Adding trusted certificates in Liberty

For secure communication with another process over HTTPS, add the public certificate of the other process as a signer certificate to a Liberty truststore.

Open Liberty Documentation for the transportSecurity-1.0 feature is available on the Open Liberty website.

About this task

Many variations exist in the way you can configure certificates and truststores. This procedure covers only common configurations.

Procedure

  1. Obtain the public certificate from the other process.

    You can obtain the public certificate by using a web browser or open source tools. If you have direct access to the keystore of the other process, the certificate can be extracted from it. Use one of the following three methods. Steps might change slightly over time as browsers and open source tools are updated.

    • Use a web browser to obtain the public certificate.
      1. In Firefox, click the padlock icon next to the URL.
      2. Click the arrow.
      3. Click More Information.
      4. Click View Certificate.
      5. Click Details.
      6. Click Export.
      7. Select a file name, and then save the file as an x.509 certificate.
    • Run the openssl command to obtain a certificate.
      1. Run the following command and capture the output:
        echo q | openssl s_client -showcerts -connect (hostname):(port)
        
        Use a port value of 443 unless you configured a different port for the HTTPS protocol. Specify only the host name and port; do not include the https:// prefix in the command.
      2. From the output that you captured, copy the first certificate in the chain (the server certificate itself, listed as certificate 0).
        Include the following lines and the information between these lines.
        "-----BEGIN CERTIFICATE-----"
        "-----END CERTIFICATE-----"
    • Extract the public certificate directly from the keystore file of the server.
      keytool -rfc -export -keystore (filename) -alias (alias) -file publickey.cer
      
      In a newly created Liberty keystore, only one key exists. The alias of the key is default.
  2. Add the certificate to a Liberty truststore.
    1. Determine which file to modify.

      Truststores are usually found in the resources/security path of the Liberty server. In the simplest default configuration, the key.jks file functions as both the keystore and the truststore.

      Another common configuration consists of one file as a keystore, and another as a truststore.

      Use of multiple truststores is possible. If you have this configuration, examine the server configuration to determine which files are to receive the certificate.

      If you previously received an error message in the messages.log file, the error message might say which truststore needs to be updated.

    2. Make a backup copy of the key file in case any problems occur.
    3. Use the keytool command to add the certificate to the file.
      keytool -importcert \
           -file <certificate to trust> \
           -alias <alias for the certificate> \
           -keystore <name of the truststore> \
           -storepass <password for the truststore> \
           -storetype <type of the keystore>
      In version 19.0.0.2 and earlier, use the following syntax. The -storetype option has a value of jks.
      keytool -importcert \
           -file <certificate to trust> \
           -alias <alias for the certificate> \
           -keystore <name of the truststore> \
           -storepass <password for the truststore> \
           -storetype jks
  3. Restart the server.
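The following POSIX shell script is an added example, not part of the Liberty documentation: it strings together the openssl method of step 1 and the keytool import of step 2, keeping only the first certificate of the captured chain before importing it as a signer. The function names, the sample openssl output and the placeholder certificate bodies are constructed; openssl and keytool are assumed to be on PATH for a real run, and the truststore type is passed explicitly (jks for version 19.0.0.2 and earlier).

```shell
#!/bin/sh
# Added example; assumes openssl and keytool are installed for a real run.

# Print only the first "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block from stdin. Later certificates in the chain (intermediates, root) are dropped,
# which matches the "copy the first certificate" step of the documentation.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Capture the chain the remote server presents on its HTTPS port (host and port only,
# no https:// prefix). Usage: fetch_chain hostname port
fetch_chain() {
  echo q | openssl s_client -showcerts -connect "$1:$2" 2>/dev/null
}

# Import a PEM certificate as a trusted signer. -noprompt skips the interactive
# "Trust this certificate?" question. Usage: import_signer cert.pem alias truststore password storetype
import_signer() {
  keytool -importcert -noprompt \
    -file "$1" -alias "$2" -keystore "$3" -storepass "$4" -storetype "$5"
}

# End-to-end: fetch, trim to the server certificate, import, clean up.
# Usage: trust_server hostname port alias truststore password storetype
trust_server() {
  tmp=$(mktemp) || return 1
  fetch_chain "$1" "$2" | first_cert > "$tmp"
  import_signer "$tmp" "$3" "$4" "$5" "$6"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample of openssl s_client -showcerts output; the bodies are placeholders,
# not real certificates.
SAMPLE_OUTPUT='CONNECTED(00000003)
Certificate chain
 0 s:CN=server.example.test
   i:CN=Example Issuer
-----BEGIN CERTIFICATE-----
MIIBserverleafplaceholder
-----END CERTIFICATE-----
 1 s:CN=Example Issuer
   i:CN=Example Issuer
-----BEGIN CERTIFICATE-----
MIIBissuerplaceholder
-----END CERTIFICATE-----
DONE'

# Number of lines first_cert keeps from the sample (used for checking the trim).
sample_cert_lines() {
  printf '%s\n' "$SAMPLE_OUTPUT" | first_cert | wc -l | tr -d ' '
}
```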