Tuesday Aug 18, 2015

Steps to create a self-signed certificate using OpenSSL

OpenSSL tool can be used to create a certificate / keystore.

You can download the latest version from the link below :


Before running OpenSSL make sure you set the following :

export OPENSSL_CONF=/tmp/package-root/usr/local/ssl/openssl.cnf

 If you want to install OpenSSL with a non-root user :

- $ ./config

- $ make

- $ make test

- $ make INSTALL_PREFIX=/tmp/package-root install

In this post we will see how to create a self-signed certificate/keystore using OpenSSL. 

[Read More]

Friday Oct 04, 2013

Steps to create a .jks keystore using .key and .crt files...

How to create a .key and .crt file ?

If we already have a .key and .crt file how do we import them into a .jks keystore file ? 

How to convert a certificate from DER format to PEM format ? 

Keytool cannot import/export a private key into a keystore file.

To import a private key we need to use other tools like openssl.

We have seen situations when in we get a .key and .crt file from our vendors and we need to import the same into a .jks keystore to configure SSL with WLS.

Here .crt is the signed certificate from a CA and .key contains the private key.

To import these two files into a .jks keystore we can use the following command :

Syntax : $ java utils.ImportPrivateKey keystore storepass storetype keypass alias certfile keyfile keyfilepass

The ImportPrivateKey utility is used to load a private key into a private keystore file.

You can use the CertGen utility to create a .key ( testkey ) and .crt ( testcert ) and then use the ImportPrivateKey utility to create a .jks file.

Note: By default, the CertGen utility looks for the CertGenCA.der and CertGenCAKey.der files in the current directory, or in the WL_HOME/server/lib directory, as specified in the weblogic.home system property or the CLASSPATH.

Alternatively, you can specify CA files on the command line. If you want to use the default settings, there is no need to specify CA files on the command line.

1. Enter the following command to generate certificate files named testcert with private key files named testkey:

Command : $ java utils.CertGen -keyfilepass mykeypass -certfile testcert -keyfile testkey

2. Convert the certificate from DER format to PEM format.

Command :  $ java utils.der2pem CertGenCA.der

3. Concatenate the certificate and the Certificate Authority (CA).

Command :  $ cat testcert.pem CertGenCA.pem >> newcerts.pem

4. Create a new keystore named mykeystore and load the private key located in the testkey.pem file.

Command :  $ java utils.ImportPrivateKey -keystore mykeystore -storepass mypasswd -keyfile mykey -keyfilepass mykeypass -certfile newcerts.pem -keyfile testkey.pem -alias passalias

In this post we will see how to import a .crt and .key file into a .jks file.

[Read More]

Saturday Aug 24, 2013

Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool...

 What are self signed certificates and how to create them ?

A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies.

 This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.
 Note :
 Identity keystores must contain a private key entry
 Trust store must contain all trusted key entries
 Below are few default values when using keytool command on JDK 1.6 :
 -alias "mykey"
    "DSA" (when using -genkeypair)
    "DES" (when using -genseckey)
    1024 (when using -genkeypair)
    56 (when using -genseckey and -keyalg is "DES")
    168 (when using -genseckey and -keyalg is "DESede")
-validity 90

Note :

-genkey is used in the example here. This was an old name used in previous releases. This old name is still supported in this release and will be supported in future releases, but for clarify the new name, -genkeypair, is preferred going forward.

Changes in keytool in Java 1.6 :

keytool no longer displays password input when entered by users. Since password input can no longer be viewed when entered, users will be prompted to re-enter passwords any time a password is being set or changed (for example, when setting the initial keystore password, or when changing a key password).

Some commands have simply been renamed, and other commands deemed obsolete are no longer listed in this document. All previous commands (both renamed and obsolete) are still supported in this release and will continue to be supported in future releases. The following summarizes all of the changes made to the keytool command interface:

Renamed commands:

-export, renamed to -exportcert
-genkey, renamed to -genkeypair
-import, renamed to -importcert
Commands deemed obsolete and no longer documented:



In this post we will see how to create self-signed cretificates and configure it Weblogic Server 10.3.6 ( CustomIdentityandCustomTrust ).

[Read More]

Oracle Fussion Middleware - WebLogic


« September 2015