Deep dive into various configurations with Oracle Weblogic Server

Steps to create a CSR (certificate signing request) using keytool and get it signed by an external CA (Certificate Authority - Thawte)

Puneeth Prakash
Principal Software Engineer

Step 1 :

Create a key pair (with a self-signed certificate) using the keytool genkeypair command

Command :  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password

Step 2 :

Now create a certificate signing request ( csr ) which has to be passed on to your external / third party CA ( Certificate Authority ).

Command :  keytool -certreq -alias mykey -file certreq.pem -keystore identity.jks


- The above command generates a Certificate Signing Request (CSR) in PKCS#10 format.

- A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

- The -sigalg option specifies the algorithm that should be used to sign the self-signed certificate; this algorithm must be compatible with the one given by -keyalg.

- The CSR is stored in the file certreq.pem. If no file is given, the CSR is output to stdout.

- Researchers have successfully broken the MD5 algorithm and forged web server credentials. MD5 is no longer considered secure. US-CERT Vulnerability Note VU#836068 (issued Dec 31, 2008) makes it plain: "Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use." So it is better to pass -sigalg SHA1withRSA.

Step 3 :

Go to your third-party CA website, e.g. http://www.thawte.com/

I am using a Free SSL Trial here for testing. 

Step 4 :

Check your inbox for an email from Thawte.

This email will contain your signed certificate , intermediate certificate and root certificate.

Copy the contents of each certificate from the email and save each one as a separate .pem file (intermediate.pem, root.pem and signedcert.pem, the names used in the next step).

Step 5 :

Now we need to import these certificates into the identity.jks keystore.

- Import the intermediate certificate first --> then the root certificate --> and then the signed certificate (signedcert.pem).

Command : keytool -importcert -alias inter -file intermediate.pem -keystore identity.jks -storepass password

Command : keytool -importcert -alias root -file root.pem -keystore identity.jks -storepass password 

Command : keytool -importcert -alias mykey -file signedcert.pem -keystore identity.jks -storepass password 

Note :

- The intermediate and root certificates should have different alias names, but the signed certificate must be imported with the same alias that was used when creating the key pair (otherwise keytool adds it as a separate trusted certificate instead of completing the chain of the private key entry).

- After importing all three certificates you should have seen the message "Certificate reply was installed in keystore" (keytool prints it when the signed certificate is imported against the existing key pair).

Step 6 :

Now list the keystore and check that all the certificates were imported successfully.

Command :  keytool -list -keystore identity.jks -storepass password

To get a detailed output :

Command : keytool -list -v -keystore identity.jks -storepass password

Note :

Check for the following in the detailed output :

Alias name: mykey 

Entry type: PrivateKeyEntry

Certificate chain length: 3

Step 7 :

Run the following command to check if the certificate chain is valid.

Syntax : java utils.ValidateCertChain -jks <alias> <identity_keystore> 

Command :  java utils.ValidateCertChain -jks mykey identity.jks
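As an added check for steps 6 and 7 (this is example code written for this page, not part of the original post and not a WebLogic utility), the Python script below parses the verbose output of keytool -list -v and applies the three checks named in step 6, plus the subject/issuer walk that utils.ValidateCertChain performs: each certificate must be issued by the next one in the chain and the chain must end at a self-signed root. utils.ValidateCertChain ships in WebLogic's weblogic.jar, so step 7 needs the WebLogic classpath; this script needs only Python 3. It also flags certificates signed with MD5 or SHA-1: the WEAK_SIG_ALGS list is an assumption of this example, and SHA-1, which step 2 still recommends over MD5, has since been rejected by browsers and is no longer used by public CAs, so a CA today returns a SHA-256 signed certificate. The parser reads only the Alias name, Entry type, Certificate chain length, Certificate[n], Owner, Issuer and Signature algorithm name lines, so other fields that differ between JDK versions do not matter. Both listings are constructed samples with made-up names (wls.example.com, Example Corp), not real Thawte output.

```python
# Added example, not from the original post: check a `keytool -list -v` listing
# the way steps 6 and 7 describe, without needing WebLogic's utils.ValidateCertChain.
from dataclasses import dataclass, field

WEAK_SIG_ALGS = ("MD5", "SHA1")  # hypothetical policy for this example, see lead-in

@dataclass
class Cert:
    owner: str = ""
    issuer: str = ""
    sig_alg: str = ""

@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    chain_length: int = 0
    chain: list = field(default_factory=list)

def parse_keytool_list(text):
    """Parse `keytool -list -v` output into {alias: Entry}; only the needed lines are read."""
    entries, entry, cert = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Alias name:"):
            entry, cert = Entry(alias=value), None
            entries[entry.alias] = entry
        elif entry is None:
            continue
        elif line.startswith("Entry type:"):
            entry.entry_type = value
        elif line.startswith("Certificate chain length:"):
            entry.chain_length = int(value)
        elif line.startswith("Certificate["):  # "Certificate[n]:" starts the next cert
            cert = Cert()
            entry.chain.append(cert)
        elif line.startswith("Owner:"):
            if cert is None:  # trustedCertEntry: one cert, no Certificate[n] header
                cert = Cert()
                entry.chain.append(cert)
            cert.owner = value
        elif line.startswith("Issuer:") and cert is not None:
            cert.issuer = value
        elif line.startswith("Signature algorithm name:") and cert is not None:
            cert.sig_alg = value
    return entries

def check_identity_entry(entries, alias, expected_chain_length=3):
    """Return a list of findings; an empty list means the entry looks right."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    findings = []
    if entry.entry_type != "PrivateKeyEntry":
        findings.append(f"{alias}: entry type {entry.entry_type!r}, expected PrivateKeyEntry")
    if entry.chain_length != expected_chain_length:
        findings.append(f"{alias}: chain length {entry.chain_length}, expected {expected_chain_length}")
    for i, cert in enumerate(entry.chain, start=1):
        # Each cert must be issued by the next one; the chain must end in a self-signed root.
        if i < len(entry.chain) and cert.issuer != entry.chain[i].owner:
            findings.append(f"{alias}: Certificate[{i}] issuer does not match Certificate[{i + 1}] owner")
        if i == len(entry.chain) and cert.owner != cert.issuer:
            findings.append(f"{alias}: chain does not end in a self-signed root")
        if cert.sig_alg.upper().startswith(WEAK_SIG_ALGS):
            findings.append(f"{alias}: Certificate[{i}] is signed with weak algorithm {cert.sig_alg}")
    return findings

# Constructed sample listings (made-up names, not real Thawte output).
GOOD_LISTING = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=wls.example.com, O=Example Corp, C=IN
Issuer: CN=Example Test CA, O=Example Corp, C=IN
     Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Test CA, O=Example Corp, C=IN
Issuer: CN=Example Test Root, O=Example Corp, C=IN
     Signature algorithm name: SHA256withRSA
Certificate[3]:
Owner: CN=Example Test Root, O=Example Corp, C=IN
Issuer: CN=Example Test Root, O=Example Corp, C=IN
     Signature algorithm name: SHA256withRSA
"""

# The mistake the step 5 note warns about: the signed certificate went in under a new
# alias, so "mykey" still holds only its self-signed certificate (here signed with MD5).
BAD_LISTING = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wls.example.com, O=Example Corp, C=IN
Issuer: CN=wls.example.com, O=Example Corp, C=IN
     Signature algorithm name: MD5withRSA

Alias name: signed
Entry type: trustedCertEntry
Owner: CN=wls.example.com, O=Example Corp, C=IN
Issuer: CN=Example Test CA, O=Example Corp, C=IN
"""

if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_identity_entry(parse_keytool_list(listing), "mykey") or "OK")
```

On the good listing check_identity_entry returns no findings; on the bad one it reports the chain length of 1 and the MD5withRSA signature, which is what a keystore looks like when the signed certificate was imported under a new alias. To use it on a real keystore, save the output of step 6 to a file and pass its contents to parse_keytool_list.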

Step 8 :

Let's create a trust keystore now.

Command :  keytool -import -file intermediate.pem -alias inter -keystore trust.jks -storepass password

Command : keytool -import -file root.pem -alias root -keystore trust.jks -storepass password

Now that we have successfully created a third-party CA signed identity keystore and a trust keystore, we can configure WLS to use them by configuring Custom Identity and Custom Trust.


Comments ( 6 )
  • Manjunath R Tuesday, October 14, 2014

    It's very useful. Thank you!!!

  • guest Tuesday, April 21, 2015

    I think you need to add also (in step 5) the '-trustcacerts' tag to the -import command, when importing the trusted certificates (not for the key/identity). Cheers.

  • Puneeth Thursday, April 30, 2015

    '-trustcacerts' -- is optional.

  • guest Monday, October 10, 2016

    Very helpful. This was the simplest explanation I found to just creating a signed certificate for the WebLogic instance. Thank you.

  • guest Wednesday, December 14, 2016

    Hi Puneeth,

    Could you please tell me what we should give in place of first and last name in the first step?

  • guest Thursday, December 15, 2016

    Hi Puneeth,

    What should we give for common name while generating the certificate?
