CertGenCAB was the Certificate Authority that signed the Demo Certificates used by WLS.

This CA certificate expired on Oct 25 2022 and hence all Demo keystores are no longer valid.

This blog has more information on how to overcome this issue.

Background:

  • Before 10.3.3 (11g), Certicom SSL was the only SSL implementation.
  • In 10.3.3 thru 10.3.6 (11g), Certicom SSL is the default SSL implementation, with JSSE available by enabling a property switch.
  • In 12.1.1 and up (12c), JSSE is the default SSL implementation and Certicom was removed. 
  • Weblogic Server versions 10.3.6 and 12.1.1 and later are certified with JDK 7
  • TLS 1.1 and 1.2 is only supported with a combination of JDK 7 Update 1 (or later) and JSSE enabled
  • With JSSE and JDK 7, higher security defaults are available (e.g updated ciphers)

NOTE:

Do not use the demonstration keystores in a production environment. 

Demonstration Certificates can be used in NodeManager and Weblogic Servers.

Oracle released Patch 13964737 (for 1036 and 1211) that updates Signing Authority from CertGenCAB to CertGenCA.

Old CA :

old CA

 

 

 

 

 

 

 

 

New CA :

new CA

 

 

 

 

 

 

 

 

Below are the steps to be performed on different WebLogic versions to overcome the issue of expiring Demonstration Certificate Authorities :

For WLS 8.1 :

OPTION 1: Create Self Signed Certificates (or Internally signed certificates) 

Step 1: 

Go to <WL_HOME>/server/bin/
Run
Linux : . ./setWLSEnv.sh
Windows : setWLSEnv.cmd

Then run “java -version” and make sure it is the same java being used by your WebLogic Server.

Example :

setWLS

 

 

 

 

 

 

 

 

Step 2:

Create a Self-Signed certificate using the following command :

keytool -genkey -alias mykey -validity 3650 -dname “cn=localhost, ou=WLS, o=Oracle, c=IN” -storepass password -keypass password -keystore identity.jks
keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password
keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password -trustcacerts -noprompt 

NOTE:

– Replace the cn in the above command to your servers hostname. (Specified in console -> server listen_address field).

– You also change the storepass and keypass values in the above commands.

– The above commands will generate identity.jks and trust.jks which can be used to configure SSL on your nodemanager and WebLogic servers.

– The certificate generated should have a signature algorithm as MD5withSHA1

self signed

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Step 3:

Now configure the NodeManager and WebLogic servers to use this newly created identity.jks and trust.jks 

 

OPTION 2: Disable SSL on WebLogic Server. There is no way to disable SSL on nodemanager for WLS 8.x (Not Recommended)

 

For WLS 10.3.6 :

The default SSL implementation in Weblogic 10.3.6 is Certicom, but WLS 10.3.6 also supports JSSE SSL Implmentation.

For WLS 1036 domains using JSSE SSL Implemenatations :

Enable JSSE

 

 

 

 

 

 

 

 

OPTION 1: Recreate DemoIdentity and DemoTrust :

Step 1:

Apply patch 13964737 and regenerate DemoIdentity.jks as mentioned in the below KM articles :

How to Renew Demo Trust Certificate in WLS that Expires on Oct 25 2022 (Doc ID 2901612.1)    

Regenerating DemoIdentity.jks and/or DemoTrust.jks (Doc ID 1392455.1)    

 

OPTION 2: Create new SelfSigned Certificates (You could also use CA signed certificates) :

Step 1:

Create a Self-Signed certificate using the following command :

keytool -genkeypair -alias mykey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -dname “cn=localhost, ou=WLS, o=Oracle, c=IN” -storepass password -keypass password -keystore identity.jks

keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password

keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password -trustcacerts -noprompt 

NOTE:

– Replace the cn in the above command to your servers hostname. (Specified in console -> server listen_address field).

– You also change the storepass and keypass values in the above commands.

– The above commands will generate identity.jks and trust.jks which can be used to configure SSL on your nodemanager and WebLogic servers.

Step 2:

Configure nodeManager and WebLogic server to use this newly created identity.jks and trust.jks

 

OPTION 3: Disable SSL on NodeManager and WebLogic Server (Not Recommended) 

 

For WLS 1036 domains using the default Certicom SSL Implementations :

OPTION 1: Create Self-Signd Certificates

Step 1:

Go to <WL_HOME>/server/bin/
Run
Linux : . ./setWLSEnv.sh
Windows : setWLSEnv.cmd

Then run “java -version” and make sure it is the same java being used by your WebLogic Server.

Example :

Step 2:

Create a Self-Signed certificate using the following command :

keytool -genkey -alias mykey -validity 3650 -dname “cn=localhost, ou=WLS, o=Oracle, c=IN” -storepass password -keypass password -keystore identity.jks
keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password
keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password -trustcacerts -noprompt 

NOTE:

– Replace the cn in the above command to your servers hostname. (Specified in console -> server listen_address field).

– You also change the storepass and keypass values in the above commands.

– The above commands will generate identity.jks and trust.jks which can be used to configure SSL on your nodemanager and WebLogic servers.

– The certificate generated should have a signature algorithm as MD5withRSA.

 

OPTION 2: Disable SSL on Nodemanager and WebLogic Server (Not Recommended)

 

For WLS 12.1.3 and above :

The default SSL implementation is JSSE. 

OPTION 1 : Recreate DemoIdentity and DemoTrust :

Step 1: 

How to Renew Demo Trust Certificate in WLS that Expires on Oct 25 2022 (Doc ID 2901612.1)    

Regenerating DemoIdentity.jks and/or DemoTrust.jks (Doc ID 1392455.1)    

 

OPTION 2: Create new SelfSigned Certificates (You could also use CA Signed certificates) :

Step 1:

Create a Self-Signed certificate using the following command :

keytool -genkeypair -alias mykey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -dname “cn=localhost, ou=WLS, o=Oracle, c=IN” -storepass password -keypass password -keystore identity.jks

keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password

keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password -trustcacerts -noprompt 

NOTE:

– Replace the cn in the above command to your servers hostname. (Specified in console -> server listen_address field).

– You also change the storepass and keypass values in the above commands.

– The above commands will generate identity.jks and trust.jks which can be used to configure SSL on your nodemanager and WebLogic servers.

Step 2:

Configure nodeManager and WebLogic server to use this newly created identity.jks and trust.jks

 

OPTION 3: Disable SSL on NodeManager and WebLogic server. (Not Recommended)