WebLogic Certificate Request Generator Help
- Summary
- Servlet entry fields
- Country code
- Organizational unit name
- Organization name
- Email address
- Full host name
- Locality name
- State name
- Random string
- Strength
- Submitting your CSR
- Installing the test certificate on your WebLogic Server
- Obtaining a permanent certificate
- Other resources
- Valid ISO country codes
- Using WebLogic SSL
Summary
The Certificate Request Generator servlet generates private and public keys
and a Certificate Signing Request (CSR) that you can submit to a certificate
authority, such as VeriSign.
Once you have generated the request, you can have the servlet submit
the CSR to VeriSign to verify that
the request contains valid information and is formatted
correctly. This only verifies the request; you must still apply for
a server ID from a certificate authority.
The servlet generates files in your WebLogic start-up directory. The names
of the files begin with the full host name you enter in the servlet, with periods
changed to underscores. For example, if you enter "www.mydomain.com" for your full host name,
the servlet generates the following files:
- www_mydomain_com-key.der
  This is your private key file.
- www_mydomain_com-request.dem
  This is the encrypted certificate request file, in a binary format.
- www_mydomain_com-request.pem
  This is the CSR file, which you submit to the certificate authority.
  It contains the same data as the .dem file, but encoded in ASCII so that
  you can copy it into email or paste it into a web form.
Servlet fields
- Country code
  Enter the two-character ISO code for your country.
- Organizational unit name
  You can enter the name of your division, department, or other operational
  unit of your organization.
- Organization name
  Enter the name of your organization. Certificate authorities may
  require that this be a legal name; you may be asked to provide proof
  such as a business license or articles of incorporation. In addition,
  the certificate authority may require that the host name you enter is
  in a domain registered with the InterNIC to this organization.
- Email address
  Enter the email address of the host's administrator.
- Full host name
  Enter the fully-qualified name of the server where
  the certificate will be installed. This is the name used for DNS
  lookups of the server, such as "www.mydomain.com". Browsers match the
  URL they are contacting to the name in the certificate. If you
  change the host name later, you'll need to request another certificate
  signature.
- Locality name
  Enter the name of your city, town, or other locality. If you
  operate with a license granted by a city, this is a required
  field and you must enter the name of the city that granted
  your license, and you must enter your State or Province in the
  State name field.
- State name
  If you are in the United States or Canada, enter the name of the State
  or Province in which your organization operates. Do not abbreviate.
- Random string
  (Optional) Enter a string of characters to be used by the encryption
  algorithm. You will never have to remember this string in the
  future. The string is used to add an external factor to the encryption
  algorithm, making it more difficult for anyone to break the
  encryption. For this reason, you should enter a string that is not
  likely to be guessed. A long string with a good mixture of uppercase
  and lowercase letters, digits, spaces, and punctuation characters
  contributes to more secure encryption.
- Strength
  (Domestic version only) Select the length (in bits) of the keys to be
  generated. The longer the key, the more difficult it is for someone
  to break the encryption. With the exportable version of the WebLogic
  Server, 512-bit keys are generated; the Strength field does not
  appear. With the domestic version, you can choose 512-, 768-, or
  1024-bit keys. Contact sales
  if you want to apply for the domestic version of the WebLogic Server.
  If you generate a higher-strength key, but you still want to be able
  to support exportable strength clients, be sure to generate a second
  request for a 512-bit certificate. If you install only domestic-strength
  certificates in your server, exportable-strength browsers will not be
  able to authenticate.
Submitting your CSR
When you click Generate Request, the servlet generates the key file and the CSR file.
The encryption algorithms are complex, so it may take some time for the servlet to
respond. The servlet displays the certificate request and the names of the key and
request files, as in this example:
-----BEGIN CERTIFICATE REQUEST-----
MIIBaDCCARICAQAwgawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYD
VQQHEwdPYWtsYW5kMSAwHgYDVQQKExdPdXRyaWdodCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
CxMLSG9tZSBPZmZpY2UxGTAXBgNVBAMTEHd3dy5vdXRyaWdodC5jb20xIzAhBgkqhkiG9w0B
CQEWFGxpdHplbGxAb3V0cmlnaHQuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMO86duO
W4OF/oDNx58GA3SpnY07ziOsiuRZZo3CUOEmQpIW7XnxUVzh2T33CtvAVRbHsQc8T/oJWMD4
Lmv0cFMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EAvus5rLFLWtVPi4jDgb3KXTpv0Rb5YMhq
QKVud+p0sUtLOAxGi+aCJ9FYyiVx5PaFighptaI4mm/zm8RPRu+FoA==
-----END CERTIFICATE REQUEST-----
Key filename: C:\weblogic\www_yzzyxdom_com-key.der
Request filename: C:\weblogic\www_yzzyxdom_com-request.pem
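As an added example (not part of the original help page or of WebLogic), the following Python decodes the sample request shown above with a minimal DER walker and reports the subject fields, the RSA key length and the signature algorithm, so you can confirm what the Strength setting actually produced before submitting a CSR. The function names are hypothetical and only the standard library is used.

```python
import base64

# CSR exactly as printed in the servlet output example on this page.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBaDCCARICAQAwgawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYD
VQQHEwdPYWtsYW5kMSAwHgYDVQQKExdPdXRyaWdodCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
CxMLSG9tZSBPZmZpY2UxGTAXBgNVBAMTEHd3dy5vdXRyaWdodC5jb20xIzAhBgkqhkiG9w0B
CQEWFGxpdHplbGxAb3V0cmlnaHQuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMO86duO
W4OF/oDNx58GA3SpnY07ziOsiuRZZo3CUOEmQpIW7XnxUVzh2T33CtvAVRbHsQc8T/oJWMD4
Lmv0cFMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EAvus5rLFLWtVPi4jDgb3KXTpv0Rb5YMhq
QKVud+p0sUtLOAxGi+aCJ9FYyiVx5PaFighptaI4mm/zm8RPRu+FoA==
-----END CERTIFICATE REQUEST-----"""

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
        "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "email",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def children(buf):
    """Split DER content bytes into the value bytes of each element in it."""
    out, pos = [], 0
    while pos < len(buf):
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append(buf[pos:pos + length])
        pos += length
    return out

def oid(raw):  # DER OBJECT IDENTIFIER -> its name if known, else dotted form
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def inspect_csr(pem):
    """Return (subject dict, RSA modulus bits, signature algorithm)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    info, sig_alg, _sig = children(children(base64.b64decode(body))[0])
    subject, spki = children(info)[1:3]    # skip the version INTEGER
    names = {oid(k): v.decode("latin-1")
             for rdn in children(subject) for k, v in map(children, children(rdn))}
    rsa_key = children(children(spki)[1][1:])[0]   # drop BIT STRING pad byte
    bits = int.from_bytes(children(rsa_key)[0], "big").bit_length()
    return names, bits, oid(children(sig_alg)[0])
```

For the sample request above, inspect_csr(CSR_PEM) reports a subject with CN www.outright.com, a 512-bit RSA key and the md5WithRSAEncryption signature algorithm.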
Click Submit Certificate to VeriSign Test CA for Verifications to test that
your CSR is valid. The servlet sends the CSR to VeriSign.
If there were any errors in your input, VeriSign returns a web page that describes
the error. Click Back in your browser to return to the Certificate Request Generator
form and correct the error. Note that you'll have to delete the generated files
before you can regenerate your request since the servlet will not overwrite these
files if they exist.
If VeriSign found no errors in input, it returns a web page containing
the information you entered.
You can complete the contact information on
this page, read the Digital ID Subscriber Agreement, and click Accept
to request a test certificate that you can install in WebLogic for
testing. Within a couple of minutes, VeriSign emails your test
certificate to the email address you entered.
Installing the test certificate on your WebLogic Server
Once you have your certificate, you can follow these steps to install
it and configure the WebLogic Server.
- From the certificate you received in email from VeriSign,
  save the lines between, and including, "BEGIN CERTIFICATE" and "END
  CERTIFICATE" to a file in your WebLogic per-server directory,
  myserver by default.
  The certificate is in PEM format, so you must save it to a file with a
  .pem extension.
- Copy the private key file (.der) generated by the Certificate Request Generator
  Servlet to the same WebLogic per-server directory.
- Edit the weblogic.properties
  file to enable security and install your certificate:
  - Set the WebLogic property weblogic.system.SSLListenPort to a non-zero value to
    enable the security features in the WebLogic Server.
  - Set the property weblogic.security.key.server to the name of your
    private key (the .der file
    generated by the Certificate Request Generator servlet).
  - Set the property weblogic.security.certificate.server to the
    name of the certificate you saved from your VeriSign email.
  - Comment out the property weblogic.security.certificate.authority=ca.der by
    placing a number sign (#) in front of it.
    If you leave this property set to ca.der
    you will have problems with your test certificate.
    Optionally, you can set this property to the name
    of the SecureServerCA.der
    certificate included in the distribution. This file is
    VeriSign's issuer certificate, and can be used as a value for weblogic.security.certificate.authority
    for certificates issued by VeriSign. This property is usually only
    needed for certificate authorities that are not well-known.
Here are the properties to add to the
weblogic.properties file:
# Port at which the WebLogic Server listens for SSL requests
weblogic.system.SSLListenPort=port_number
# File names of the certificate, your private key
# and the CA's public key
weblogic.security.certificate.server=filename of certificate
weblogic.security.key.server=filename of your private key
weblogic.security.certificate.authority=filename of authority's public key
After installing the files and setting the properties, start (or
restart) the WebLogic Server.
For additional information about setting up certificates and certificate chains
in WebLogic, see
Installing certificates on a WebLogic Server in Using WebLogic SSL.
Obtaining a permanent certificate
The VeriSign test certificate is valid for two weeks. To obtain a
permanent certificate from VeriSign, follow the instructions on VeriSign's
Enrollment page. When you are asked in Step 5 to select the
Server Software Vendor, choose "Apache Freeware with SSLeay." This
ensures that the certificate you receive from VeriSign is compatible
with the WebLogic Server.