Create Keystores and Certificates for WebLogic Server
Use keytool to create your own public/private key pairs and self-signed certificates. Optionally, create a Certificate Signing Request (CSR) for each generated certificate and submit it to a CA to obtain a trusted certificate.
- Connect to the Administration Server node in your service instance with a secure shell (SSH) client, and then switch to the oracle user.
  sudo su - oracle
- Create a directory /u01/data/keystores to hold the keystore files.
  cd /u01/data
  mkdir keystores
  cd keystores
  Caution: Do not place your keystore and certificate files in the Middleware Home (MIDDLEWARE_HOME) or Java Home (JAVA_HOME) directories. Any modifications you make to these locations might be lost when you apply a patch.
  Caution: Do not place your keystore and certificate files in the Domain Home (DOMAIN_HOME) or /u01/data/domains directories, because those directories are included in backups. A restore operation might bring back an expired certificate and cause errors during a server restart.
- Use the keytool command to create a new identity keystore file and to generate a key pair with a self-signed certificate in it under the alias server_cert. The private key is stored in this keystore, so it must be protected like any other secret.
  keytool -genkeypair -alias alias -keyalg keyalg -sigalg sigalg -keysize size -dname dn -keystore keystore_file
For example:
keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore identity.jks
Note that the CN of the X.500 Distinguished Name is the host and DNS domain name of the WebLogic Server, here example.com. Clients compare this name with the host name they connected to, so it must match the name used in the server URL. Modern TLS clients match the host name against the subjectAltName extension rather than the CN; keytool can add one with -ext SAN=dns:example.com.
- When prompted, enter a password for the keystore.
- When prompted, enter a password for the private key server_cert, or press Enter to use the same password as the keystore.
- If you are using a self-signed certificate to configure SSL, then create a custom trust keystore file.
  - Use keytool to export the self-signed certificate server_cert from the identity keystore to a file named server_cert.cer. Only the certificate (the public part) is exported; the private key stays in the identity keystore.
    keytool -exportcert -alias server_cert -file server_cert.cer -keystore keystore_file
    When prompted, enter the password for the keystore.
  - Use keytool to create a trust keystore file and to import server_cert.cer into this new keystore. Use the same alias, server_cert.
    keytool -importcert -alias server_cert -file server_cert.cer -keystore trust_keystore_file
    For example:
    keytool -importcert -alias server_cert -file server_cert.cer -keystore trust.jks
  - When prompted, enter a password for the new keystore.
  - When prompted to trust this certificate, enter yes.
- If you are using a CA-issued certificate to configure SSL, then create a CSR file from the identity keystore.
  - Use keytool to create a CSR file for the server_cert private key.
    keytool -certreq -alias alias -file certreq_file -keystore keystore
For example:
keytool -certreq -alias server_cert -file server_cert.csr -keystore identity.jks
  - When prompted, enter the password for the keystore and the private key.
  - Submit the CSR to a Certificate Authority of your choice in order to obtain a trusted certificate.
  - Import the CA-issued certificate into the identity keystore under the same alias, server_cert, so that it replaces the self-signed certificate. Import the CA's root certificate and any intermediate certificates first: keytool only accepts a CA reply if it can build the chain from the reply to an issuer that is already in the keystore or in the Java cacerts store.
- Copy the keystore files to all the other nodes in your service instance. The identity keystore contains the server's private key, so transfer it only over SSH as shown and leave it readable by the oracle user alone.
  For example:
  ssh myinstance-wls-2
  mkdir /u01/data/keystores
  scp myinstance-wls-1:/u01/data/keystores/identity.jks /u01/data/keystores
  scp myinstance-wls-1:/u01/data/keystores/trust.jks /u01/data/keystores
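The whole procedure above, both the self-signed route and the CSR route, as one non-interactive script so it can be run and checked without answering keytool prompts. This is an added example and not code from the Oracle page: the directory, host name, passwords, the ca_root alias and the function names are placeholders of my own, and the -ext SAN, -validity, -noprompt and -storetype options go beyond the commands the page shows (they are standard keytool options). Two checks a practitioner wants are built in: the identity keystore ends up with exactly one private key entry, and the trust keystore with none.

```shell
#!/bin/sh
# Added example, not part of the Oracle page: the keystore steps run
# non-interactively so they can be scripted and verified. Assumes a JDK keytool
# on PATH. Directory, host name and passwords are placeholders passed in through
# environment variables (constructed values, not from the page).
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/u01/data/keystores}"
HOST_FQDN="${HOST_FQDN:-example.com}"
ALIAS="server_cert"
# Read these from a prompt or a secret store in real use; defaults are for the demo only.
STORE_PASS="${STORE_PASS:-identity-demo-pass}"
TRUST_PASS="${TRUST_PASS:-trust-demo-pass}"

# Create identity.jks (key pair + self-signed cert), trust.jks (cert only) and a CSR in $1.
create_keystores() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"

    # Identity keystore: 2048-bit RSA key pair, SHA-256 self-signed certificate.
    # -ext SAN is added beyond the page's command: TLS clients match the host name
    # against subjectAltName, not CN. -storetype JKS keeps the format the page uses.
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -sigalg SHA256withRSA -keysize 2048 \
        -dname "CN=$HOST_FQDN,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" \
        -ext "SAN=dns:$HOST_FQDN" -validity 365 -storetype JKS \
        -keystore "$dir/identity.jks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"

    # Export only the certificate (public part); the private key never leaves identity.jks.
    keytool -exportcert -alias "$ALIAS" -file "$dir/$ALIAS.cer" -storetype JKS \
        -keystore "$dir/identity.jks" -storepass "$STORE_PASS"

    # Trust keystore holding that certificate; -noprompt answers "Trust this certificate?" with yes.
    keytool -importcert -alias "$ALIAS" -file "$dir/$ALIAS.cer" -storetype JKS \
        -keystore "$dir/trust.jks" -storepass "$TRUST_PASS" -noprompt

    # CSR for the CA route, signed with the same private key.
    keytool -certreq -alias "$ALIAS" -file "$dir/$ALIAS.csr" -storetype JKS \
        -keystore "$dir/identity.jks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"

    # identity.jks holds the private key; restrict both files to the owner.
    chmod 600 "$dir/identity.jks" "$dir/trust.jks"
}

# After the CA returns a signed certificate: import the CA root (hypothetical
# alias ca_root; repeat for intermediates) first so keytool can build the chain,
# then import the reply under the key's alias, which replaces the self-signed
# certificate. The root also goes into the trust keystore.
import_ca_reply() {
    dir="$1"; ca_root="$2"; reply="$3"
    keytool -importcert -alias ca_root -file "$ca_root" -storetype JKS \
        -keystore "$dir/identity.jks" -storepass "$STORE_PASS" -noprompt
    keytool -importcert -alias "$ALIAS" -file "$reply" -storetype JKS \
        -keystore "$dir/identity.jks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
    keytool -importcert -alias ca_root -file "$ca_root" -storetype JKS \
        -keystore "$dir/trust.jks" -storepass "$TRUST_PASS" -noprompt
}

# Count entries of one kind (PrivateKeyEntry or trustedCertEntry) in a keystore;
# prints 0 instead of failing when there are none.
count_entries() {
    keytool -list -storetype JKS -keystore "$1" -storepass "$2" | grep -c "$3" || true
}

# Usage: KEYSTORE_DIR=/u01/data/keystores sh create_keystores.sh run
if [ "${1:-}" = "run" ]; then
    create_keystores "$KEYSTORE_DIR"
    echo "identity.jks private keys: $(count_entries "$KEYSTORE_DIR/identity.jks" "$STORE_PASS" PrivateKeyEntry)"
    echo "trust.jks private keys:    $(count_entries "$KEYSTORE_DIR/trust.jks" "$TRUST_PASS" PrivateKeyEntry)"
fi
```

Run it as the oracle user on the Administration Server node with the real host name and passwords in the environment; the count lines at the end should read 1 and 0. If the trust keystore ever reports a private key, a key file was imported where only a certificate belongs and the store should be rebuilt before it is copied to the other nodes.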