How to configure CA-Signed Certificate in WAS for RAM


anoop mc (75010149206) | asked Dec 15 '14, 6:13 a.m.
Dear team,

We have a requirement for configuring a CA-Signed Certificate in WAS for RAM.



Having discussed with our internal Identity management team, we ran the Ikeyman tool from E:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin

In the IBM Key Management Utility, click on Key Database File and then New.

  1. Choose Key database type and select JKS. Give the keystore a name such as your_domain.jks.
  2. Click the Browse button. Go to C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc or to a different location where you want to store your keystore file.
  3. Click OK. Enter a password and click OK.
  4. Click Create then New Certificate Request to bring up the Create New Key and Certificate Request dialog.
  5. Type a Key Label, Common Name, Organization, Locality, State, and select a Country. Select 2048 for Key Size.

We have sent the ramqa1certreq.arm file to the CA authority, and in return they have sent me the below set of files.

My question is: How to get this imported into WAS, and after that our end-users should be able to browse the RAM URL (https) without accepting the certificate on each browser.


2 answers



Kevin Ramer (4.4k6162185) | answered Dec 31 '14, 3:10 p.m.
The path I've always taken with WebSphere is [ you should likely start at #4 below ]

  1. Go to NodeDefaultKeyStore under Keystores [ as you've done ]
  2. Click on Personal Certificate Requests / New and fill out the form
  3. Send the CSR to the Certificate Authority. You'll likely get back a Base64 encoded file. Put that on your WebSphere machine somewhere
  4. Again on NodeDefaultKeyStore / Personal Certificates, click Receive from Certificate authority
  5. Provide the path name
  6. This should import your new certificate in the NodeDefaultKeyStore file. Make sure it shows up there.
  7. Next go to SSL Configurations, Open NodeDefaultSSL settings
  8. Choose your CA signed certificate next to "Default server certificate alias"
  9. Save
This should put your new certificate into effect immediately ( the "Dynamically update the run time ..."  is likely checked  under SSL Certificate and key management section already )
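
Console steps 4 to 9 of the answer above, expressed as a wsadmin Jython script. This is an added example, not part of the original answer and not IBM's own code; the cell and node names, the file path and the certificate alias are placeholders, and NodeDefaultSSLSettings is assumed to be the alias behind the "NodeDefaultSSL settings" entry the answer refers to.

```jython
# Run with: wsadmin -lang jython -f receive_cert.py
# Every value below is a placeholder (assumption), not taken from the thread.
KEYSTORE   = 'NodeDefaultKeyStore'
SSL_CONFIG = 'NodeDefaultSSLSettings'
SCOPE      = '(cell):PLACEHOLDER_CELL:(node):PLACEHOLDER_NODE'
CERT_FILE  = 'PLACEHOLDER_PATH/signed_cert.cer'  # Base64 file returned by the CA (path without spaces)
CERT_ALIAS = 'PLACEHOLDER_ALIAS'                 # label given when the certificate request was created

# Steps 4-5: receive the CA reply into the keystore that holds the pending request.
AdminTask.receiveCertificate('[-keyStoreName %s -keyStoreScope %s '
                             '-certificateFilePath %s -base64Encoded true]'
                             % (KEYSTORE, SCOPE, CERT_FILE))

# Step 6: make sure the certificate is listed before touching the SSL configuration.
listing = AdminTask.listPersonalCertificates('[-keyStoreName %s -keyStoreScope %s]'
                                             % (KEYSTORE, SCOPE))
if listing.find(CERT_ALIAS) == -1:
    raise Exception('alias %s not found in %s; SSL configuration left unchanged'
                    % (CERT_ALIAS, KEYSTORE))

# Steps 7-8: select the new certificate as the default server certificate alias.
AdminTask.modifySSLConfig('[-alias %s -scopeName %s -serverKeyAlias %s]'
                          % (SSL_CONFIG, SCOPE, CERT_ALIAS))

# Step 9: save the configuration change.
AdminConfig.save()
```

If the CA returned separate root or intermediate certificates, they have to be present as signer certificates before the receive step succeeds and before browsers will accept the chain without a prompt.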


anoop mc (75010149206) | answered Jan 30 '15, 3:25 a.m.
Hi,

Finally I could get this working by getting a CSR certificate signed back from our identity management team.

Also, working with IBM Support engineer Dipak Shah was a great help.

Here is the link to follow

1. Create a new certificate request

http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_sslcreateCArequest.html?cp=SSAW57_8.5.5%2F1-8-2-33-4-7

Navigate to the path where the file got created and send it to the Identity Management Team and get it signed back. We have tried using Internal certificate key.

Note: Make sure you point the file name under any drive with .cer extension.

2. Next step is to receive the SSL cert

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=tsec_sslreceiveCAcert

3. Replace the old one with new one

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=tsec_sslreplaceselfsigncert

Based on the import we did on our QA environment, it worked fine for us.



