Changing Installed Certificates Used for Unwired Server and Sybase Control Center HTTPS Listeners

Both Unwired Server and Sybase Control Center include default certificates that are used for these components' HTTPS listeners. Since all installations use the same certificates by default, you must change these certificates with production-ready ones after you install Unwired Platform. Unwired Server and Sybase Control Center share the same keystore and truststore (that is, SUP_HOME\Servers\UnwiredServer\Repository\Security\).

To share certificates, Sybase recommends that you maintain the existing certificate alias (that is, "sample1" or "sample2" depending on the profile used) in the new certificates. Then, when you replace the IIOPS default certificate with the new production certificate, you are updating change the certificate for all listeners simultaneously.

Note: Because secure DCN has automatically been configured to use these same profiles by default, you are updating certificates used for secure DCN communication. If you want DCN to use a unique profile and certificates, see Creating a Unique SSL Profile For DCN.

Generate new production-ready certificates:
1. Use your PKI system to generate Unwired Server certificates and key pairs, and have them signed with the Certificate Authority (CA) certificate used in your organization.
  Ensure that you:
  - Keep the required alias for your profile type.
  - Set the CN of the certificate to *.MyDomain. The truststore and keystore files, as well as the definitions for default and default_mutual profiles are then synchronized across the cluster. As a result, there will only ever be a single certificate shared by all nodes that are members of the same cluster.
  Unwired Platform is compliant with certificates and key pairs generated from most well known PKI systems.
2. For Sybase Control Center: generate a new certificate with a "jetty" alias. This replaces the default self-signed certificate installed for this component specifically.
Import production-ready certificates, then update the security profile to associate these files with the Unwired Server encrypted port.
1. Use keytool to import the new production certificates into the primary Unwired Server keystore.
2. In the left navigation pane, select Configuration.
3. In the right administration pane, click General then SSL Configuration.
4. Optional. If you have used a different alias, rather than keep the alias of "sample1", locate the profile name row and modify the alias name to match the one used by your certificate.
5. Optional. If you are using a PKI system that includes OCSP, configure an OCSP responder. See Enabling OCSP.
Replace the default certificate for Sybase Control Center's HTTPS listener. Use keytool to import the new Sybase Control Center certificate with the "jetty" alias to the SCC_HOME\keystore keystore.

Enabling OCSP
(Optional) Enable OCSP (Online Certificate Status Protocol) to determine the status of a certificate used to authenticate a subject: current, expired, or unknown. OCSP configuration is enabled as part of cluster level SSL configuration. OCSP checking must be enabled if you are using the CertificateAuthenticationLoginModule and have set Enable revocation checking to true.
Using Keytool to Generate Self-Signed Certificates and Keys
Whenever possible, use a PKI system and a trusted CA to generate production-ready certificates and keys that encrypt communication among different Unwired Platform components. You can then use keytool to import and export certificate to the platform's keystores and truststores. Otherwise, you can also use keytool to generate self-signed certificates and keys.

Parent topic: Preparing SSL for HTTPS Listeners

Previous topic: Determining Certificate Requirements Based on Security Profile Chosen

Next topic: Enabling and Configuring Administration Encryption for Unwired Server

Related concepts

Unwired Server and Sybase Control Center Communications