3.4.1.1 Import Intermediate CA Certificate

You need to import the intermediate CA certificate into the identity keystore. Most Certificate Authorities do not use the root CA certificates to issue identity certificates for use by customers. Instead, Intermediate CAs issue identity certificates in response to the submitted CSRs.

If the Intermediate CA certificate is absent from the Java Standard Trust store, the trust path for the identity certificate will be incomplete, resulting in warnings issued by WebLogic Server during runtime. To avoid this, the intermediate CA certificate should be imported into the identity keystore. Although the intermediate CA certificate can be imported into the Java Standard Trust store, this is not recommended unless the intermediate CA can be trusted.

Execute the following command to import the intermediate CA certificate into the keystore:

keytool -importcert -alias alias -file cert_file -trustcacerts -keystore keystore

In the above command,

Table 3-5 Description of Placeholders

Placeholder Description

alias

alias is used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step.

cert_file

cert_file is the location of the file containing the intermediate CA certificate in a PKCS#7 format (PEM or DER file).

keystore

keystore is the location of the keystore containing the public and private key pair.

Note:

The trustcacerts flag is used to consider other certificates (higher intermediaries and the root CA) in the chain of trust. If no chain of trust is established during verification, the certificate will be displayed and one would be prompted to verify it. It is recommended that due diligence be observed when the prompt is displayed to verify a certificate when a chain of trust is absent.

A sample execution of the command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -importcert -alias verisigntrialintermediateca -file D:\keystores\VerisignIntermediateCA.cer -trustcacerts -keystore D:\keystoreworkarea\AdminOBREMOKeyStore.jks

Enter keystore password:<Enter the password used to access the keystore>

Certificate was added to keystore
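The note above recommends due diligence when keytool displays a certificate and asks whether to trust it. One way to do that check before answering the prompt is to compute the file's fingerprint independently and compare it with the value the CA publishes out of band. The following is an added example, not part of the original guide or of Oracle's tooling. It assumes the file holds a single X.509 certificate in PEM or DER form; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}  # hex digits -> digest name


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM or DER file."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("neither PEM nor DER certificate data")
    return data


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form keytool displays."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def matches_published(der: bytes, published: str) -> bool:
    """Compare against a fingerprint obtained from the CA out of band."""
    want = re.sub(r"[\s:]", "", published).lower()
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", want):
        raise ValueError("expected a SHA-1 or SHA-256 hex fingerprint")
    return hashlib.new(algo, der).hexdigest() == want


# Constructed stand-in bytes (not a real certificate): the fingerprint is a
# hash over the encoded bytes, so any DER-shaped blob shows the behaviour.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = load_der(SAMPLE_PEM)
    print("SHA1:  ", fingerprint(der, "sha1"))
    print("SHA256:", fingerprint(der, "sha256"))
    published = fingerprint(SAMPLE_DER)  # stands in for the CA's published value
    print("match:", matches_published(der, published))
```

In practice, read the certificate file's bytes into load_der and pass the fingerprint copied from the CA's own site to matches_published; answer the keytool trust prompt only when the values agree.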