1.2 Certificates and Keypairs

This topic provides information about certificates and keypairs.

Certificates are used to validate the authenticity of the server. A certificate contains the name of the owner, the certificate usage, the validity period, and the resource location or distinguished name (DN), which includes the common name (CN, a web site address or an e-mail address depending on the usage) and the identifier of the certifier who signs this information. It also contains the public key and a hash to ensure that the certificate has not been tampered with. A certificate is insecure until it is signed. Signed certificates cannot be modified.

A certificate can be self-signed or obtained from a reputable certificate authority such as Verisign, Inc., Entrust.net, Thawte, GeoTrust or InstantSSL.

SSL uses two cryptographic keys, a public key and a private key. The keys are complementary and can be used in either direction: what one key encrypts can be decrypted by the other key of the pair. The private key is kept secret, while the public key is distributed in the certificate.

The keytool utility stores keys and certificates in a keystore. The default keystore implementation stores the keystore as a file and protects private keys with a password. The different entries (key pairs and certificates) are distinguished by a unique alias. Through its keystore, Oracle WebLogic Server can authenticate itself to other parties.

In Java, a keystore is a java.security.KeyStore instance that the user can create and manipulate using the keytool utility provided with the Java Runtime.

Oracle WebLogic Server manages two keystores to configure SSL:
  1. Identity Keystore: contains the key pairs and the digital certificate. It can also contain the certificates of intermediate CAs.
  2. Trust Keystore: contains the trusted CA certificates.
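The following script is an added example, not part of this topic or of Oracle's documentation. It shows, with the JDK keytool utility described above, how the two keystores just listed are built: an identity keystore holding the server key pair under a unique alias (plus a certificate signing request, since the self-signed certificate is only a placeholder until a CA signs it), and a separate trust keystore holding only trusted certificates. It assumes keytool is on PATH; every alias, password, path and distinguished name in it is a constructed placeholder, and the server's own certificate stands in for a CA certificate in the trust keystore.

```shell
#!/bin/sh
# Added example (not from the page or from Oracle): build the two keystores the
# text describes, an identity keystore and a trust keystore, with the JDK keytool.
# Assumes keytool is on PATH. Every name, password, path and DN below is a
# constructed placeholder; replace them for a real deployment.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
IDENTITY_KS="$WORKDIR/identity.jks"      # holds the server key pair (and later the CA chain)
TRUST_KS="$WORKDIR/trust.jks"            # holds only trusted certificates, no private keys
STOREPASS="placeholder-identity-pass"    # constructed; never hard-code a real one
TRUSTPASS="placeholder-trust-pass"       # constructed
ALIAS="wls_server"                       # unique alias that names the key pair entry
DNAME="CN=wls.example.internal, OU=Ops, O=Example Corp, C=US"   # constructed DN

# have_keytool: true when the JDK keytool utility is available.
have_keytool() { command -v keytool >/dev/null 2>&1; }

# create_identity_keystore: generate an RSA key pair and a self-signed
# certificate under ALIAS. The private key never leaves this file.
create_identity_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "$DNAME" -validity 365 \
    -keystore "$IDENTITY_KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# create_csr: write a certificate signing request for the key pair. This is what
# goes to a CA so the self-signed certificate can be replaced by a signed one.
create_csr() {
  keytool -certreq -alias "$ALIAS" -keystore "$IDENTITY_KS" -storepass "$STOREPASS" \
    -file "$WORKDIR/server.csr"
}

# export_cert: export only the public certificate, in PEM form.
export_cert() {
  keytool -exportcert -alias "$ALIAS" -keystore "$IDENTITY_KS" -storepass "$STOREPASS" \
    -rfc -file "$WORKDIR/server.pem"
}

# create_trust_keystore: import a certificate as a trusted entry into a separate
# trust keystore. In production this is the CA's certificate, not the server's own.
create_trust_keystore() {
  keytool -importcert -noprompt -alias "${ALIAS}_ca" -file "$WORKDIR/server.pem" \
    -keystore "$TRUST_KS" -storetype JKS -storepass "$TRUSTPASS"
}

# count_entries KEYSTORE PASSWORD: number of entries that keytool -list reports.
count_entries() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c 'Entry,'
}

# entry_type KEYSTORE PASSWORD ALIAS: PrivateKeyEntry or trustedCertEntry.
entry_type() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" \
    | sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p' | head -n 1
}

# csr_header FILE: first line of the CSR, used to confirm it is PEM-encoded.
csr_header() { head -n 1 "$1"; }

# build_keystores: run the whole procedure and report what each keystore holds.
build_keystores() {
  create_identity_keystore
  create_csr
  export_cert
  create_trust_keystore
  echo "identity keystore: $IDENTITY_KS ($(count_entries "$IDENTITY_KS" "$STOREPASS") entry)"
  echo "trust keystore:    $TRUST_KS ($(count_entries "$TRUST_KS" "$TRUSTPASS") entry)"
  echo "CSR for the CA:    $WORKDIR/server.csr"
}

if have_keytool; then
  build_keystores
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

Keeping the two keystores separate matters operationally: the trust keystore can be copied to any host that must verify this server, while the identity keystore, which protects the private key with its password, stays on the server itself. After the CA returns the signed certificate, it (and any intermediate CA certificates) is imported into the identity keystore under the same alias, which is why that keystore may hold intermediate CA certificates as the text notes.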