Generate new certificates from an existing Certificate Authority (CA)

About this task

If you need to generate new certificates from an existing Certificate Authority (CA), you can use Certman to generate the required certificates. In this case, the capath parameter is required and you need to provide the path of the existing ca.crt and ca.key files.

Procedure

  1. Browse to the following path: <image_location>/TWS/<interp_name>/Tivoli_LWA_<interp_name>\TWS\bin
  2. Generate the new certificates by running the following command:
    certman generate -keypasswd <pwd> -outpath <output path> [-capath <ca path>] [-days <valid days>] [-subj <full subject>] [-keysize <key size in bits>] [-wauser <user>] [-wagroup <group>]

    Where:

    keypasswd
Specify the password used to encrypt the private key. The password must be the same one used for the existing CA, and its minimum length is 6 characters.
Note: If the password contains special characters (such as !), enclose the password in single quotes. For example:
    -keypasswd 'passw!rd'
    outpath
    Specify the folder where to generate the certificates.
    capath
    Specify the path where ca.crt and ca.key files are stored.
    days
Optionally, specify the validity period in days, after which the TLS certificate expires.
    subj
Optionally, specify additional information about the owner of the TLS certificate, using OpenSSL subject syntax:
    subj: "/C=<country>/ST=<state>/L=<locality>/O=<organization>/CN=<common name>"
    For example:
    subj: "/C=IT/ST=none/L=Rome/O=COLA/CN=cola.com"
    Where:
    C
    Specify the nation or sovereign territory.
    ST
    Specify the regional subdivision within the country.
    L
Specify the city or town (the locality).
    O
    Specify the name of the organization that owns the certificate.
    CN
    Specify the domain name that the certificate is intended to secure.
    keysize
Optionally, specify the size of the private key in bits.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
Optionally, specify the group that must be set as the group owner of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.

Results

Certman writes the following files to the specified output folder:
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the TLS certificate.
  • tls.sth
    The stash file of the TLS certificate, which contains the password encoded in Base64 format.
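A post-generation check, added here as an example and not part of the Certman documentation or product: it confirms that tls.crt in the output folder chains to the ca.crt in capath, that tls.sth decodes to the keypasswd value, that tls.key opens with that password and matches tls.crt, and that the certificate is not expired. It assumes OpenSSL is on PATH and that tls.sth holds only the Base64-encoded password, as described above.

```shell
#!/bin/sh
# Usage: verify_certman_output <outpath> <capath> <keypasswd>
# Prints "ok" and returns 0 when every check passes; otherwise prints the
# first failing check and returns 1.
verify_certman_output() {
    out="$1"; ca="$2"; expected="$3"
    for f in "$out/tls.crt" "$out/tls.key" "$out/tls.sth" "$ca/ca.crt"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # 1. tls.crt must be signed by the CA in capath (chain validation).
    openssl verify -CAfile "$ca/ca.crt" "$out/tls.crt" >/dev/null 2>&1 \
        || { echo "tls.crt is not signed by $ca/ca.crt"; return 1; }
    # 2. The stash file (assumed: Base64 of the password only) must decode
    #    to the keypasswd value that was given to certman.
    stash_pwd=$(openssl base64 -d -in "$out/tls.sth" | tr -d '\n')
    [ "$stash_pwd" = "$expected" ] \
        || { echo "tls.sth does not decode to keypasswd"; return 1; }
    # 3. tls.key must decrypt with that password and its public key must
    #    equal the public key embedded in tls.crt.
    key_pub=$(openssl pkey -in "$out/tls.key" -passin "pass:$stash_pwd" -pubout 2>/dev/null) \
        || { echo "tls.key cannot be decrypted with the stashed password"; return 1; }
    crt_pub=$(openssl x509 -in "$out/tls.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "tls.key does not match tls.crt"; return 1; }
    # 4. The certificate must still be within its validity period.
    openssl x509 -in "$out/tls.crt" -noout -checkend 0 >/dev/null \
        || { echo "tls.crt has expired"; return 1; }
    echo ok
}
```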