securityUtility createSSLCertificate

The securityUtility createSSLCertificate command supports TLS certificate creation for Open Liberty.

This command creates a default keystore that includes a self-signed TLS certificate for use in a server or client configuration. For version 19.0.0.3 and later, the default keystore location is the resource/security/key.p12 file of the server or client directory. Through version 19.0.0.2, the default keystore location is the resource/security/key.jks file of the server or client directory.

Usage example

Create a TLS certificate for the myserver server that is valid for 365 days with the mypassword password:

securityUtility createSSLCertificate --server=myserver --password=mypassword --validity=365

Syntax

Run the command from the path_to_liberty/bin directory.

securityUtility createSSLCertificate --password[=pwd] [options]
--password[=pwd]

The keystore password, which must be at least six characters long. If no value is specified, then you’re prompted for a value.

options

One or more optional parameters.

Options

Option Description

--client=name

Specifies the name of the Open Liberty client for which the keystore and certificate are created. This option can’t be used if the --server option is specified.

--extInfo

Specifies any X.509 certificate extension information that is used to create the default certificate. By default, the Subject Alternative Name (SAN) extension is added to the certificate with the hostname of the server.

If the --extInfo option is used, the value is passed directly to the keytool command. Use the syntax of the --ext flag on the keytool command.

You can use more than one --extInfo option with a single command, for example, --extInfo="san=dns:laptop" --extInfo="ExtendedKeyUsage=serverAuth,clientAuth".

--keySize=size

Specifies the certificate key bit size. The default value is 2048.

--keyType=keystore_type

Specifies the keystore type to generate. By default, a PKCS12 keystore is generated. To generate a JKS keystore, specify this option with the value of JKS. To explicitly specify the generation of a PKCS12 keystore, specify this option with the value of PKCS12.

A PKCS12 keystore has advantages over a JKS keystore. The PKCS12 keystore is more extensible, supports stronger cryptographic algorithms, and is widely adopted. Certificate authorities frequently issue certificates in the PKCS12 format.

--passwordEncoding=password_encoding_type

Specifies how to encode the keystore password. Supported encoding types are xor and aes. If this option isn’t specified, a default encoding type of xor is used.

--passwordKey=password_encryption_key

Specifies the key to use when you encode a password with AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. You can provide the key by defining the wlp.password.encryption.key variable as the key value. If this option isn’t specified, a default key is used.

--server=name

Specifies the name of the Open Liberty server for which the keystore and certificate are created. This option can’t be used if the --client option is specified.

--sigAlg=signature_algorithm

Specifies the signature algorithm that is used to sign the self-signed certificate. By default, the signature algorithm is SHA256withRSA. The signature algorithm that is supported depends on what is supported by the underlying Java Runtime Environment (JRE). Stronger signature algorithms might require the JRE to have an unrestricted policy file in place.

The command accepts the following signature algorithms: SHA256withRSA, SHA1withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA. The signature algorithms that end with RSA create certificates with RSA keys. The signature algorithms that end with ECDSA create certificates with Elliptical Curve (EC) keys.

If you use certificates that are created with EC keys, then include a customized ciphers list that includes EC ciphers in your Transport Layer Security (TLS) configuration.

--subject=DN

Specifies the distinguished name (DN) for the certificate subject and issuer. If this option isn’t specified, a default value of CN=<hostname>,OU=<server or client name>,O=ibm,C=us is used.

The DN value is retrieved by using a Java method to get the machine’s local hostname. If the hostname can’t be resolved, the IP address is returned.

--validity=days

Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. If this option isn’t specified, a default value of 365 is used.