Pages

Friday, February 13, 2015

Create java keystore using wallet for Digicert wildcard cert


Had a heck of a time getting a DigiCert wildcard cert converted to a Java Keystore for use with Oracle Fusion Middleware 10.3.6.

Here's the procedure I ended up using to get this working:

  1. Create wallet
    1. mkdir $MW_HOME/owm
    2. Start OWM
    3. Create new wallet, store it in $MW_HOME/owm
    4. Enter password for wallet (make note of this for later)
    5. Create certificate request
      1. CN: *.domain.com
      2. OU: YourDept
      3. Org: YourCo
      4. Locality: City
      5. State: MI
      6. Key Size 2048 << important, our CSR will reject without keysize at least 2048
    6. Click on certificate, select operation >> export certifciate request
      1. Enter request.csr in name
    7. Send request.csr to your unix admins
    8. Save wallet, back it up in case you make a mistake with the following
    9. Unix admins send back the following
      1. star_domain_com
      2. DigiCERTCA.crt
    10. Get root.crt from https://ev-root.digicert.com/info/index.html
      1. Copy every thing starting with -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- in a text file root.crt
    11. In OWM, import certificates
      1. Operations, import trusted certificate, select root.crt
      2. Operations, import trusted certificate, select DigiCertCA.crt
      3. Operations, import user certificate, select star_domain_com
    12. Do not check auto login
    13. Wallet > save wallet
  2. Convert wallet to keystore
    1. export ORACLE_HOME=$MW_HOME/oracle_common
    2. export PATH=$ORACLE_HOME/bin:$PATH
    3. export JAVA_HOME=$MW_HOME/Oracle_WT1/jdk
    4. orapki wallet pkcs12_to_jks -wallet $MW_HOME/owm -pwd notapassword -jksKeyStoreLoc $MW_HOME/owm/keystore.jks -jksKeyStorepwd notapassword
  3. Verify keystore
    1. keytool -list -v -keystore keystore.jks -storepass password
      1. make note of alias for your specific cert
  4. Implement in Fusion Middleware
    1. Login to FMW console
      1. base_domain > environment, servers, click on server name
      2. Keystores tab 
        1. Custom Identity and Java Standard Trust
        2. Custom Identity Keystore: $MW_HOME/owm/keystore.jks
        3. Custom identity keystore type: jks
        4. Custom identity keystore passphrase: notapassword
        5. Save
      3. SSL Tab
        1. Identity and Trust Locations: change to keystores
        2. Private Key Alias, alias from step 3.1.1 above
        3. Private Key Passphrase: notapassword
        4. Confirm Private Key Passphrase: notapassword
    2. Go to general tab
      1. Enable SSL listen port enabled
      2. Set listen port to port 7003
    3. Telnet from another machine to servername:7003 to verify connectivity
  5. You should now be able to connect to servername:7003 with a browser and not get an ugly cert error message.

Hopefully this will help whoever stumbles for this in the future.

Useful notes:

  1. Convert Wallet To Keystore for WebLogic. (Doc ID 1363979.1)
  2. http://docs.oracle.com/cd/E16340_01/core.1111/e10105/walletmgr.htm#CJGGFCGC