The securityUtility createSSLCertificate command supports TLS certificate creation for Open Liberty.
This command creates a default keystore that includes a self-signed TLS certificate for use in a server or client configuration. For version 126.96.36.199 and later, the default keystore location is the resource/security/key.p12 file of the server or client directory. Through version 188.8.131.52, the default keystore location is the resource/security/key.jks file of the server or client directory.
Create a TLS certificate for the myserver server with the mypassword password, and set the validity period to 365 days:
securityUtility createSSLCertificate --server=myserver --password=mypassword --validity=365
Run the command from the path_to_liberty/wlp/bin directory. You must specify either the server or the client option, or the command fails. The keystore password must be at least six characters long. If the password option is not specified, you are prompted for a password value when you run this command.
Use the following syntax to create a keystore and certificate for an Open Liberty server:
securityUtility createSSLCertificate --server=serverName --password=pwd [options]
Use the following syntax to create a keystore and certificate for an Open Liberty client:
securityUtility createSSLCertificate --client=clientName --password=pwd [options]
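The following POSIX shell wrapper is an added example and is not part of the Open Liberty documentation or product. It enforces the constraints the page states (exactly one of the server or client options, a password of at least six characters, a validity of at least 365 days) before the tool is ever invoked, so a bad argument fails locally with a clear message instead of producing a keystore that is silently weaker than intended. The WLP_HOME install path is an assumed placeholder, and the keytool inspection step assumes a JRE is on PATH.

```shell
#!/bin/sh
# Added example (not Open Liberty's own code): validate the documented
# preconditions of securityUtility createSSLCertificate, then run it.
# Assumption: WLP_HOME points at path_to_liberty/wlp (placeholder default).

WLP_HOME="${WLP_HOME:-/opt/ibm/wlp}"

# build_create_cert MODE NAME PASSWORD [VALIDITY]
#   MODE is "server" or "client"; VALIDITY defaults to 365 days.
# Prints the argument list that would be passed to securityUtility and
# returns 0, or returns non-zero with a message on stderr when a documented
# constraint is violated.
build_create_cert() {
  mode=$1; name=$2; password=$3; validity=${4:-365}

  case "$mode" in
    server|client) ;;
    *) echo "mode must be 'server' or 'client'" >&2; return 2 ;;
  esac
  [ -n "$name" ] || { echo "a $mode name is required" >&2; return 2; }

  # Documented minimum keystore password length.
  [ ${#password} -ge 6 ] || { echo "password must be at least six characters" >&2; return 3; }

  # Documented minimum validity period (whole number of days, >= 365).
  case "$validity" in
    ''|*[!0-9]*) echo "validity must be a whole number of days" >&2; return 4 ;;
  esac
  [ "$validity" -ge 365 ] || { echo "validity must be at least 365 days" >&2; return 4; }

  printf 'createSSLCertificate --%s=%s --password=%s --validity=%s\n' \
    "$mode" "$name" "$password" "$validity"
}

# run_create_cert MODE NAME PASSWORD [VALIDITY]
# Validates the arguments, then invokes securityUtility from WLP_HOME/bin
# and reports its exit code (0 is documented as success).
run_create_cert() {
  build_create_cert "$@" >/dev/null || return $?
  tool="$WLP_HOME/bin/securityUtility"
  [ -x "$tool" ] || { echo "securityUtility not found at $tool" >&2; return 1; }
  "$tool" createSSLCertificate "--$1=$2" "--password=$3" "--validity=${4:-365}"
  rc=$?
  echo "securityUtility exited with code $rc" >&2
  return $rc
}

# inspect_keystore KEYSTORE PASSWORD
# Lists the generated PKCS12 keystore with the JRE's keytool and filters the
# lines a reviewer checks: signature algorithm, validity window and SAN entries.
inspect_keystore() {
  ks=$1; password=$2
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
  keytool -list -v -keystore "$ks" -storetype PKCS12 -storepass "$password" \
    | grep -E 'Signature algorithm name|Valid from|SubjectAlternativeName|DNSName'
}
```

Typical use is `run_create_cert server myserver mypassword 365` followed by `inspect_keystore "$WLP_HOME/usr/servers/myserver/resource/security/key.p12" mypassword` to confirm the validity period and SAN hostname that the page says are written into the certificate. The validation step is deliberately separate from the invocation so it can be exercised without an Open Liberty installation present.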
The following options are available:
--client=clientName: Specifies the name of the Open Liberty client for which the keystore and certificate are created. This option can't be used if the server option is also specified.
--extInfo=extensionInfo: Specifies any X.509 certificate extension information that is used to create the default certificate. By default, the Subject Alternative Name (SAN) extension is added to the certificate with the hostname of the server.
--keySize=size: Specifies the certificate key bit size. The default value is
--keyType=type: Specifies the keystore type to generate. By default, a PKCS12 keystore is generated. To generate a JKS keystore, specify this option with the value of
--password=pwd: Specifies the keystore password, which must be at least six characters long. If this option is not specified, you are prompted for a value when you run the command.
--passwordEncoding=encoding: Specifies how to encode the keystore password. Supported encoding types are
--passwordKey=key: Specifies the key to use when you encode a password with AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. You can provide the key by defining the
--server=serverName: Specifies the name of the Open Liberty server for which the keystore and certificate are created. This option can't be used if the client option is also specified.
--sigAlg=algorithm: Specifies the signature algorithm that is used to sign the self-signed certificate. By default, the signature algorithm is SHA256withRSA. Which signature algorithms are supported depends on the underlying Java Runtime Environment (JRE). Stronger signature algorithms might require the JRE to have an unrestricted policy file in place.
--subject=DN: Specifies the distinguished name (DN) for the certificate subject and issuer. If this option isn't specified, a default value of
--validity=days: Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. If this option isn't specified, a default value of
The following exit codes are available for the securityUtility createSSLCertificate command:
- Successful completion of the requested operation.
- A generic error.
- The server is not found.
- The client is not found.
- The path cannot be created.
- The file already exists.