Oracle® Retail Process Orchestration and Monitoring Security Guide Release 4.0.1 F17860-01
Self-signed certificates can be used in development environments for securing applications. The generic steps to be followed for creating self-signed certificates and configuring for use for Oracle Retail application deployment are covered in the subsequent sections.
Perform the following steps to create a keystore through the keytool in Fusion Middleware (FMW) 11g:
Create a directory for storing the keystores.
mkdir ssl
Run the following to set the environment:
cd $MIDDLEWARE_HOME/user_projects/domains/<domain>/bin
. ./setDomainEnv.sh
For example:
. ./setDomainEnv.sh
Create a keystore and private key, by executing the following command:
keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -dname <dn> -keypass <password> -keystore <keystore> -storepass <password> -validity 365
Example:
keytool -genkey -alias apphost2 -keyalg RSA -keysize 2048 -dname "CN=<Server Name>,OU=<Organization Unit>, O=<Organization>,L=<City>,ST=<State>,C=<Country>" -keypass <kpass> -keystore /u00/webadmin/ssl/apphost2.keystore -storepass <spass> -validity 365
Perform the following steps to export the certificate from the identity keystore into a file (for example, pubkey.cer):
Run the following command:
keytool -export -alias selfsignedcert -file pubkey.cer -keystore identity.jks -storepass <password>
Example:
keytool -export -alias apphost2 -file /u00/webadmin/ssl/pubkey.cer -keystore /u00/webadmin/ssl/apphost2.keystore -storepass <spass>
Perform the following steps to import the certificate you exported into trust.keystore:
Run the following command:
keytool -import -alias selfsignedcert -trustcacerts -file pubkey.cer -keystore trust.keystore -storepass <password>
Example:
keytool -import -alias apphost2 -trustcacerts -file pubkey.cer -keystore trust.keystore -storepass <spass>
Owner: CN=apphost2, OU=<Organization Unit>, O=<company>,L=<city>,ST=<state or province>, C=<country>
Enter yes when prompted whether to trust the certificate.
Example:
Trust this certificate? [no]: yes
You need to enable SSL for the WebLogic Admin and managed servers by following the steps in the Configuring the Application Server for SSL section.
You need to secure the Node Manager by following the steps in the Securing Nodemanager with SSL Certificates section.
For the Java Virtual Machine (JVM) to trust your newly created certificate, import your custom certificates into the JVM trust store.
Perform the following steps to import the root certificate into JVM Trust Store:
Ensure that JAVA_HOME has been configured.
Run the following command:
keytool -import -trustcacerts -file rootCer.cer -alias selfsignedcert -keystore cacerts
Example:
keytool -import -trustcacerts -file /u00/webadmin/ssl/root.cer -alias apphost2 -keystore /u00/webadmin/product/jdk1.6.0_30.64bit/jre/lib/security/cacerts -storepass [spass default is changeit]
Enter yes when prompted whether to trust the certificate.
Example:
Trust this certificate? [no]: yes
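The three keytool steps above (create the identity keystore, export the certificate, import it into the trust keystore) scripted end to end, with a final check that the certificate now in the trust keystore is the one that was generated. This is an added example, not part of the Oracle guide; the alias apphost2, the demo password, the ./ssl-demo directory and the subject DN are constructed values, and a JDK keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): identity keystore -> exported
# certificate -> trust keystore, then a fingerprint comparison of both stores.
# Constructed values: alias, password, directory, DN. Requires keytool on PATH.

SSL_DIR="${SSL_DIR:-./ssl-demo}"
ALIAS="apphost2"
PASS="changeit-demo"   # demo value; the same password is used for store and key
IDENTITY="$SSL_DIR/apphost2.keystore"
TRUST="$SSL_DIR/trust.keystore"
PUBKEY="$SSL_DIR/pubkey.cer"
DN="CN=apphost2.example.test,OU=Retail,O=Example,L=City,ST=State,C=US"

# Step 1: keystore plus 2048-bit RSA key pair (-genkeypair is the current
# name of the -genkey option used in the guide).
create_identity_keystore() {
    mkdir -p "$SSL_DIR"
    rm -f "$IDENTITY" "$TRUST" "$PUBKEY"   # a fresh run must not hit "alias exists"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "$DN" \
        -keypass "$PASS" -keystore "$IDENTITY" -storepass "$PASS" -validity 365
}

# Step 2: export the public certificate from the identity keystore.
export_certificate() {
    keytool -export -alias "$ALIAS" -file "$PUBKEY" -keystore "$IDENTITY" -storepass "$PASS"
}

# Step 3: import it into the trust keystore; -noprompt answers the
# "Trust this certificate? [no]:" question with yes non-interactively.
import_into_truststore() {
    keytool -import -alias "$ALIAS" -trustcacerts -file "$PUBKEY" \
        -keystore "$TRUST" -storepass "$PASS" -noprompt
}

# Fingerprint keytool reports for the alias in the given keystore (SHA-256 on
# current JDKs, SHA1 on old ones; both stores are read with the same keytool).
fingerprint() {
    keytool -list -alias "$ALIAS" -keystore "$1" -storepass "$PASS" 2>/dev/null |
        grep -i 'fingerprint' | head -n 1 | awk '{print $NF}'
}

# Run the three steps and report "match" only if the trusted certificate is
# byte-for-byte the generated one (same fingerprint in both keystores).
verify_trust_matches_identity() {
    create_identity_keystore >/dev/null 2>&1 && export_certificate >/dev/null 2>&1 \
        && import_into_truststore >/dev/null 2>&1 || { echo MISMATCH; return; }
    id_fp=$(fingerprint "$IDENTITY"); tr_fp=$(fingerprint "$TRUST")
    if [ -n "$id_fp" ] && [ "$id_fp" = "$tr_fp" ]; then echo match; else echo MISMATCH; fi
}

if command -v keytool >/dev/null 2>&1; then
    echo "trust keystore check: $(verify_trust_matches_identity)"
else
    echo "keytool not found; set JAVA_HOME/PATH to a JDK first" >&2
fi
```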
This topic is covered in the Disabling Hostname Verification section.
Certificate authorities provide signed certificates in different formats. However, not all certificate formats can be imported into Java-based keystores, so the certificates must be converted to a usable form. Java-based keystores support the X.509 certificate format.
The following example demonstrates converting a PKCS 7 certificate to X.509 format:
Copy the PKCS 7 certificate file to a Windows desktop.
Rename the file and provide a .p7b extension.
Open the .p7b file.
Click the plus (+) symbol.
Click the Certificates directory.
The Certificates directory also contains an intermediate certificate, if the CA provided one for trust.
Note: If an Extended Validation certificate is being converted, you should see three files: the End Entity certificate and the two EV intermediate CA certificates.
Right click on your certificate file.
Select All Tasks > Export.
Click Next.
Select Base-64 encoded X.509 (.cer).
Click Next.
Browse to a location to store the file.
Enter a File name.
For example, MyCert. The .cer extension is added automatically.
Click Save.
Click Next.
Click Save.
The certificate can be now imported into Java-based keystores.
Example:
keytool -import -trustcacerts -alias apphost1 -file /u00/webadmin/ssl/cert-x509.cer -keystore /u00/webadmin/product/jdk/jre/lib/security/cacerts
Enter keystore password: [default is changeit]