Weblogic managed servers support java keystores (.jks) but you have received signed wildcard certificates(.crt) which cannot be directly imported into the keystore.
You may get below error:
Error
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2655)
at sun.security.tools.keytool.Main.doCommands(Main.java:1009)
at sun.security.tools.keytool.Main.run(Main.java:343)
at sun.security.tools.keytool.Main.main(Main.java:336)
There are myriad number of ways in achieving this along with support from many blogs, videos or you can follow these steps and achieve it.
Firstly, ensure you have received all the certificates like the CA Root, additional Trust Certificates and intermediate certificates along with a wildcard certificate and a private key/server key which was used while generating the CSR (certificate signing request).
Some clients send these certificates packaged into PKCS12 if not follow the steps from the beginning
Tools required: OpenSSL software
1. Add all certificates and the private key to a single .pem file
openssl x509 -in each_certificate.crt -out complete_pem.txt -outform PEM
2. Now create a .pkcs12 file which is compatible with JAVA 8
You may get below error:
Error
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2655)
at sun.security.tools.keytool.Main.doCommands(Main.java:1009)
at sun.security.tools.keytool.Main.run(Main.java:343)
at sun.security.tools.keytool.Main.main(Main.java:336)
There are myriad number of ways in achieving this along with support from many blogs, videos or you can follow these steps and achieve it.
Firstly, ensure you have received all the certificates like the CA Root, additional Trust Certificates and intermediate certificates along with a wildcard certificate and a private key/server key which was used while generating the CSR (certificate signing request).
Some clients send these certificates packaged into PKCS12 if not follow the steps from the beginning
Tools required: OpenSSL software
1. Add all certificates and the private key to a single .pem file
openssl x509 -in each_certificate.crt -out complete_pem.txt -outform PEM
2. Now create a .pkcs12 file which is compatible with JAVA 8
openssl pkcs12 -export -inkey complete_pem.txt -in complete_pem.txt -out complete_key.p12
You will be prompted for a password, don't forget to keep a record of it.
3. Create a java keystore now:
Go to JAVA_HOME\bin preferably above Java 8
keytool -importkeystore -deststorepass <hidden> -destkeypass <hidden> -destkeystore clientIdentity.jks -srckeystore
complete_key.p12 -srcstoretype PKCS12 -srcstorepass <password> -alias <anything_meaningful>
Here: deststorepass/destkeypass is the destination keystore password
-destkeystore : Java keystore you create.
-srckeystore : is the keystore you created in step 2
-srcstorepass : the password you used in step 2
This is identity keystore as it also contains the private key. Although you can use the same keystore for both. Generally, I like to keep Identity keystore and the Trust keystore separated.
Similarly, you can create another keystore with only trusted root certificates which will be named as clientTrust.jks.
keytool -import -v -trustcacerts -alias CARoot -file AddTrustExternalCARoot.crt -keystore clientTrust.jks -storepass <hidden>
Import these keystores into Weblogic managed servers, FR Studio , EAS Clients , java security folder(cacerts) etc. There are many documents available on Oracle support for Full SSL Deployment.
Note: alias is case-sensitive.It is important to note the aliases as Identity key requires it.
This post covers only steps for generating java keystore, when provided with certificates from trusted entities. Once keystores are read it can be used in various locations as required.
For further generic steps on security management refer here:
0 comments:
Post a Comment