12 Aug 2010

Configuring SSL for WebLogic 10 on Windows

A. Obtaining digital certificates, private keys, and trusted CA certificates from the CertGen utility

First, set up the environment variables so that weblogic.jar is on the CLASSPATH:
1) Add an environment variable pointing at the WebLogic installation:
WL_HOME=c:\bea\wlserver_10.0
2) Add "%WL_HOME%\server\lib\weblogic.jar" to the CLASSPATH variable (the %...% is needed for cmd to expand it):
CLASSPATH=%CLASSPATH%;%WL_HOME%\server\lib\weblogic.jar
Now the certificate and private key can be generated with the WebLogic CertGen utility:
3) Start cmd console
4) Create new certificate and key file by command:
java utils.CertGen -keyfilepass weblogic -certfile lidcert -keyfile lidkey -cn EPUAKYIW0545
Note: -cn EPUAKYIW0545 is optional; by default CertGen uses the name of the host it is running on as the common name.
As a result you should see a message like this:
Generating a certificate with common name EPUAKYIW0545 and key strength 1024
issued by CA with certificate from c:\bea\wlserver_10.0\server\lib\CertGenCA.der file and key from c:\bea\wlserver_10.0\server\lib\CertGenCAKey.der file

5) Convert the CA certificate from DER format to PEM format (copy CertGenCA.der from %WL_HOME%\server\lib, where the message above located it, into the working directory first):
java utils.der2pem CertGenCA.der
6) Concatenate the server certificate and the Certificate Authority (CA) certificate into one chain file. cmd has no cat, so use type instead:
type lidcert.pem CertGenCA.pem > lidcerts.pem

B. Store the private keys, digital certificates, and trusted CA certificates

7) Now create a new keystore named lidkeystore.jks and import the private key from lidkey.pem together with the certificate chain from lidcerts.pem:
java utils.ImportPrivateKey -keystore lidkeystore.jks -storepass weblogic -keyfile lidkey.pem -keyfilepass weblogic -certfile lidcerts.pem -alias lid
As a result you should see messages like these:
No password was specified for the key entry
Key file password will be used
Imported private key lidkey.pem and certificate lidcerts.pem
into a new keystore lidkeystore of type jks under alias lid
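As an added example that is not part of the original post, the following Python script checks that a concatenated chain file like the lidcerts.pem built in step 6 lists the server certificate first, followed by the CA that issued it, which is the order ImportPrivateKey relies on in step 7. The dummy certificates and the CA name "Demo CA (constructed)" are constructed inside the script, not produced by CertGen; point check_chain at the contents of a real lidcerts.pem to check your own file.

```python
import base64
import re

def _read_tlv(buf, pos):                            # one DER TLV -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def cert_names(der):                                # X.509 DER -> (issuer, subject) raw Name DER
    _, cert, _ = _read_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                  # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                 # skip optional [0] version
    _, _, pos = _read_tlv(tbs, pos)                 # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)            # issuer Name
    _, _, pos = _read_tlv(tbs, pos)                 # validity
    _, subject, _ = _read_tlv(tbs, pos)             # subject Name
    return issuer, subject

def check_chain(pem_text):                          # (ok, reason): leaf first, each issued by the next
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]
    if len(names) < 2:
        return False, "expected the server certificate followed by its CA"
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i} is not issued by certificate {i + 1}"
    return True, "ok"

# Constructed test data: structurally valid but unsigned dummy certificates.
def _tlv(tag, body):                                # tiny DER encoder, bodies < 128 bytes
    return bytes([tag, len(body)]) + body

def _name(cn):                                      # Name = SEQ { SET { SEQ { OID cn, UTF8String } } }
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))

def fake_cert_pem(subject_cn, issuer_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SERVER = fake_cert_pem("EPUAKYIW0545", "Demo CA (constructed)")
CA = fake_cert_pem("Demo CA (constructed)", "Demo CA (constructed)")
GOOD_CHAIN = SERVER + CA                            # the order step 6 produces
BAD_CHAIN = CA + SERVER                             # CA first: ImportPrivateKey would take the wrong leaf
```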

C. Configure the identity and trust keystores for WebLogic Server in the WebLogic Server Administration Console

The short instructions below are based on http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e13952/taskhelp/security/ConfigureKeystoresAndSSL.html
To configure the identity and trust keystores:
8) If you have not already done so, in the Change Center of the Admin Console, click "Lock & Edit"
9) In the left pane of the Admin Console, expand Environment and select Servers
10) Click the name of the server for which you want to configure the identity and trust keystores
11) Select Configuration > Keystores
In "Keystores" select: Custom Identity and Java Standard Trust
Custom Identity Keystore: full path to the generated lidkeystore.jks
Custom Identity Keystore Passphrase: weblogic
12) Select Configuration > SSL
Private Key Alias: lid
Private Key Passphrase: weblogic
13) Enable SSL Listen Port:
Configuration > General
check SSL Listen Port Enabled
SSL Listen Port: 443

Test One Way SSL

Under the SSL tab, make sure Two Way Client Cert Behavior is set to "Client Certificates Not Requested".
This is important - make sure you have these entries in your config.xml file in the config directory of your domain (the private key alias must match the one entered in step 12):
<client-certificate-enforced>false</client-certificate-enforced>
<two-way-ssl-enabled>false</two-way-ssl-enabled>
<server-private-key-alias>lid</server-private-key-alias>
If any are different, edit and save config.xml to match, and then restart the WebLogic server.
All being well, the server should present the client with a certificate.
However, the client has no reason to trust our self-signed certificate yet, so it will show a warning dialog. (Also the name doesn't match that of the server. This isn't too important in a development environment - but something you'd definitely fix for production.)