BEA WebLogic Server Release 5.1

WebLogic Certificate Request Generator Help

Summary
Servlet entry fields
  Country code
  Organizational unit name
  Organization name
  Email address
  Full host name
  Locality name
  State name
  Random string
  Strength
Submitting your CSR
Installing the test certificate on your WebLogic Server
Obtaining a permanent certificate

Other resources
  Valid ISO country codes
  Using WebLogic SSL

Summary

The Certificate Request Generator servlet generates private and public keys and a Certificate Signing Request (CSR) that you can submit to a certificate authority, such as VeriSign.

Once you have generated the request, you can have the servlet submit the CSR to VeriSign to verify that the request contains valid information and is formatted correctly. This only verifies the request; you must still apply for a server ID from a certificate authority.

The servlet generates files in your WebLogic start-up directory. The names of the files begin with the full host name you enter in the servlet, with periods changed to underscores. For example, if you enter "www.mydomain.com" for your full host name, the servlet generates the following files:

www_mydomain_com-key.der
This is your private key file.

www_mydomain_com-request.dem
This is the encrypted certificate request file, in a binary format.

www_mydomain_com-request.pem
This is the CSR file, which you submit to the certificate authority. It contains the same data as the .dem file, but encoded in ASCII so that you can copy it into email or paste it into a web form.

Servlet fields

Country code
Enter the two-character ISO code for your country.

Organizational unit name
You can enter the name of your division, department, or other operational unit of your organization.

Organization name
Enter the name of your organization. Certificate authorities may require that this be a legal name; you may be asked to provide proof such as a business license or articles of incorporation. In addition, the certificate authority may require that the host name you enter is in a domain registered with the InterNIC to this organization.

Email address
Enter the email address of the host's administrator.

Full host name
Enter the fully-qualified name of the server where the certificate will be installed. This is the name used for DNS lookups of the server, such as "www.mydomain.com". Browsers match the URL they are contacting to the name in the certificate. If you change the host name later, you'll need to request another certificate signature.

Locality name
Enter the name of your city, town, or other locality. If you operate with a license granted by a city, this is a required field and you must enter the name of the city that granted your license, and you must enter your State or Province in the State name field.

State name
If you are in the United States or Canada, enter the name of the State or Province in which your organization operates. Do not abbreviate.

Random string
(Optional) Enter a string of characters to be used by the encryption algorithm. You will never have to remember this string in the future. The string is used to add an external factor to the encryption algorithm, making it more difficult for anyone to break the encryption. For this reason, you should enter a string that is not likely to be guessed. A long string with a good mixture of uppercase and lowercase letters, digits, spaces, and punctuation characters contributes to more secure encryption.

Strength
(Domestic version only) Select the length (in bits) of the keys to be generated. The longer the key, the more difficult it is for someone to break the encryption. With the exportable version of the WebLogic Server, 512-bit keys are generated; the Strength field does not appear. With the domestic version, you can choose 512-, 768-, or 1024-bit keys. Contact sales if you want to apply for the domestic version of the WebLogic Server. If you generate a higher-strength key, but you still want to be able to support exportable strength clients, be sure to generate a second request for a 512-bit certificate. If you install only domestic-strength certificates in your server, exportable-strength browsers will not be able to authenticate.

Submitting your CSR

When you click Generate Request, the servlet generates the key file and the CSR file. The encryption algorithms are complex, so it may take some time for the servlet to respond. The servlet displays the certificate request and the names of the key and request files, as in this example:

-----BEGIN CERTIFICATE REQUEST-----
MIIBaDCCARICAQAwgawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYD
VQQHEwdPYWtsYW5kMSAwHgYDVQQKExdPdXRyaWdodCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
CxMLSG9tZSBPZmZpY2UxGTAXBgNVBAMTEHd3dy5vdXRyaWdodC5jb20xIzAhBgkqhkiG9w0B
CQEWFGxpdHplbGxAb3V0cmlnaHQuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMO86duO
W4OF/oDNx58GA3SpnY07ziOsiuRZZo3CUOEmQpIW7XnxUVzh2T33CtvAVRbHsQc8T/oJWMD4
Lmv0cFMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EAvus5rLFLWtVPi4jDgb3KXTpv0Rb5YMhq
QKVud+p0sUtLOAxGi+aCJ9FYyiVx5PaFighptaI4mm/zm8RPRu+FoA==
-----END CERTIFICATE REQUEST-----

Key filename: C:\weblogic\www_yzzyxdom_com-key.der
Request filename: C:\weblogic\www_yzzyxdom_com-request.pem

Click Submit Certificate to VeriSign Test CA for Verifications to test that your CSR is valid. The servlet sends the CSR to VeriSign.

If there were any errors in your input, VeriSign returns a web page that describes the error. Click Back in your browser to return to the Certificate Request Generator form and correct the error. Note that you'll have to delete the generated files before you can regenerate your request since the servlet will not overwrite these files if they exist.

If VeriSign found no errors in input, it returns a web page containing the information you entered. You can complete the contact information on this page, read the Digital ID Subscriber Agreement, and click Accept to request a test certificate that you can install in WebLogic for testing. Within a couple of minutes, VeriSign emails your test certificate to the email address you entered.
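Before submitting, the request can also be checked locally for the two things the Full host name and Strength fields control: the common name in the subject and the key size. The Python below is an added example, not part of the BEA documentation or the servlet; it walks the DER structure of the sample request shown above. It assumes a well-formed PKCS#10 request with an RSA key, and the function names and the `min_bits` threshold are choices of this example.

```python
import base64

PAGE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBaDCCARICAQAwgawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYD
VQQHEwdPYWtsYW5kMSAwHgYDVQQKExdPdXRyaWdodCBDb21tdW5pY2F0aW9uczEUMBIGA1UE
CxMLSG9tZSBPZmZpY2UxGTAXBgNVBAMTEHd3dy5vdXRyaWdodC5jb20xIzAhBgkqhkiG9w0B
CQEWFGxpdHplbGxAb3V0cmlnaHQuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMO86duO
W4OF/oDNx58GA3SpnY07ziOsiuRZZo3CUOEmQpIW7XnxUVzh2T33CtvAVRbHsQc8T/oJWMD4
Lmv0cFMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0EAvus5rLFLWtVPi4jDgb3KXTpv0Rb5YMhq
QKVud+p0sUtLOAxGi+aCJ9FYyiVx5PaFighptaI4mm/zm8RPRu+FoA==
-----END CERTIFICATE REQUEST-----"""  # sample request shown on this page
OID_CN = bytes([0x55, 0x04, 0x03])     # commonName, 2.5.4.3

def children(buf):
    """Split DER contents into the value bytes of each element they hold."""
    out, pos = [], 0
    while pos < len(buf):
        length, pos = buf[pos + 1], pos + 2      # skip the tag, read the length
        if length & 0x80:                        # long form: N length bytes follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append(buf[pos:pos + length])
        pos += length
    return out

def inspect_csr(pem):
    """Return (subject common name, RSA modulus bits) of a PKCS#10 request."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    cri = children(children(base64.b64decode(body))[0])[0]  # CertificationRequestInfo
    _version, subject, spki = children(cri)[:3]
    cn = None
    for rdn in children(subject):                        # each RDN is a SET
        for oid, value in map(children, children(rdn)):  # of SEQUENCE {OID, value}
            if oid == OID_CN:
                cn = value.decode("latin-1")
    rsa_key = children(spki)[1][1:]      # BIT STRING minus its unused-bits byte
    modulus = children(children(rsa_key)[0])[0]          # RSAPublicKey {n, e}
    return cn, int.from_bytes(modulus, "big").bit_length()

def check_csr(pem, host, min_bits):
    """List problems to fix before the request goes to the CA."""
    cn, bits = inspect_csr(pem)
    findings = []
    if (cn or "").lower() != host.lower():
        findings.append(f"CN {cn!r} does not match host {host!r}")
    if bits < min_bits:
        findings.append(f"{bits}-bit key is below the required {min_bits} bits")
    return findings

print(check_csr(PAGE_CSR, "www.yzzyxdom.com", 1024))  # host implied by the file names above
```

For the sample request, `inspect_csr` returns the common name `www.outright.com` and a 512-bit key, so the call above reports both a host name mismatch and a key below the 1024-bit threshold.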

Installing the test certificate on your WebLogic Server

Once you have your certificate, you can follow these steps to install it and configure the WebLogic Server.

  1. From the certificate you received in email from VeriSign, save the lines between, and including, "BEGIN CERTIFICATE" and "END CERTIFICATE" to a file in your WebLogic per-server directory, myserver by default. The certificate is in PEM format, so you must save it to a file with a .pem extension.

  2. Copy the private key file (.der) generated by the Certificate Request Generator Servlet to the same WebLogic per-server directory.

  3. Edit the weblogic.properties file to enable security and install your certificate:

    • Set the WebLogic property weblogic.system.SSLListenPort to a non-zero value to enable the security features in the WebLogic Server.

    • Set the property weblogic.security.key.server to the name of your private key (the .der file generated by the Certificate Request Generator servlet).

    • Set the property weblogic.security.certificate.server to the name of the certificate you saved from your VeriSign email.

    • Comment out the property weblogic.security.certificate.authority=ca.der by placing a number sign (#) in front of it. If you leave this property set to ca.der you will have problems with your test certificate. Optionally, you can set this property to the name of the SecureServerCA.der certificate included in the distribution. This file is VeriSign's issuer certificate, and can be used as a value for weblogic.security.certificate.authority for certificates issued by VeriSign. This property is usually only needed for certificate authorities that are not well-known.

Here are the properties to add to the weblogic.properties file:


# Port at which the WebLogic Server listens for SSL requests
weblogic.system.SSLListenPort=port_number

# File names of the certificate, your private key
# and the CA's public key
weblogic.security.certificate.server=filename of certificate
weblogic.security.key.server=filename of your private key
weblogic.security.certificate.authority=filename of authority's public key

After installing the files and setting the properties, start (or restart) the WebLogic Server.

For additional information about setting up certificates and certificate chains in WebLogic, see Installing certificates on a WebLogic Server in Using WebLogic SSL.
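The installation steps above can be checked before the server is restarted. The following Python is an added example, not BEA code: it reads the properties text and reports any of the four settings that do not match the steps, using the servlet's file naming rule for the key file. The function names, the `server_files` mapping (file name in the per-server directory to file contents), the bare file names and the sample values are assumptions of this example.

```python
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+"
                      r"-----END CERTIFICATE-----")

def parse_properties(text):
    """Read key=value lines; blank lines and '#' comment lines are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def preflight(properties_text, host, server_files):
    """Check weblogic.properties against the install steps for `host`."""
    p, findings = parse_properties(properties_text), []
    port = p.get("weblogic.system.SSLListenPort", "0")
    if not port.isdigit() or int(port) == 0:
        findings.append("SSLListenPort must be set to a non-zero port")
    key = p.get("weblogic.security.key.server")
    expected_key = host.replace(".", "_") + "-key.der"  # servlet naming rule
    if key != expected_key or key not in server_files:
        findings.append(f"key.server should be {expected_key}, present in the server directory")
    cert = p.get("weblogic.security.certificate.server", "")
    text = server_files.get(cert, b"").decode("ascii", "replace")
    if not cert.endswith(".pem") or not PEM_CERT.search(text):
        findings.append("certificate.server must name a .pem file holding the certificate")
    if p.get("weblogic.security.certificate.authority") == "ca.der":
        findings.append("certificate.authority=ca.der must be commented out")
    return findings

# Constructed sample: placeholder key bytes, certificate body, port and cert name.
FILES = {"www_mydomain_com-key.der": b"0\x00",
         "server-cert.pem": b"-----BEGIN CERTIFICATE-----\nTUlJ\n-----END CERTIFICATE-----\n"}
GOOD = """weblogic.system.SSLListenPort=7002
weblogic.security.key.server=www_mydomain_com-key.der
weblogic.security.certificate.server=server-cert.pem
#weblogic.security.certificate.authority=ca.der
"""
print(preflight(GOOD, "www.mydomain.com", FILES))
```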

Obtaining a permanent certificate

The VeriSign test certificate is valid for two weeks. To obtain a permanent certificate from VeriSign, follow the instructions on VeriSign's Enrollment page. When you are asked in Step 5 to select the Server Software Vendor, choose "Apache Freeware with SSLeay." This ensures that the certificate you receive from VeriSign is compatible with the WebLogic Server.

 

Copyright © 2000 BEA Systems, Inc. All rights reserved.
Last updated 03/07/2000