securityUtility createSSLCertificate
The securityUtility createSSLCertificate command supports TLS certificate creation for Open Liberty.
This command creates a default keystore that includes a self-signed TLS certificate for use in a server or client configuration.
For version 19.0.0.3 and later, the default keystore location is the resource/security/key.p12 file of the server or client directory.
Through version 19.0.0.2, the default keystore location is the resource/security/key.jks file of the server or client directory.
Usage example
Create a TLS certificate for the myserver server with the mypassword password. Set the validity period to 365 days:
securityUtility createSSLCertificate --server=myserver --password=mypassword --validity=365
Syntax
Run the command from the path_to_liberty/wlp/bin directory.
securityUtility createSSLCertificate --password=pwd [options]
- --password=pwd
  The keystore password, which must be at least six characters long. If no value is specified, you’re prompted for a value when you run this command.
Options
Option | Description
---|---
--client=name | Specifies the name of the Open Liberty client for which the keystore and certificate are created. This option can’t be used if the
--extInfo | Specifies any X.509 certificate extension information that is used to create the default certificate. By default, the Subject Alternative Name (SAN) extension is added to the certificate with the hostname of the server.
--keySize=size | Specifies the certificate key bit size. The default value is
--keyType=keystore_type | Specifies the keystore type to generate. By default, a PKCS12 keystore is generated. To generate a JKS keystore, specify this option with the value of
--passwordEncoding=password_encoding_type | Specifies how to encode the keystore password. Supported encoding types are
--passwordKey=password_encryption_key | Specifies the key to use when you encode a password with AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. You can provide the key by defining the
--server=name | Specifies the name of the Open Liberty server for which the keystore and certificate are created. This option can’t be used if the
--sigAlg=signature_algorithm | Specifies the signature algorithm that is used to sign the self-signed certificate. By default, the signature algorithm is SHA256withRSA. The supported signature algorithms depend on what the underlying Java Runtime Environment (JRE) supports. Stronger signature algorithms might require the JRE to have an unrestricted policy file in place.
--subject=DN | Specifies the distinguished name (DN) for the certificate subject and issuer. If this option isn’t specified, a default value of
--validity=days | Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. If this option isn’t specified, a default value of
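After the command has run, it is worth confirming that the keystore actually carries the certificate the options above describe (self-signed, SHA256withRSA by default, a validity of at least 365 days, a SAN extension). The following checker is an added example, not part of the Open Liberty documentation or tooling: it reads the verbose listing of the JDK `keytool` and compares it with those documented defaults. The sample listing, hostname and DN are constructed placeholders, and `keytool` must be on the PATH for the live `keytool_list` helper.

```python
import re
import subprocess
from datetime import datetime

# Constructed, abbreviated sample of `keytool -list -v` output for a keystore produced by
# securityUtility createSSLCertificate; the DN and hostname are placeholders, not real values.
SAMPLE_LISTING = """\
Owner: CN=myserver.example.test, OU=myserver, O=example
Issuer: CN=myserver.example.test, OU=myserver, O=example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
Signature algorithm name: SHA256withRSA
Extensions:
SubjectAlternativeName [
  DNSName: myserver.example.test
]
"""

def keytool_list(keystore: str, password: str) -> str:
    """Run the JDK keytool against a real keystore and return its verbose listing."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", password]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def _field(listing: str, name: str) -> str:
    """Return the value of a 'Name: value' line, or '' if that line is absent."""
    m = re.search(rf"^{re.escape(name)}: (.+)$", listing, re.M)
    return m.group(1).strip() if m else ""

def _parse_date(text: str) -> datetime:
    """keytool prints dates like 'Mon Jan 01 00:00:00 UTC 2024'; keep only month, day and year."""
    m = re.match(r"\w{3} (\w{3} \d{1,2}) \d\d:\d\d:\d\d \S+ (\d{4})", text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %Y")

def check_certificate(listing: str, expected_sigalg: str = "SHA256withRSA", min_days: int = 365) -> dict:
    """Compare a keytool listing with the documented defaults; 'problems' names each mismatch."""
    m = re.search(r"^Valid from: (.+?) until: (.+)$", listing, re.M)
    days = (_parse_date(m.group(2)) - _parse_date(m.group(1))).days if m else 0
    result = {
        # A self-signed certificate has the same DN as subject (Owner) and issuer.
        "self_signed": _field(listing, "Owner") == _field(listing, "Issuer"),
        "sig_alg": _field(listing, "Signature algorithm name"),
        "validity_days": days,
        "has_san": "SubjectAlternativeName [" in listing,
    }
    checks = [
        (result["self_signed"], "owner and issuer differ; expected a self-signed certificate"),
        (result["sig_alg"] == expected_sigalg, f"signature algorithm {result['sig_alg']!r} != {expected_sigalg!r}"),
        (days >= min_days, f"validity of {days} days is below {min_days}"),
        (result["has_san"], "no Subject Alternative Name extension"),
    ]
    result["problems"] = [msg for ok, msg in checks if not ok]
    return result
```

Run `check_certificate(keytool_list("usr/servers/myserver/resources/security/key.p12", "mypassword"))` against a real keystore; an empty `problems` list means the keystore matches the documented defaults.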
Exit codes
The following exit codes are available for the securityUtility createSSLCertificate command:
Code | Explanation
---|---
0 | Successful completion of the requested operation.
1 | Generic error.
2 | The server is not found.
3 | The client is not found.
4 | The path cannot be created.
5 | The file already exists.