Generate new certificates and a Certificate Authority (CA)

About this task

If you want to secure the communication based on the Secure Sockets Layer (SSL) protocol, but you do not have a corporate Certificate Authority (CA), you can use Certman to create one and generate the required certificates.

Procedure

  1. Browse to the following path: <image_location>/TWS/<interp_name>/Tivoli_LWA_<interp_name>\TWS\bin
  2. Generate the CA and certificates by running the following command: 
    certman generate -keypasswd <key pwd> -outpath <output path> [-days <valid days>] [-subj <full subject>] [-keysize <key size in bits>] [-cakeypasswd <ca key pwd>] [-cadays <ca valid days>] [-casubj <ca full subject>] [-wauser <user>] [-wagroup <group>]

    Where:

    keypasswd
    Specify the password to encrypt the private key. The minimum length of the password is 6 characters.
    Note: If the password contains wildcards, enclose the password in single quotes. For example:
    -keypasswd 'passw!rd'
    outpath
    Specify the folder where to generate the certificates.
    days
    Optionally, specify the validity period in days after which the tls certificate expires.
    subj
    Optionally, specify additional information about the owner of the tls certificate using OpenSSL syntax:
    subj: "/C=<country>/ST=<state>/L=<locality>/O=<organization>/CN=<common name>"
    For example:
    subj: "/C=IT/ST=none/L=Rome/O=COLA/CN=cola.com"
    Where:
    C
    Specify the nation or sovereign territory.
    ST
    Specify the regional subdivision within the country.
    L
    Specify the city or town. The specific urban center.
    O
    Specify the name of the organization that owns the certificate.
    CN
    Specify the domain name that the certificate is intended to secure.
    keysize
    Specify the dimension of the private key in bits.
    cakeypasswd
    Specify the password for encrypting the private key of the CA. The minimum length of the password is 6 characters.
    Note: If the password contains wildcards, enclose the password in single quotes. For example:
    -keypasswd 'passw!rd'
    cadays
    Optionally, specify the validity period in days after which the CA certificate expires.
    casubj
    Optionally, specify additional information about the owner of the CA using the OpenSSL syntax:
    casubj: "/C=<country>/ST=<state>/L=<locality>/O=<organization>/CN=<common name>"
    For example:
    casubj: "/C=IT/ST=none/L=Rome/O=COLA/CN=cola.com"
    Where:
    C
    Specify the nation or sovereign territory.
    ST
    Specify the regional subdivision within the country.
    L
    Specify the city or town. The specific urban center.
    O
    Specify the name of the organization that owns the certificate.
    CN
    Specify the domain name that the certificate is intended to secure.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the TWS_user that must be set as group of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.

Results

The following output files are the CA and certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the Root ca.
  • ca.key
    The private key of the CA.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
Note: It is strongly suggested that you save the ca.key so that in future, if needed, you can generate or replace the certificates only.

After having generated the CA, add it to the OS and browser so that they can trust the new CA.