Add the signer certificate to the WebSphere Java keystore using keytool

This procedure describes how to add the signer certificate to each WebSphere Java cacerts file location using keytool. Using keytool is optional; ikeyman can also be used.

  1. Back up the current file. From an Administrator command window, list the current certificates and redirect the output to a file with these commands:
    Note: The default password for cacerts is changeit.
    Command 1:
    keytool -list -keystore WAS_HOME/AppServer/java/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava_before.out
    Example 1:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava_before.out
    Command 2:
    keytool -list -keystore WAS_HOME/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava1.7_before.out
    Example 2:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava1.7_before.out
    Command 3:
    keytool -list -keystore WAS_HOME/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava1.8_before.out
    Example 3:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava1.8_before.out
  2. Load the certificate into each WebSphere Java keystore using these commands (the example keystore paths match the ones listed in step 1):
    Command 1:
    keytool -import -file <literal_path_to_new_ldap_certificate_file**> -alias <name_that_describes_ldap_server_or_domain>_ldap -trustcacerts -keystore WAS_HOME/AppServer/java/jre/lib/security/cacerts -storepass <password*> > keytool_import_WASJava.out
    Example 1:
    keytool -import -file D:\certs\ADROOT-CA.cer -alias ADROOT-CA_20200206 -trustcacerts -keystore D:/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -storepass changeit > keytool_import_WASJava.out
    Command 2:
    keytool -import -file <literal_path_to_new_ldap_certificate_file**> -alias <name_that_describes_ldap_server_or_domain>_ldap -trustcacerts -keystore WAS_HOME/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass <password*> > keytool_import_WASJava1.7.out
    Example 2:
    keytool -import -file D:\certs\ADROOT-CA.cer -alias ADROOT-CA_20200206 -trustcacerts -keystore D:/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass changeit > keytool_import_WASJava1.7.out
    Command 3:
    keytool -import -file <literal_path_to_new_ldap_certificate_file**> -alias <name_that_describes_ldap_server_or_domain>_ldap -trustcacerts -keystore WAS_HOME/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass <password*> > keytool_import_WASJava1.8.out
    Example 3:
    keytool -import -file D:\certs\ADROOT-CA.cer -alias ADROOT-CA_20200206 -trustcacerts -keystore D:/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass changeit > keytool_import_WASJava1.8.out
  3. List the current certificates again and redirect the output to a file, then verify that the newly added certificate is present in that file, using these commands:
    Command 1:
    keytool -list -keystore WAS_HOME/AppServer/java/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava_after.out
    Example 1:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava_after.out
    Command 2:
    keytool -list -keystore WAS_HOME/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava1.7_after.out
    Example 2:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java_1.7_64/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava1.7_after.out
    Command 3:
    keytool -list -keystore WAS_HOME/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass <password*> > keytool_list_WASJava1.8_after.out
    Example 3:
    keytool -list -keystore D:/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -storepass changeit > keytool_list_WASJava1.8_after.out
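The three steps above, run as one script across all three WebSphere JREs, with the "verify newly added certificate is present" check done mechanically rather than by eye. This is an added example and not IBM's own code: it assumes a POSIX shell on the WebSphere host (or Git Bash/Cygwin on Windows), that keytool is on PATH, and that the caller sets WAS_HOME, CERT_FILE, ALIAS and STOREPASS. It also copies each cacerts file aside before the import, and confirms the import by comparing the certificate file's fingerprint with the fingerprint of the entry that ended up under the alias, so a wrong file or a pre-existing alias is caught. The listing-parsing helpers work on plain `keytool -list` output and are tested on constructed listings.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure. Assumed environment:
#   WAS_HOME   root of the WebSphere install (e.g. /opt/IBM/WebSphere or D:/IBM/WebSphere)
#   CERT_FILE  path to the signer certificate file (the page's D:\certs\ADROOT-CA.cer)
#   ALIAS      alias to store it under (e.g. ADROOT-CA_20200206)
#   STOREPASS  cacerts password (default changeit)

# JRE directories under WAS_HOME/AppServer, exactly as the procedure lists them.
JRE_DIRS="java java_1.7_64 java_1.8_64"

cacerts_path() {  # $1 = JRE dir name -> full path of its cacerts file
    printf '%s/AppServer/%s/jre/lib/security/cacerts\n' "$WAS_HOME" "$1"
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print the
# SHA256 fingerprint (keytool prints a line like "     SHA256: AB:CD:...").
fingerprint_of() {
    awk '/^[[:space:]]*SHA256:/ { sub(/^[[:space:]]*SHA256:[[:space:]]*/, ""); print; exit }'
}

# True if the alias is an entry in a `keytool -list` listing ($1 = file, $2 = alias).
# keytool stores aliases lower-cased, so compare case-insensitively.
alias_in_listing() {
    awk -F', ' -v a="$2" 'tolower($1) == tolower(a) { found = 1 } END { exit !found }' "$1"
}

# True if the alias is absent from the "before" listing and present in the "after" one.
alias_newly_added() {  # $1 = before file, $2 = after file, $3 = alias
    ! alias_in_listing "$1" "$3" && alias_in_listing "$2" "$3"
}

# Print the aliases that appear only in the "after" listing (step 3's check, generalized).
new_aliases() {  # $1 = before file, $2 = after file
    b=$(mktemp) && a=$(mktemp)
    awk -F', ' 'NF > 2 { print tolower($1) }' "$1" | sort -u > "$b"
    awk -F', ' 'NF > 2 { print tolower($1) }' "$2" | sort -u > "$a"
    comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Steps 1-3 for every JRE: back up, list, import, list again, verify alias and fingerprint.
import_into_all_jres() {
    expected=$(keytool -printcert -file "$CERT_FILE" | fingerprint_of)
    [ -n "$expected" ] || { echo "cannot read fingerprint of $CERT_FILE" >&2; return 1; }
    for d in $JRE_DIRS; do
        ks=$(cacerts_path "$d")
        [ -f "$ks" ] || { echo "skip: $ks not present"; continue; }
        cp -p "$ks" "$ks.bak.$(date +%Y%m%d)"                     # step 1: real backup
        keytool -list -keystore "$ks" -storepass "$STOREPASS" > "keytool_list_${d}_before.out"
        keytool -import -noprompt -file "$CERT_FILE" -alias "$ALIAS" -trustcacerts \
            -keystore "$ks" -storepass "$STOREPASS" > "keytool_import_${d}.out" 2>&1   # step 2
        keytool -list -keystore "$ks" -storepass "$STOREPASS" > "keytool_list_${d}_after.out"
        actual=$(keytool -list -v -alias "$ALIAS" -keystore "$ks" -storepass "$STOREPASS" | fingerprint_of)
        if alias_newly_added "keytool_list_${d}_before.out" "keytool_list_${d}_after.out" "$ALIAS" \
           && [ "$actual" = "$expected" ]; then                    # step 3: verify
            echo "OK: $ALIAS added to $ks (SHA256 $actual)"
        else
            echo "FAIL: $ALIAS not verified in $ks (expected $expected, got '$actual')" >&2
            return 1
        fi
    done
}

# Only run the import when invoked as `sh thisscript.sh --run`.
if [ "$#" -gt 0 ] && [ "$1" = "--run" ]; then
    import_into_all_jres
fi
```

`-noprompt` suppresses keytool's interactive "Trust this certificate?" question so the loop does not stall; drop it if you prefer to confirm each import by hand. The fingerprint comparison is the part worth keeping even if you run the keytool commands manually: an alias showing up in the after-listing only proves something was imported, not that it was the intended certificate.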