With IBM Workload Automation version 10.2.3, the Certman tool simplifies the management of custom certificates during both fresh installations and upgrade procedures. Certman provides flexibility and security for handling SSL certificates across different roles within your environment.
Certman Capabilities
Certman supports the following operations:
- Generate new certificates and a Certificate Authority (CA)
- Create new certificates using an existing CA
- Extract certificates from a keystore on a Master Domain Manager
- Verify the validity of certificates
- Import certificates from a Master Domain Manager into the Dynamic Workload Console
Locating Certman
You can find Certman at the following path:
TWS_INST_DIR/TWS/bin
where TWS_INST_DIR is the IBM Workload Scheduler installation directory. To check the version of Certman, run:
certman version
Generating a Certificate Authority (CA) and Certificates
If you do not have a corporate CA, you can use Certman to create one and generate the necessary certificates. Use the following command:
certman generate -keypasswd <pwd> -outpath <output path> [-capath <ca path>] [-wauser <user>] [-wagroup <group>]
Key Parameters:
- keypasswd: Password used to encrypt the private key.
- outpath: Directory for the generated certificates.
- capath: Path to an existing CA (omit it to create a new CA).
- wauser: User ownership of output files.
- wagroup: Group ownership of output files.
Generated Files:
- ca.crt: Root CA file.
- ca.key: Private key of the CA.
- tls.crt: Certificate signed by the CA.
- tls.key: Private key for TLS.
- tls.sth: Stash file containing an encoded password.
Tip: Store ca.key securely; you will need it to generate or replace certificates in the future.
Generating New Certificates Using an Existing CA
If a CA already exists, use Certman to generate new certificates:
certman generate -keypasswd <pwd> -outpath <output path> -capath <ca path> [-wauser <user>] [-wagroup <group>]
Extracting Certificates from a Master Domain Manager Keystore
To extract certificates for a backup Master Domain Manager or the Dynamic Workload Console, use:
certman extract -outpath <output path> [-storepasswd <pw>] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]
Key Parameters:
- storepasswd: Optional keystore password.
- workdir: Temporary working directory.
- cachain-splitted: Splits CA chain into multiple files.
Extracted Files:
- ca.crt: Root CA and intermediate CA certificates.
- tls.crt: TLS certificate.
- tls.key: Private key.
- tls.sth: Stash file.
- additionalCAs/: Folder containing intermediate CA certificates.
Verifying Certificates
Certman can validate certificates to ensure they are in the correct format and not expired:
certman verify -inpath <input path> -keypasswd <key pwd> [-minkeysize <minimum key size>] [-workdir <working directory>]
Verification Checks:
- Certificate format (.pem)
- Expiry status
- Key length against -minkeysize (default: 1024 bits)
- Private and public key match
- Stash password validity
Importing Certificates into the Dynamic Workload Console
To import a CA certificate from a Master Domain Manager into the Dynamic Workload Console, run:
certman import (-inpath <input path> [-storepasswd <store pwd>] | -url <host:port> -storepasswd <store pwd>) -alias <alias> [-forcealias] [-workdir <working directory>]
Key Parameters:
- inpath: Path containing the ca.crt file.
- storepasswd: Optional keystore password.
- url: Server hosting the CA chain.
- alias: Alias for the certificate in the truststore.
- forcealias: Overwrites the alias if it already exists in the truststore.
- workdir: Temporary working directory.
If the CA chain consists of multiple certificates, the ca.crt file must contain only the root CA certificate, with the intermediate CA certificates stored in the additionalCAs subfolder.
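As an added example (not part of Certman or this article), the following Python script performs a pre-flight check of a certificate directory laid out as described above before you run certman import: it confirms that ca.crt holds exactly one certificate (the root CA), that intermediates live in additionalCAs/, that tls.key holds a private key block, and that no key material has leaked into a certificate file. The file names come from the article; the PEM contents written by build_sample are constructed placeholders, not real certificates or keys.

```python
import re
import tempfile
from pathlib import Path
# One PEM block; group 1 is its label ("CERTIFICATE", "ENCRYPTED PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_labels(path):
    """Labels of all PEM blocks in a file, in order (findall returns group 1)."""
    return PEM_BLOCK.findall(Path(path).read_text(encoding="ascii", errors="replace"))

def check_cert_dir(path):
    """Return layout problems for a Certman-style directory; [] means import-ready."""
    base = Path(path)
    problems = [f"missing {n}" for n in ("ca.crt", "tls.crt", "tls.key", "tls.sth")
                if not (base / n).is_file()]
    if problems:
        return problems
    labels = {n: pem_labels(base / n) for n in ("ca.crt", "tls.crt", "tls.key")}
    roots = labels["ca.crt"].count("CERTIFICATE")
    if roots != 1:  # intermediates belong in additionalCAs/, not in ca.crt
        problems.append(f"ca.crt must hold exactly one certificate (the root CA), found {roots}")
    if not any(l.endswith("PRIVATE KEY") for l in labels["tls.key"]):
        problems.append("tls.key holds no PRIVATE KEY block")
    for n in ("ca.crt", "tls.crt"):  # key material must never sit in a certificate file
        if any(l.endswith("PRIVATE KEY") for l in labels[n]):
            problems.append(f"{n} contains private key material")
    extra = base / "additionalCAs"
    for f in sorted(extra.iterdir()) if extra.is_dir() else []:
        if "CERTIFICATE" not in pem_labels(f):
            problems.append(f"additionalCAs/{f.name} holds no CERTIFICATE block")
    return problems

def fake_pem(label, body):
    """Constructed placeholder PEM block; the body is not real key or certificate data."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def build_sample(bundled_chain):
    """Write a constructed Certman-style directory; bundled_chain=True wrongly puts the intermediate CA in ca.crt."""
    d = Path(tempfile.mkdtemp(prefix="certman-sample-"))
    root, inter = fake_pem("CERTIFICATE", "ROOTCA"), fake_pem("CERTIFICATE", "INTERMEDIATE")
    files = {"ca.crt": root + inter if bundled_chain else root,
             "tls.crt": fake_pem("CERTIFICATE", "SERVER") + inter,
             "tls.key": fake_pem("ENCRYPTED PRIVATE KEY", "KEYDATA"),
             "tls.sth": "stash-placeholder\n"}
    if not bundled_chain:
        (d / "additionalCAs").mkdir()
        files["additionalCAs/intermediate.crt"] = inter
    for name, content in files.items():
        (d / name).write_text(content)
    return str(d)
```

Point check_cert_dir at the outpath of a certman extract or certman generate run; an empty list means the layout matches what certman import expects.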
Conclusion
Certman simplifies SSL certificate management across multiple roles within IBM Workload Automation. Whether you are setting up a fresh installation, upgrading your environment, or securing communications, Certman provides a structured, efficient, and secure approach to certificate handling.
By leveraging Certman, you can ensure smooth operations, enhance security, and maintain compliance with best practices in SSL management. Try it out today!