SSL in WebLogic Server – Part II : Create KeyStore, generate CSR, Import CERT and configure KeyStore with WebLogic

This is part II of SSL in WebLogic Server. It covers creating a KeyStore, generating a Certificate Signing Request (CSR), importing the certificates into the KeyStore, and finally using this KeyStore with WebLogic Server. I strongly recommend going through Part I first: SSL in WebLogic KeyStore, Identity & Trust Store, Root and Intermediate CA

 

High Level Steps to configure SSL in WebLogic Server are:

1. Create Java KeyStore (JKS) and generate key
2. Generate Certificate Signing Request  (CSR)
3. Send this certificate request file to CA to issue certificate
4. Import Root CAs certificate
5. Import intermediate CAs certificate (If any)
6. Import certificate issued by CA
7. List content of keystore
8. Configure SSL in WebLogic Server
8.1 Change KeyStore type in WebLogic Server
8.2 Specify path of Identity KeyStore and Trust KeyStore
8.3 Specify Private Key Alias in WebLogic Server
8.4 Enable SSL in WebLogic Server
9. Test SSL in WebLogic Server

 

Low Level Steps to configure SSL in WebLogic Server

1. Create Java KeyStore and generate key: The first step is to create the KeyStore and the private key (if you already have a KeyStore you can use it to generate the key)

keytool -genkey -alias myAlias -keyalg RSA -keysize 2048 -dname "CN=serverName, OU=MyOrganizationUnit, O=myOrganization, L=myLocation, ST=myState, C=myCountry" -keypass [private_key_password] -keystore [keystore_name].jks -storepass [keystore_password]

____

[aiam@innowave21 ~]$ keytool -genkey -alias innowave21 -keyalg RSA -keysize 2048 -dname "CN=innowave21.focusthread.com, OU=DBATeam, O=onlineAppsDBA, L=London, ST=London, C=GB" -keypass welcome1 -keystore innowave21.jks -storepass welcome1

[aiam@innowave21 ~]$ ls *.jks
innowave21.jks

_____

Note:
a) This step creates the KeyStore [keystore_name].jks
b) keytool is the JDK's Key and Certificate Management Tool and is available in $JAVA_HOME/bin
c) -genkey signifies that we are generating a private key
d) -alias myAlias : Each entry in the KeyStore (JKS) is identified by an alias. When you later import the signed certificate (issued by the CA) into the KeyStore you must use the same alias that was used during key generation
e) -keyalg RSA : the algorithm used to generate the key pair (the default algorithm is DSA)
f) -keysize 2048 : the size in bits of the private key
g) -dname : the distinguished name of the server the key and certificate are created for. If you are generating keys for server innowave21.focusthread.com then use CN=innowave21.focusthread.com, OU=………

2. Generate Certificate Signing Request: The next step is to generate a Certificate Signing Request (CSR) for the key (with alias innowave21) generated in the previous step

keytool -certreq -alias myAlias -keystore [keystore_name].jks  -storepass [keystore_password] -file [certificate_request].csr

_____

keytool -certreq -alias innowave21 -keystore innowave21.jks -storepass welcome1 -file innowave21.csr

[aiam@innowave21 ~]$ ls *csr
innowave21.csr

_____
a) This step creates the certificate signing request file
b) -certreq signifies that we are generating a certificate signing request file
c) -alias myAlias must be the same alias used during key generation in the previous step

 

3. Send this certificate request file to the Certifying Authority (CA) to issue the certificate

4. Import Root CA certificate.
Once you receive the certificate for your server, you must first import the certificate of the Authority that issued it (before importing the certificate issued by the CA)

keytool -import -trustcacerts -alias rootcacert -keystore [keystore_name].jks -file rootCA.cer -storepass [keyStorePassword]

a) This step imports the certificate of the Certifying Authority (CA) into the KeyStore with alias rootcacert
b) -import signifies that we are importing a certificate into the KeyStore
c) -trustcacerts signifies that we are importing a trusted certificate (in this case the KeyStore is acting as the Trust Store; remember the trust store and identity store discussed in part I?). If you omit -trustcacerts, keytool will try to import the certificate as an identity certificate
d) -alias must be different from the one used during key generation
e) -file rootCA.cer is the file that contains the certificate of the Root Certifying Authority (remember the Root and Intermediate Certifying Authority discussed in part I?)

 

5. Import intermediate CA (If Any) certificate

If the certificate chain involves more than one Certifying Authority (CA), you must also import each intermediate CA certificate

keytool -import -trustcacerts -alias intermediatecacert -keystore [keystore_name].jks -file intermediateCA.cer -storepass [keyStorePassword]

a) -import signifies that we are importing a certificate into the KeyStore
b) -trustcacerts signifies that we are importing a trusted certificate (in this case the KeyStore is acting as the Trust Store; remember the trust store and identity store discussed in part I?). If you omit -trustcacerts, keytool will try to import the certificate as an identity certificate
c) -alias must be different from the one used during key generation and from the one used while importing the root CA
d) -file intermediateCA.cer is the file that contains the certificate of the Intermediate Certifying Authority

 

6. Import Server Certificate

The next step is to import the Server Certificate

keytool -import -alias myAlias -keystore [keystore_name].jks -file servercert.cer -keypass [keyPassword] -storepass [keyStorePassword]

a) -import signifies that we are importing a certificate into the KeyStore
b) -alias myAlias must match the alias used during generation of the key
c) -file servercert.cer is the file that contains the server certificate issued by the CA

7. List content of keystore

If you want to view the certificates stored in the KeyStore, use the -list option as below

keytool -list -v  -keystore [keystore_name].jks -storepass [keyStorePassword]
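The keytool steps 1, 2, 4, 6 and 7 above as one runnable script (an added example, not the page's own commands). A throw-away local root CA created with keytool stands in for the commercial CA of step 3, and host name, passwords and paths are constructed placeholders; the final check lists the server alias and reports its entry type and chain length.

```shell
# Added example (not the page's own commands): runs the page's keytool steps
# 1, 2, 4, 6 and 7 end to end against a throw-away local CA that stands in for
# the commercial CA of step 3. Host name, passwords and paths are constructed.
set -eu
export LC_ALL=C                   # keep keytool's listing in English
HOST="wls1.example.test"          # assumed server name (goes into CN and SAN)
KEYPASS="KeyPassDemo1"            # protects the private key entry (-keypass)
STOREPASS="StorePassDemo1"        # protects the keystore file itself (-storepass)

# Steps 1 + 2: identity keystore, RSA key pair and CSR for the server alias.
make_server_csr() {
  local dir=$1
  keytool -genkeypair -alias "$HOST" -keyalg RSA -keysize 2048 -storetype JKS \
    -dname "CN=$HOST, OU=Demo, O=Example, L=London, ST=London, C=GB" \
    -ext "SAN=dns:$HOST" -keypass "$KEYPASS" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS" 2>/dev/null
  keytool -certreq -alias "$HOST" -keystore "$dir/identity.jks" -storepass "$STOREPASS" \
    -keypass "$KEYPASS" -file "$dir/server.csr" 2>/dev/null
}
# Step 3 stand-in: a local root CA signs the CSR (test only; production
# certificates come from the real CA the CSR was sent to).
sign_with_local_ca() {
  local dir=$1
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -storetype JKS \
    -dname "CN=Demo Root CA, O=Example, C=GB" -ext "BC=ca:true" \
    -keypass "$STOREPASS" -keystore "$dir/ca.jks" -storepass "$STOREPASS" 2>/dev/null
  keytool -exportcert -rfc -alias rootca -keystore "$dir/ca.jks" \
    -storepass "$STOREPASS" -file "$dir/rootCA.cer" 2>/dev/null
  keytool -gencert -alias rootca -keystore "$dir/ca.jks" -storepass "$STOREPASS" \
    -infile "$dir/server.csr" -outfile "$dir/servercert.cer" -rfc -validity 365 \
    -ext "SAN=dns:$HOST" 2>/dev/null
}
# Steps 4 + 6: root CA first, as a trusted entry under its own alias, then the
# server certificate under the SAME alias as the key so keytool can build the chain.
import_chain() {
  local dir=$1
  keytool -importcert -noprompt -trustcacerts -alias rootcacert -file "$dir/rootCA.cer" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS" 2>/dev/null
  keytool -importcert -noprompt -alias "$HOST" -keypass "$KEYPASS" -file "$dir/servercert.cer" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS" 2>/dev/null
}
# Step 7 check: entry type and chain length of the server alias; a correctly
# imported reply shows "PrivateKeyEntry 2" (server certificate + root CA).
chain_summary() {
  local listing
  listing=$(keytool -list -v -alias "$HOST" -keystore "$1/identity.jks" -storepass "$STOREPASS" 2>/dev/null)
  printf '%s %s\n' "$(printf '%s\n' "$listing" | sed -n 's/^Entry type: //p')" \
    "$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: //p')"
}
demo_ssl_flow() { make_server_csr "$1"; sign_with_local_ca "$1"; import_chain "$1"; chain_summary "$1"; }
```

Run it with `demo_ssl_flow "$(mktemp -d)"`; if the server certificate is imported before its root CA, the second import in import_chain fails with a chain-establishment error instead of producing the PrivateKeyEntry with chain length 2.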

 

8. Configure SSL in WebLogic Server

In the steps above the Trust Store (the store containing the Root and Intermediate CA certificates) and the Identity Store (the store containing the server certificate) are the same file, i.e. [keystore_name].jks.

8.1 Change KeyStore type from "Demo Identity and Demo Trust" to "Custom Identity and Custom Trust"

WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> KeyStores -> change (next to Key Stores)

8.2 Specify path of Identity KeyStore and Trust KeyStore

Set both the Custom Identity KeyStore and the Custom Trust KeyStore to the path of [keystore_name].jks (innowave21.jks in my case), since in the steps above the Trust Store and the Identity Store are the same file.

  • Specify the passphrase as the password used for the KeyStore

 

8.3 Specify Private Key Alias in WebLogic Server

Enter the alias you used when generating the key and certificate request, and the private key password (-keypass, which in this example is the same as the KeyStore password)

WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> SSL

 

8.4 Enable SSL in WebLogic Server 

Finally, enable SSL in WebLogic Server: WebLogic Server Console -> Name of Server (for which you wish to configure SSL) -> Configuration -> General

 

 

9. Test SSL in WebLogic Server 

Open the server over SSL in a browser: https://[server_name]:[ssl_port]

 


About the Author Masroof Ahmad


12 comments
shantanu says March 12, 2013

hi Atul,

How can i export privatekey from certificate as .pem or .prv format ?

sas says April 11, 2013

hi,
Please can you let me know why there are two passwords (storepass and storepass) while generating keys.

What's the main difference?

Thx
sasi

» Security:090294 could not get connection javax.net.ssl.SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received Online Apps DBA: One Stop Shop for Apps DBA's says February 7, 2014

[…] You must also import CA’s certificate (Certifying Authority) that issued certificate to your LDAP Server (OID/OVD) into trust store of WebLogic Server. To more about SSL and steps to import CA’s certificate in WebLogic’s Trust Store click here and here […]

Nalini says July 15, 2015

In my implementation, I need to import two certificates and two aliases. I can solve half the problem, that is, I can import two certificates in my keystore file with 2 different aliases. But the SSL tab on the Weblogic console can hold only one alias. How do I solve this problem?

Thanks in advance,
Nalini

    Atul Kumar says July 15, 2015

    @Nalini,
    Why two certificates? Are you counting trust certificates too? All you need to look for is the identity certificate, which should be the name of the server/url that you are trying to access. You don't import two certificates for one WebLogic Server.

    If you have some other reason for two certs then explain here please.
Nalini says July 15, 2015

@Atul thanks for the quick response.

I need to post to two different websites each have their own SSL certificates. In my keystore file I have the following aliases:
– mykey1 for website 1
– mykey2 for website 2

On the Weblogic console of the managed server, I have configured the SSL tab to use the alias mykey1. How can I add 'mykey2' for website 2 on the same managed server?

Thanks again !

Atul Kumar says July 15, 2015

@Nalini,
You must be using a WebServer or load balancer in front of weblogic, so there you put the different certificates (under virtualHost if Apache or OHS). On weblogic you use a single certificate only.

Unless someone says you can use two certs for a single WebLogic Server – curious to know if this is even supported by WebLogic Server
Susmit says August 9, 2015

Hi Atul,

We have a case where there are 8 different WL servers running in 8 different nodes. Each has a separate WL domain. Our web domain is, say: *.example.com.

Is there a way I can request a single CSR for *.example.com and, after getting the identity trust, use it with these 8 different WL servers with URLs such as m1.example.com, m2.example.com … m8.example.com?

That means, is it possible while generating the CSR to use for example:
-dname "CN=*.example.com, OU=WL, O=Admin, ST=Bangalore, C=IN"

and then import the certs to these 8 different WL domains separately following the above method?
raghav says June 13, 2016

Hi Atul, thanks a lot for providing this document. It's very useful. But I have a different scenario – I need to configure "custom identity and java standard trust", so can you guide me on this? How to proceed? By using keytool I generated the jks (as per step 1) and also the csr as per step 2. As you said, after that some CA has to authorize – what does it mean? To whom do I need to send this? Is there any other way to create my own certificate authority? If yes, requesting you to provide me the steps and then what additional steps I need to follow in case of custom identity and java standard trust.

Hope to see your reply soon.

Regards,
Raghav

Sharath says August 29, 2018

Hello Atul,

I have received 4 files from the CA after sending the CSR, mentioned below:
1. ChainCertificate.p7b
2. RootChainCertificate.p7b
3. SignedCertificate.cer
4. RootSignedCertificate.cer

I'm getting confused with those 4 files about which files need to be imported with which command that you've mentioned above.

Can you please guide me how to import and configure all the above mentioned files? I'll be very grateful to you.

Thank you.

Best Regards,
Sharath

Sharath says August 30, 2018

Hello Atul,

I have created the JavaKeyStore file (.jks) as you mentioned above. Also I have generated a CSR from that KeyStore and sent it to the CA for signing. After that I have received 4 certificates from the CA, mentioned below:

1. ChainCertificate.p7b
2. SignedCertificate.cer
3. RootChainCertificate.p7b
4. RootSignedCertificate.cer

Could you please help me to import the above certificates? I'm getting confused about what all those files are and which command I should use for importing. Please help me!

Thank you.

Regards,
Sharath

Anurag Sharma says February 14, 2019

Hi Atul,
I was trying to import the Root CA cert and I am getting the following prompt –
Certificate already exists in system-wide CA keystore under alias
Is it fine if I move forward saying Yes, as the fingerprints of both the certs are different?
Or what else can be done?
