WebSphere And Tivoli Tricks: WebSphere Self-signed certificates

Wednesday, April 20, 2011

WebSphere Self-signed certificates

WebSphere v6.1 automatically replaces expiring self-signed certificates by default. If the system date on a server is moved forward for testing purposes, the certificates will be regenerated and the expiring certificates and their signers deleted. This can be turned off under Security > SSL certificate and key management > Manage certificate expiration by un-ticking the appropriate options.
If the certificates become invalid you may receive one of the following exceptions:
CWPKI0311E: The certificate with subject {0} has a start date {1} 
which is valid after the current date/time.  This will can happen 
if the client's clock is set earlier than the server's clock. 
Please verify the clocks are in sync between this client and server 
and retry the request.
or
Exception stack trace: javax.naming.NamingException: Error during 
resolve [Root exception is org.omg.CORBA.COMM_FAILURE: 
CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: 
javax.net.ssl.SSLHandshakeException - The client and server could 
not negotiate the desired level of security.  Reason: com.ibm.jsse2
.util.h: No trusted certificate found  vmcid: 0x49421000  minor code: 70 
completed: No]
In order to increase the lifetime of the certificates and resolve the issue, the following steps were taken:
  1. Locate the key.p12 and trust.p12 files under the dmgr profile, i.e.:
    <profile_root>\config\cells\<cellname>\key.p12
  2. Open the key.p12 file with the IKEYMAN tool (\bin\ikeyman.bat). You must select PKCS12 from the key database type drop down in order to open the file.
  3. The default password for WebSphere Application Server certificate stores is: WebAS?
  4. Select Personal Certificates from the key database content area drop down
  5. Delete the existing default certificate
  6. Create a new self-signed certificate with the following details:
    Key Label: default
       Version X509 V3
       Key Size: 1024
       Common Name: <fullyQualifiedHostname>
       Organization: IBM
       Country or region:US
       Validity Period: 3650 (we selected 10 years for the length of the certificate)
  7. Extract the certificate you just created with the following settings:
    Data Type: Base64-encoded ASCII data
       Certificate file name: newDefault.arm
       Location: D:\temp\
  8. Open the \config\cells\\trust.p12 file
  9. Again the password is WebAS?
  10. In the Key Database Content area select signer certificates from the large drop down.
  11. Delete any existing default or default_x certificates
  12. Click Add and browse to the extracted certificate from the key.p12 file, D:\temp\newDefault.arm
  13. Enter a label of default
  14. close the IBM Key Management tool
  15. Copy the key.p12 and trust.p12 files to the following locations:
    Deployment Manager:
       <profilehome_dmgr>\config\cells\<cellname>\nodes\<nodename>
    All nodes:
    <profilehome_nodex>\config\cells\<cellname>
       <profilehome_dmgr>\config\cells\<cellname>\nodes\<nodename>
  16. Restart the DMGR, all node agents and servers.
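The same replacement done from the command line instead of the IKEYMAN GUI, as an added example that is not part of the original post. It assumes the keytool shipped with the WebSphere JDK can open the PKCS12 stores, that the store, keytool and export paths shown are placeholders to adjust, and it deliberately generates a 2048-bit key rather than the 1024-bit key used above, since 1024-bit RSA is below current minimums.

```powershell
# Added example, not from the post. Placeholder paths: adjust to your install.
$ErrorActionPreference = 'Stop'

$keytool    = 'C:\IBM\WebSphere\AppServer\java\bin\keytool.exe'                     # placeholder
$cellDir    = 'C:\IBM\WebSphere\AppServer\profiles\Dmgr01\config\cells\myCell01'     # placeholder
$keyStore   = Join-Path $cellDir 'key.p12'
$trustStore = Join-Path $cellDir 'trust.p12'
$storePass  = 'WebAS?'                         # default store password quoted in the post
$hostname   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # fully qualified name
$exportFile = 'D:\temp\newDefault.arm'

# Back up both stores first: a bad import leaves the cell unable to start its servers.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Copy-Item $keyStore   "$keyStore.$stamp.bak"
Copy-Item $trustStore "$trustStore.$stamp.bak"

# Steps 4-6: replace the personal certificate labelled "default" in key.p12.
# 2048-bit RSA is used here instead of the 1024-bit key chosen in the post.
& $keytool -delete -alias default -keystore $keyStore -storetype PKCS12 -storepass $storePass
& $keytool -genkeypair -alias default -keyalg RSA -keysize 2048 `
    -dname "CN=$hostname, O=IBM, C=US" -validity 3650 `
    -keystore $keyStore -storetype PKCS12 -storepass $storePass -keypass $storePass

# Step 7: extract the new certificate as Base64-encoded ASCII (the .arm file).
& $keytool -exportcert -alias default -rfc -file $exportFile `
    -keystore $keyStore -storetype PKCS12 -storepass $storePass

# Steps 8-13: remove the old "default" / "default_x" signers from trust.p12 and add the new one.
$signers = (& $keytool -list -keystore $trustStore -storetype PKCS12 -storepass $storePass) |
    Select-String -Pattern '^(default(_\d+)?),' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($alias in $signers) {
    & $keytool -delete -alias $alias -keystore $trustStore -storetype PKCS12 -storepass $storePass
}
& $keytool -importcert -noprompt -alias default -file $exportFile `
    -keystore $trustStore -storetype PKCS12 -storepass $storePass

# Check before copying the stores to the node directories (step 15): the certificate's
# "Valid from" date must not be ahead of this clock, or clients will report CWPKI0311E.
& $keytool -list -v -alias default -keystore $keyStore -storetype PKCS12 -storepass $storePass |
    Select-String -Pattern 'Valid from'
```

The copy to the node directories and the restarts in steps 15 and 16 are still done as the post describes.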

1 comment:

  1. Very, very helpful! Thanks a lot, this really helped me out of trouble!
