https://blogs.oracle.com/pa/entry/importing_server_and_private_key
veera.raghavendra.rao@oracle.com Page 1 of 31
https://blogs.oracle.com/pa
4. IIS Server:
IIS configured for SSL on 443 port
Generate CSR and submit to CA
Import the CA signed Server certificate
Can import (IIS Server certificate with its private key already available from CA)
Create https binding for the web site to run at 443 port
NOTE: If you are using a wildcard certificate, remember to turn off WebLogic Hostname Verification.
Create a certificate signing request (CSR), which has to be passed on to your external / third-party CA
(Certificate Authority).
Command: keytool -certreq -alias slc01hsu -file C:\Oracle\Middleware\ssl\slc01hsu_certreq.pem -keystore C:\Oracle\Middleware\ssl\myIdentity.jks
Note: The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.
A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate
requestor (usually off-line) and will return a certificate or certificate chain, used to replace the
existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
Submit the CSR file to the Certification Authority (CA) and get the Signed Certificate
Here we are using our own internal Certification Authority (CA)
Save CA Root, CA Intermediate & Signed Server Certificates into a folder like C:\Oracle\Middleware\ssl
Install the certificate into Trusted Root Certification Authorities; it is now valid.
Note:
The intermediate and root certificates should have different alias names, but the signed certificate
should be imported with the same alias that was used while creating the certificate key pair.
After importing all three certificates you should see: “Certificate reply was installed in Keystore”
message.
CAInter.pem
CARoot.pem
Slc01hsu.pem
Now list the keystore and check if all the certificates are imported successfully.
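One way to automate this check, as an added example that is not part of the original document: the script reads `keytool -list -v` output and confirms that the CA reply replaced the self-signed certificate on the key alias and that each certificate is followed by its issuer. The sample listing, its DNs, the aliases `cainter` and `caroot`, and the function names are constructed for illustration; the check compares Owner/Issuer strings only and does not verify signatures.

```python
import re

# Constructed sample of `keytool -list -v` output, trimmed to the fields used here.
SAMPLE_LISTING = """\
Alias name: slc01hsu
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=slc01hsu.example.com
Issuer: CN=Example Intermediate CA
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: cainter
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA

Alias name: caroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def parse_entries(listing):
    """Map alias -> (entry type, [(owner, issuer), ...]) from `keytool -list -v` text."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        kind = re.search(r"(?m)^Entry type: (\S+)", block)
        pairs = zip(re.findall(r"(?m)^Owner: (.+)$", block),
                    re.findall(r"(?m)^Issuer: (.+)$", block))
        entries[block.split("\n", 1)[0].strip().lower()] = (kind and kind.group(1), list(pairs))
    return entries

def check_identity(listing, key_alias):
    """Return problems found on the key entry; an empty list means the CA reply is in place."""
    kind, certs = parse_entries(listing).get(key_alias.lower(), (None, []))
    problems = []
    if kind != "PrivateKeyEntry":
        problems.append("no private key entry under this alias")
    if len(certs) < 2 or certs[0][0] == certs[0][1]:
        problems.append("leaf is self-signed or the chain is missing")
    for (_, issuer), (owner, _) in zip(certs, certs[1:]):
        if issuer != owner:
            problems.append(f"chain break after {issuer!r}")
    return problems
```

Save the output of `keytool -list -v -keystore C:\Oracle\Middleware\ssl\myIdentity.jks` to a file and pass its text to `check_identity` with the alias `slc01hsu`.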
Now that we have successfully created a third party CA signed Identity keystore and a Trust keystore,
we can configure WLS to use it by configuring Custom Identity and Custom Trust.
Click No, then right-click Trusted Certificates and add your CA intermediate and CA root certificates.
Unfortunately, validating the Java keystore will fail if we use anything other than orapki, so we
have to use the wallet. The signing request will be created along with it:
orapki wallet add -wallet C:\Oracle\Middleware\ssl\ohs\eWallet -dn "CN=brownbag.oracle.com, OU=CEAL, O=Oracle Corporation, L=Santa Clara, ST=California, C=US" -keysize 2048 -pwd Oracle123 -validity 365
Since we already have a jks file let us ignore the above steps.
Make sure the private key password and the wallet password match = Oracle123