Friday, February 13, 2015

Create java keystore using wallet for Digicert wildcard cert

Had a heck of a time getting a DigiCert wildcard cert converted to a Java Keystore for use with Oracle Fusion Middleware 10.3.6.

Here's the procedure I ended up using to get this working:

  1. Create wallet
    1. mkdir $MW_HOME/owm
    2. Start OWM
    3. Create new wallet, store it in $MW_HOME/owm
    4. Enter password for wallet (make note of this for later)
    5. Create certificate request
      1. CN: *
      2. OU: YourDept
      3. Org: YourCo
      4. Locality: City
      5. State: MI
      6. Key Size 2048 << important, the CA will reject the CSR unless the key size is at least 2048
    6. Click on certificate, select operation >> export certificate request
      1. Enter request.csr in name
    7. Send request.csr to your unix admins
    8. Save wallet, back it up in case you make a mistake with the following
    9. Unix admins send back the following
      1. star_domain_com
      2. DigiCertCA.crt
    10. Get root.crt from
      1. Copy everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- into a text file named root.crt
    11. In OWM, import certificates
      1. Operations, import trusted certificate, select root.crt
      2. Operations, import trusted certificate, select DigiCertCA.crt
      3. Operations, import user certificate, select star_domain_com
    12. Do not check auto login
    13. Wallet > save wallet
  2. Convert wallet to keystore
    1. export ORACLE_HOME=$MW_HOME/oracle_common
    2. export PATH=$ORACLE_HOME/bin:$PATH
    3. export JAVA_HOME=$MW_HOME/Oracle_WT1/jdk
    4. orapki wallet pkcs12_to_jks -wallet $MW_HOME/owm -pwd notapassword -jksKeyStoreLoc $MW_HOME/owm/keystore.jks -jksKeyStorepwd notapassword
  3. Verify keystore
    1. keytool -list -v -keystore keystore.jks -storepass password
      1. make note of alias for your specific cert
  4. Implement in Fusion Middleware
    1. Login to FMW console
      1. base_domain > environment, servers, click on server name
      2. Keystores tab
        1. Custom Identity and Java Standard Trust
        2. Custom Identity Keystore: $MW_HOME/owm/keystore.jks
        3. Custom identity keystore type: jks
        4. Custom identity keystore passphrase: notapassword
        5. Save
      3. SSL Tab
        1. Identity and Trust Locations: change to keystores
        2. Private Key Alias, alias from step 3.1.1 above
        3. Private Key Passphrase: notapassword
        4. Confirm Private Key Passphrase: notapassword
    2. Go to general tab
      1. Check "SSL Listen Port Enabled"
      2. Set the SSL listen port to 7003
    3. Telnet from another machine to servername:7003 to verify connectivity
  5. You should now be able to connect to servername:7003 with a browser and not get an ugly cert error message.
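A quick check for steps 3 and 4, added here as an example and not part of the original post: it parses the `keytool -list -v` listing, reports the PrivateKeyEntry alias that the SSL tab's Private Key Alias field needs, and confirms the user cert, DigiCertCA.crt and root.crt all came through orapki as one unbroken chain. The SAMPLE listing is constructed (not real DigiCert data); the `check_keystore` wrapper assumes `keytool` is on the PATH.

```python
"""Check the JKS from step 3 and find the alias for step 4 (added example, not from the post)."""
import subprocess

# Constructed excerpt of `keytool -list -v` output (not real DigiCert data).
SAMPLE = "\n".join([
    "Alias name: mykey", "Entry type: PrivateKeyEntry",
    "Owner: CN=*.example.com, OU=YourDept, O=YourCo", "Issuer: CN=Example Intermediate CA",
    "Owner: CN=Example Intermediate CA", "Issuer: CN=Example Root CA",
    "Owner: CN=Example Root CA", "Issuer: CN=Example Root CA",
    "Alias name: rootca", "Entry type: trustedCertEntry", "Owner: CN=Example Root CA"])

def parse_keytool_listing(text):
    """Collect each entry's alias, entry type and (owner, issuer) pairs, in chain order."""
    entries = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Alias name":
            entries.append({"alias": value, "type": "", "certs": []})
        elif key == "Entry type":
            entries[-1]["type"] = value
        elif key == "Owner":
            entries[-1]["certs"].append([value, None])
        elif key == "Issuer":
            entries[-1]["certs"][-1][1] = value
    return entries

def check_identity(entries):
    """Return (alias for the Private Key Alias field, list of chain problems)."""
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if len(keys) != 1:
        return None, ["expected exactly one PrivateKeyEntry, found %d" % len(keys)]
    alias, certs, problems = keys[0]["alias"], keys[0]["certs"], []
    if not certs:
        return alias, ["no certificate attached to the private key"]
    if not certs[0][0].startswith("CN=*"):
        problems.append("leaf subject is not a wildcard: " + certs[0][0])
    for (_, issuer), (owner, _) in zip(certs, certs[1:]):
        if issuer != owner:  # intermediate missing or imported out of order
            problems.append("chain break between %r and %r" % (issuer, owner))
    if certs[-1][0] != certs[-1][1]:  # last cert should be the self-signed root
        problems.append("root CA missing from chain (check the root.crt import)")
    return alias, problems

def check_keystore(path, storepass):
    """Run step 3.1's keytool command on a real keystore and check the result."""
    out = subprocess.check_output(["keytool", "-list", "-v", "-keystore", path,
                                   "-storepass", storepass], universal_newlines=True)
    return check_identity(parse_keytool_listing(out))
```

On a real keystore, `check_keystore("$MW_HOME/owm/keystore.jks", "notapassword")` returns the alias to paste into the SSL tab and an empty problem list when the chain is complete.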

Hopefully this will help whoever stumbles for this in the future.

Useful notes:

  1. Convert Wallet To Keystore for WebLogic. (Doc ID 1363979.1)
