1

our customer using Websphere 7 decided to no longer use the self-signed certificates, but from now on always use some CA certificates.

I was browsing via the Security guide for Websphere environment and SSL settings, and just found this information:

A CA client must be created to connect to the CA server before creating a CA certificate. You need to implement the com.ibm.wsspi.ssl.WSPKIClient interface to enable WebSphere Application Server security to communicate with a remote CA. The class name needs be provided as part of the CA client when it is created

I am not sure if I understand it correctly. But for the situation, where I already have some CA certificate, and I just want to import it onto our environment, do I need to implement this interface?

Does that mean, that if I need to switch from self-signed certificates on Websphere to CA certificate, our software needs some implementation change?

I would expect only importing new truststores, keystores etc. but no java implementation.

Does someone have the knowledge about this change?

jaruss
  • 153
  • 1
  • 9

1 Answers1

0

But for the situation, where I already have some CA certificate, and I just want to import it onto our environment, do I need to implement this interface?

No, you don't need to implement this interface, you can just import your certificates into your environment (to trust and key stores).

This interface is required if you would like to have automatic management with remote CA e.g. if certificate expires to allow WAS to automatically connect to CA and request for new one.

Gas
  • 17,601
  • 4
  • 46
  • 93
  • I thought so, but I am quite limited on time, so I preferred to ask. I'll test it, thanks a lot! – jaruss Apr 17 '15 at 14:53