I have a need to switch my internal WAS cell-default certificates ( root, default etc. ) from one Signature Algorithm ( SHA1 ) to another ( SHA256 )
We have an app ^H^H^H tool for that.
Here's my journey: -
Start WSAdmin
/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
Convert Certificates to SHA256withRSA
AdminTask.convertCertForSecurityStandard('[-fipsLevel SP800-131 -signatureAlgorithm SHA256withRSA -keySize 2048 ]')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Quit
quit
PS Next time one starts WSAdmin, updated certificates are retrieved back to "local" trust store
/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
…
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/etc/trust.p12.
Here is the signer information (verify the digest value matches what is displayed at the server):
Subject DN: CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23501208165426
Expires: Thu Apr 20 05:51:34 BST 2017
SHA-1 Digest: AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest: 76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D
Subject DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23500614165097
Expires: Thu Apr 17 05:51:33 BST 2031
SHA-1 Digest: AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest: 76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D
Add signer to the trust store now? (y/n) y
…
Validate DM Profile Personal Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12:
default
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS -label default
...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Validate DM Profile Root Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12:
root
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS -label root
...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Manually synchronise Node - this may be optional but felt "belt n' braces"
/opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/bin/syncNode.sh `hostname` 10003
...
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/etc/trust.p12.
Here is the signer information (verify the digest value matches what is displayed at the server):
Subject DN: CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35849612167890
Expires: Sat Apr 22 07:14:50 BST 2017
SHA-1 Digest: 94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest: 7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8
Subject DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35848947653836
Expires: Sat Apr 19 07:14:49 BST 2031
SHA-1 Digest: 94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest: 7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8
Add signer to the trust store now? (y/n) y
...
Validate Node Profile Personal Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12:
default
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS -label default
...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Validate Node Profile Root Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12:
root
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS -label root
...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Additional Validation using OpenSSL
echo "" | openssl s_client -connect bpm857.uk.ibm.com:10001 -prexit 2>/dev/null | openssl x509 -noout -text | grep Signature
...
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
...
So that's all good then.