To create two-way host certificates using generateSSLCertificates, follow these steps:
If there is a CA root certificate in the deployment_template\ssl_certs_utility\bin\ssl directory, the generateSSLCertificates utility loads the filename of this certificate. It will use the CA root certificate to sign the SSL host certificates that it generates.
If there is no CA root certificate in deployment_template\ssl_certs_utility\bin\ssl, the generateSSLCertificates utility:
The generateSSLCertificates utility generates SSL host certificates in PEM, PKCS12, and JKS formats. To do this, it:
Prompts the user to specify the hostname and domain name of the server.
Places the host certificate in the directory deployment_template\ssl_certs_utility\bin\ssl.
Prompts the user to specify passphrases for the keystore and trust store files.
Prompts the user to specify a keyname to add passphrases to OCS with the mapName oracleCommerceSSLPassPhrase.
Note
Each of the host certificates is digitally signed by the CA root certificate.
It prompts users to indicate whether they want to generate a certificate for another host.
The hosts in the distributed system use the certificates created by generateSSLCertificates as follows:
The server and each client load one of the SSL host certificates created by generateSSLCertificates.
When a client asks to verify the server, the server sends its SSL host certificate to the client.
The client verifies the SSL host certificate by comparing it to its own CA Certificate, which was signed by the Certificate Authority that signed the root certificate.
When a server asks to verify a client, the client sends its SSL client certificate to the server.
The server verifies the SSL client certificate by comparing it to its own CA Certificate, which was signed by the Certificate Authority that signed the root certificate.
Because the server and the clients have certificates signed by a Certificate Authority whom they all trust, they can recognize each other as trustworthy.
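The trust relationship described above can be reproduced with the openssl command line. This is an added example, not code from generateSSLCertificates or from Oracle's documentation; the CA names, host names, and passphrase are constructed, and JKS output is omitted because it requires the Java keytool.

```bash
#!/usr/bin/env bash
# Added example. All names below (demo-root-ca, server.example.com, ...) are constructed.

# make_ca DIR CN: create a self-signed CA root key and certificate in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_host_cert DIR HOST: create a key and CSR for HOST, sign it with DIR's CA.
make_host_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# verify_against_ca CA_PEM CERT_PEM: succeed only if CERT_PEM chains to CA_PEM.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# export_pkcs12 DIR HOST: bundle HOST's key, certificate and the CA root.
# The passphrase is read from $P12_PASS so it never appears in the process list.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" \
    -certfile "$1/ca.pem" -passout env:P12_PASS -out "$1/$2.p12" 2>/dev/null
}

# demo: both peers trust one root; a certificate from another root is rejected.
demo() {
  local d; d=$(mktemp -d) || return 1
  mkdir "$d/trusted" "$d/other"
  make_ca "$d/trusted" demo-root-ca && make_ca "$d/other" other-root-ca || return 1
  make_host_cert "$d/trusted" server.example.com || return 1
  make_host_cert "$d/trusted" client.example.com || return 1
  make_host_cert "$d/other" unknown.example.com || return 1
  # Client checks the server, server checks the client, both against the shared root.
  verify_against_ca "$d/trusted/ca.pem" "$d/trusted/server.example.com.pem" || return 1
  verify_against_ca "$d/trusted/ca.pem" "$d/trusted/client.example.com.pem" || return 1
  # A certificate signed by a root the peers do not hold must fail verification.
  verify_against_ca "$d/trusted/ca.pem" "$d/other/unknown.example.com.pem" && return 1
  export P12_PASS=constructed-passphrase
  export_pkcs12 "$d/trusted" server.example.com || return 1
  [ -s "$d/trusted/server.example.com.p12" ] || return 1
  rm -rf "$d"
}

demo && echo "mutual verification against the shared CA root behaves as described"
```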
The following figure illustrates how generateSSLCertificates establishes SSL connections between Oracle Commerce components: