I went through this process last evening, and thought that sharing it MIGHT be of interest :-)
Check What's Installed
/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages
com.ibm.cic.agent_1.8.2000.20150303_1526
com.ibm.websphere.liberty.v85_8.5.5000.20130514_1313
Create a WLP Server
/opt/IBM/WebSphere/Liberty/bin/server create davehay
Server davehay created.
Create an SSL Keystore and Self-Signed Certificate
/opt/IBM/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=davehay --password=passw0rd --validity=365
Creating keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks
Created SSL certificate for server davehay
Add the following lines to the server.xml to enable SSL:
<featureManager>
    <feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />
Add SSL support to Server Configuration
vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml
Append: -
<featureManager>
    <feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />
Update Server Configuration to reflect hostname
vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml
Change: -
<httpEndpoint id="defaultHttpEndpoint"
              host="localhost"
              httpPort="9080"
              httpsPort="9443" />
to: -
<httpEndpoint id="defaultHttpEndpoint"
              httpPort="9080"
              httpsPort="9443" />
Start WLP Server
/opt/IBM/WebSphere/Liberty/bin/server start davehay
Starting server davehay.
Server davehay started with process ID 3962.
Test Connectivity ( via HTTP )
From Linux
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html'
100%[==================================================================================================================================================================>] 4,725 --.-K/s in 0s
2016-01-13 19:22:37 (625 MB/s) - `index.html' saved [4725/4725]
WARNING: cannot verify mta2015a.uk.ibm.com's certificate, issued by `/C=us/O=ibm/OU=davehay/CN=localhost': Self-signed certificate encountered.
WARNING: certificate common name `localhost' doesn't match requested host name `mta2015a.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.2'
100%[==================================================================================================================================================================>] 4,725 --.-K/s in 0s
2016-01-13 19:24:54 (1.01 GB/s) - `index.html.2' saved [4725/4725]
List Content of Keystore
keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd
…
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5: 6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3
…
Create New Self-Signed Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -genkey -alias selfsigned -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd -validity 360 -keysize 2048 -dname CN=mta2015a.uk.ibm.com,DC=UK,DC=IBM,DC=COM -sigAlg SHA256withRSA -keyAlg RSA
List Content of Keystore
keytool -list -v -keystore /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -storepass passw0rd
…
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: default
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Serial number: 3559914d
Valid from: Wed Jan 13 19:06:46 GMT 2016 until: Thu Jan 12 19:06:46 GMT 2017
Certificate fingerprints:
MD5: 6D:26:90:BA:50:1C:3B:8B:28:73:C0:68:F0:16:AA:13
SHA1: 41:75:D6:93:20:BA:10:EB:F3:FE:B9:20:91:48:45:BC:8D:50:3E:FA
SHA256: FA:94:A3:3A:55:99:2F:80:98:85:A1:09:C8:F8:6F:BC:C1:5A:7D:C2:53:03:C4:4F:9D:A1:2E:D9:6B:3D:36:2D
Signature algorithm name: SHA1withRSA
Version: 3
…
Alias name: selfsigned
Creation date: 13-Jan-2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Serial number: 5696bab3
Valid from: Wed Jan 13 20:59:31 GMT 2016 until: Sat Jan 07 20:59:31 GMT 2017
Certificate fingerprints:
MD5: B4:9C:EC:1F:D3:82:88:5F:33:CB:26:63:A8:7F:65:4E
SHA1: 7C:21:43:87:32:3F:66:FE:E4:CA:06:7D:50:C6:F5:91:A4:41:02:40
SHA256: C5:0B:93:B1:64:F1:13:C2:A6:D7:9E:95:88:FE:80:7F:1F:8F:F5:3A:10:BE:93:0F:9C:9C:21:05:D0:06:70:FA
Signature algorithm name: SHA256withRSA
Version: 3
…
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks -pw passw0rd
Certificates in database /opt/IBM/WebSphere/Liberty/usr/servers/davehay/resources/security/key.jks:
default
selfsigned
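The two listings above differ in exactly the properties wget complained about: the subject CN and the signature algorithm. The following check over `keytool -list -v` output is an added example, not part of the original post; the function names and the list of weak algorithms are assumptions made for illustration.

```python
import re

# Trimmed copy of the keytool output shown on this page (fingerprints dropped).
# The "selfsigned" entry has no Owner line on the page, so that case is handled.
KEYTOOL_OUTPUT = """\
Alias name: default
Owner: CN=localhost, OU=davehay, O=ibm, C=us
Issuer: CN=localhost, OU=davehay, O=ibm, C=us
Signature algorithm name: SHA1withRSA
Alias name: selfsigned
Signature algorithm name: SHA256withRSA
"""

WEAK_SIG = re.compile(r"^(MD2|MD5|SHA1)with", re.IGNORECASE)  # assumed policy

def parse_entries(text):
    """Split keytool -list -v output into one dict per alias."""
    entries, current = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "alias name":
            current = {"alias": value}
            entries.append(current)
        elif current is not None and key in ("owner", "signature algorithm name"):
            current.setdefault(key, value)  # first occurrence = leaf certificate
    return entries

def common_name(dn):
    """Extract the CN component from a distinguished name, or None."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn or "", re.IGNORECASE)
    return m.group(1).strip() if m else None

def audit(text, hostname):
    """Return {alias: [findings]} for every keystore entry."""
    report = {}
    for e in parse_entries(text):
        findings = []
        alg = e.get("signature algorithm name", "")
        if WEAK_SIG.match(alg):
            findings.append("weak signature algorithm: " + alg)
        cn = common_name(e.get("owner"))
        if cn is None:
            findings.append("subject not shown; cannot check hostname")
        elif cn.lower() != hostname.lower():
            findings.append("CN %s does not match %s" % (cn, hostname))
        report[e["alias"]] = findings
    return report
```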
Update Server Configuration to reflect new certificate
vi /opt/IBM/WebSphere/Liberty/usr/servers/davehay/server.xml
Add/amend: -
<sslDefault sslRef="defaultSSLSettings" />
<ssl id="defaultSSLSettings"
     keyStoreRef="defaultKeyStore"
     serverKeyAlias="selfsigned" />
<keyStore id="defaultKeyStore"
          location="key.jks"
          type="jks"
          password="passw0rd" />
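The amended configuration stores the keystore password in clear text, whereas the snippet printed by securityUtility used an `{xor}` value, and it relies on serverKeyAlias to select the new certificate. A small audit of those points, as an added example that is not part of the original post; the sample server.xml is constructed from the snippets on this page and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the snippets from this page combined into one server.xml.
SERVER_XML = """\
<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <sslDefault sslRef="defaultSSLSettings" />
  <ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" serverKeyAlias="selfsigned" />
  <keyStore id="defaultKeyStore" location="key.jks" type="jks" password="passw0rd" />
</server>
"""

def password_encoding(value):
    """Classify a password attribute by its {scheme} prefix."""
    if value.startswith("${"):
        return "variable"          # resolved elsewhere, e.g. an include file
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "plaintext"

def audit_server_xml(xml_text):
    """Return a list of findings for the SSL-related elements."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature not enabled")
    stores = {ks.get("id"): ks for ks in root.iter("keyStore")}
    for ks_id, ks in stores.items():
        enc = password_encoding(ks.get("password", ""))
        if enc == "plaintext":
            findings.append("keyStore %s: password stored in plaintext" % ks_id)
        elif enc == "xor":
            findings.append(
                "keyStore %s: {xor} is reversible obfuscation, not encryption" % ks_id)
    for ssl in root.iter("ssl"):
        if ssl.get("keyStoreRef") not in stores:
            findings.append("ssl %s: keyStoreRef does not resolve" % ssl.get("id"))
        if not ssl.get("serverKeyAlias"):
            findings.append("ssl %s: serverKeyAlias not set" % ssl.get("id"))
    return findings
```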
Stop WLP Server
/opt/IBM/WebSphere/Liberty/bin/server stop davehay
Stopping server davehay.
Server davehay stopped.
Start WLP Server
/opt/IBM/WebSphere/Liberty/bin/server start davehay
Starting server davehay.
Server davehay started with process ID 16945.
Test Connectivity ( via HTTPS )
From Linux
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4725 (4.6K)
Saving to: `index.html.5'
100%[==================================================================================================================================================================>] 4,725 --.-K/s in 0s
2016-01-13 20:51:53 (416 MB/s) - `index.html.5' saved [4725/4725]
Inspect Self-Signed Certificate
…
Server certificate
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1573 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-SHA256
Session-ID: 5696BB3015905180F9175410E9B677F5F5F4B7BC7C7A4C0B3BA986AD0D48BD23
Session-ID-ctx:
Master-Key: 06A29B8AAFC260B798511B29AAA52D3E876E75B897444E146DFA3DC5E50F4D29382E5E26E4EC8E5221E31084DA2B2F03
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1452718896
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
…