a keystore only to extract to the permanent keystores (trust and key) and then you remove it?  My apologies, but I'm very new to WebSphere.

    Cesar

    ------------------------------
    Cesar Garcia
    ------------------------------



  • 4.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    IBM Champion
    Posted Fri February 25, 2022 02:41 AM
    Hello Cesar,

      From the admin console, in the security section, you have the option to manage the keystores (where you have CellDefaultKeyStore). At this level, create a new keystore; you only need to give a name, point to where the .pfx is, and give the password to manage the internal private key. Then you can follow Jackson's instructions from step 2.

      Take a look at the Redbook WebSphere Application Server V7.0 Security Guide

      http://www.redbooks.ibm.com/abstracts/sg247660.html?Open

      Chapter 5.1.2 KeyStore and TrustStore
       
      Hope this helps.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------



  • 5.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    Posted Tue March 08, 2022 03:14 PM
    Hello,

    I got as far as the 'Exchange Signers' step.  I'm not able to move the entry from the new keystore to the TrustKeyStore.  Could it be that there's no entry and that this is the personal certificate only?  When I attempt to click on the 'add' button after selecting the entry from the new key store, nothing occurs.  Any assistance would be appreciated.  Thanks.

    Cesar

    ------------------------------
    Cesar Garcia
    ------------------------------



  • 6.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    IBM Champion
    Posted Wed March 09, 2022 02:47 AM
    Hello Cesar,

      From the admin console, are you able to see the content of the newly registered .pfx keystore? If you have registered the .pfx keystore, you are able to review its contents (keys, CAs, ...), so you can check if there is a key.

      Tell us if you need more support.


    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------



  • 7.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    Posted Wed March 09, 2022 04:18 PM
    Hello Gabriel,

    I looked at the contents of the keystore and there didn't seem to be the root and intermediate certificates, but I was able to obtain them and just added them to the Signer Certs. I did have one more question.  Are we supposed to add the root and intermediate certificates to both the key and truststore or just the keystore?  Thanks for the response.

    Cesar

    ------------------------------
    Cesar Garcia
    ------------------------------



  • 8.  RE: Import Personal and Signer Certificate from PFX File on WAS v7.0.0

    IBM Champion
    Posted Thu March 10, 2022 02:45 AM
    Hello Cesar,

    Usually CA and intermediate certificates are stored in the truststore and the key in the keystore, but keep in mind that both stores are Java PKCS12, so you can name one MyKeyStore and another MyTrustore and point both to the same store. At the application level (or server level), when the SSL/TLS exchange of certificates starts, CAs are looked up in the file named as the truststore and keys in the keystore.

    All that you have done using the admin console can be done with keytool (WAS_HOME/AppServer/JAVA_VERSION/bin).

    Some useful commands:

    https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

    About GUIs to manage tools you can use iKeyman (WAS_HOME/AppServer/bin) or KeyStore Explorer https://keystore-explorer.org

    Hope this helps.

    Regards

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------
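
The check from posts 5 to 7 (does the .pfx hold any signer entries for 'Exchange Signers' to move, or only the personal certificate?) can be made from `keytool -list` output. The following is an added example, not part of any post in the thread; the function names are hypothetical and the two listings are constructed samples with made-up aliases, dates and fingerprints.

```shell
#!/bin/sh
# Added example: classify the entries in `keytool -list` output.
# A real listing comes from (path is a placeholder):
#   keytool -list -storetype PKCS12 -keystore /path/to/file.pfx
# Constructed sample: a .pfx that holds only the personal certificate.
SAMPLE_PFX_LISTING='Keystore type: PKCS12

Your keystore contains 1 entry

myserver, Feb 23, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Constructed sample: a truststore after root and intermediate were added.
SAMPLE_TRUST_LISTING='Keystore type: PKCS12

Your keystore contains 2 entries

root, Mar 9, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
intermediate, Mar 9, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22'

# Print "alias<TAB>type" for each entry line of a listing read from stdin.
list_entries() {
  awk '{
    line = $0
    sub(/,[ \t]*$/, "", line)        # entry lines end with a comma
    n = split(line, f, ", ")         # alias is first field, type is last
    if (f[n] == "PrivateKeyEntry" || f[n] == "trustedCertEntry" ||
        f[n] == "SecretKeyEntry")
      print f[1] "\t" f[n]
  }'
}

# Count entries of type $1 in a listing read from stdin.
count_type() {
  list_entries | awk -F'\t' -v t="$1" '$2 == t { n++ } END { print n + 0 }'
}

# Summarise personal (PrivateKeyEntry) and signer (trustedCertEntry) counts.
entry_report() {
  listing=$(cat)
  personal=$(printf '%s\n' "$listing" | count_type PrivateKeyEntry)
  signers=$(printf '%s\n' "$listing" | count_type trustedCertEntry)
  echo "personal=$personal signers=$signers"
}

printf '%s\n' "$SAMPLE_PFX_LISTING" | entry_report    # .pfx: no signers to exchange
printf '%s\n' "$SAMPLE_TRUST_LISTING" | entry_report  # truststore: two signers
```

A .pfx that reports `signers=0` may still carry the CA chain inside the key entry; `keytool -list -v` shows this as "Certificate chain length".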