Weblogic 10.3.6 +
WildCard file server.pfx (PKCS#12 format)
Generate Java Keystore from WildCard
1. Source environment
. ./setDomainEnv.sh (run from the domain's bin directory; this puts the WebLogic classes used in step 5 on the classpath)
2. Use OpenSSL to extract the content of the pfx file (private key and certificate chain) into a PEM file:
openssl pkcs12 -in server.pfx -out KEYSTORE.pem -nodes
The -nodes option writes the private key unencrypted, so restrict access to KEYSTORE.pem and the files derived from it, and remove them once the keystores have been built.
3. Open the KEYSTORE.pem file from step 2. You should find three certificates and the private key in it.
a. Private Key. To identify the private key, look for the following headings (newer OpenSSL versions print -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- instead):
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Save the content, including both headings, into a file called my_key_pk.pem; this is the -keyfile used in step 5.
b. Root Certificate. To identify the Root Certificate, look for the following headings:
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject and issuer must be the same. Save its content, from BEGIN CERTIFICATE to END CERTIFICATE inclusive, into a file called my_key_root.pem.
c. Intermediate Certificate. To identify an Intermediate Certificate, look for the following heading:
subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject and issuer differ (here in the CN). Save its content, from BEGIN CERTIFICATE to END CERTIFICATE inclusive, into a file called my_key_intermediate.pem.
NOTE: This certificate is optional; in some cases it will not be present. If so, skip this step. Otherwise it needs to be added to the identity keystore (jks) file as well.
d. Server Certificate. To identify a Server Certificate, look for the following heading:
friendlyName: some.thing.com
subject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=some.thing.com
A server certificate includes a heading called friendlyName. Save its content, from BEGIN CERTIFICATE to END CERTIFICATE inclusive, into a file called my_key_crt.pem.
4. Create a Trust Keystore and import the Root certificate into it.
keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <store_pass> -keypass <key_pass>
5. Generate an Identity Keystore and import the private key into it.
java utils.ImportPrivateKey -keystore my_key_identity.jks -storepass <store_pass> -storetype JKS -keypass <key_pass> -alias server_identity -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <pfx_password>
With these instructions, two jks files will be produced:
my_key_identity.jks and my_key_trust.jks
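As an added example that is not part of the original notes, the Python script below automates step 3: it reads the KEYSTORE.pem produced in step 2 and writes my_key_pk.pem, my_key_root.pem, my_key_intermediate.pem and my_key_crt.pem using the identification rules given above (subject equals issuer for the root, friendlyName for the server certificate, any other certificate is the intermediate). SAMPLE is a constructed stand-in for KEYSTORE.pem with placeholder PEM bodies; the 0600 file mode is an assumption added because -nodes leaves the private key unencrypted.

```python
import os, sys

def split_pkcs12_pem(text):
    """Split `openssl pkcs12 -nodes` output (step 2) into the files steps 3-5 expect, using the
    page's rules: subject == issuer -> root, friendlyName -> server cert, other cert -> intermediate."""
    files, attrs, block = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if block is not None:                            # collecting a PEM block
            block.append(line)
            if line.startswith("-----END "):
                pem = "\n".join(block) + "\n"
                if "PRIVATE KEY" in line:                # -nodes leaves this key unencrypted
                    files["my_key_pk.pem"] = pem
                elif "subject" in attrs and attrs["subject"] == attrs.get("issuer"):
                    files["my_key_root.pem"] = pem       # self-signed root (step 3b)
                elif "friendlyName" in attrs:
                    files["my_key_crt.pem"] = pem        # server cert carries friendlyName (step 3d)
                else:
                    files["my_key_intermediate.pem"] = pem  # step 3c
                block, attrs = None, {}                  # attributes apply to one block only
        elif line.startswith("-----BEGIN "):
            block = [line]
        elif line.startswith(("subject=", "issuer=")):   # printed by openssl before each cert
            key, _, value = line.partition("=")
            attrs[key] = value.strip()
        elif line.startswith("friendlyName:"):
            attrs["friendlyName"] = line.split(":", 1)[1].strip()
    return files

def pem_block(kind, body):
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
# Constructed stand-in for KEYSTORE.pem; PEM bodies are placeholders, not real key or certificate data.
SAMPLE = (
    "Bag Attributes\n    friendlyName: some.thing.com\n" + pem_block("RSA PRIVATE KEY", "PLACEHOLDER-KEY")
    + "Bag Attributes\n    friendlyName: some.thing.com\n"
    + "subject=/C=US/O=Oracle_Corp, Inc./CN=some.thing.com\nissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA\n"
    + pem_block("CERTIFICATE", "PLACEHOLDER-SERVER-CERT")
    + "subject=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA\nissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    + pem_block("CERTIFICATE", "PLACEHOLDER-INTERMEDIATE-CERT")
    + "subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\nissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    + pem_block("CERTIFICATE", "PLACEHOLDER-ROOT-CERT")
)
if __name__ == "__main__":
    # Usage: python split_pem.py KEYSTORE.pem   (with no argument the constructed sample is split)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, pem_text in split_pkcs12_pem(text).items():
        with open(os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
            f.write(pem_text)                            # 0600: the key file is unencrypted after -nodes
```

If the chain has no intermediate (the case mentioned in the NOTE of step 3c), my_key_intermediate.pem is simply not written.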
Configure WebLogic Server To Support Wildcard Certificates
1. Navigate to Home->Summary of Servers->ServerName
a. Go to the SSL tab.
b. Click Advanced.
2. Click Lock and Edit.
3. Set the Hostname Verification field to Custom Hostname Verifier.
4. Enter the name of the implementation of the weblogic.security.utils.SSLWLSWildcardHostnameVerifier interface in the Custom Hostname Verifier field.
5. Click Save.
6. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
7. Restart Server
Configure Weblogic SSL
Follow the steps below to configure the WebLogic server to use the keystores created above:
1. Log in to the admin console.
2. Navigate to Servers > [server_name] > Configuration > Keystores.
3. Select Custom Identity and Custom Trust and provide the following details:
a. Custom Identity Keystore: /path/to/my_key_identity.jks
b. Custom Identity Keystore Type: jks
c. Custom Identity Keystore Passphrase: <password>
d. Confirm Custom Identity Keystore Passphrase: <password>
e. Custom Trust Keystore: /path/to/my_key_trust.jks
f. Custom Trust Keystore Type: jks
g. Custom Trust Keystore Passphrase: <password>
h. Confirm Custom Trust Keystore Passphrase: <password>
4. Then click the SSL tab next to Keystores and provide values for the following parameters:
a. Private Key Alias: server_identity
b. Private Key Passphrase: <password>
c. Confirm Private Key Passphrase: <password>
5. Enable the SSL port for that particular WebLogic server by navigating to Servers > [server_name] > Configuration > General.
6. Save and activate changes.
Note: If the SSL port is enabled for the first time, you need to restart the server.