How to Convert a PFX Certificate into a JKS Certificate to configure it on WebLogic

To convert a pfx cert file to a jks file, please follow these instructions:


1. Set up the environment for the domain, by executing the setDomainEnv.sh script, typically located at $DOMAIN_HOME/bin.

$ . ./setDomainEnv.sh


2. Use OpenSSL to check the pfx certificate's content.
$ openssl pkcs12 -in <certificate.pfx> -out KEYSTORE.pem -nodes

At this point, a password for the pfx file will be requested.

Expected output:


$ openssl pkcs12 -in <certificate.pfx> -out KEYSTORE.pem -nodes
Enter Import Password:
MAC verified OK



3. Open KEYSTORE.pem file, from step 2. This should look similar to this:You will find three certificates on it and the private key:



Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: le-36c42c6e-ec49-413c-891e-591f7e3dd306
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtPwoO3eOwSyOapzZgcDnQOH27cOaaejHtNh921Pd+U4N+dlm
.
.
.
EDITING
.
.
.
R5rsB00Yk1/2W9UqD9Nn7cDuMdilS8g9CUqnnSlDkSG0AX67auKUAcI=
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: *.something.com
subject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=*.something.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIDAIH6MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
.
.
.
EDITING
.
.
.

wA5JxaU55teoWkuiAaYRQpuLepJfzw+qMk5i5FpMRbVMMfkcBusGtdW5OrAoYDL9
4rgR
-----END CERTIFICATE-----
Bag Attributes
friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
.
.
EDITING
.
.
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
.
.
EDITING
.
.
.
TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=
-----END CERTIFICATE-----

4. Identify and store contents from KEYSTORE.pem certificate, to proceed and create jks files:

At this point, you will find three certificates on KEYSTORE.pem and the private key.

4.1 Private Key.

To identify the private key, look for the following headings:


-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Both above mentioned tags will be surrounded the private key. Go ahead and save the content of it into a file called: my_key_pk.pem. This has to include the headings.

Expected file:

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtPwoO3eOwSyOapzZgcDnQOH27cOaaejHtNh921Pd+U4N+dlm
.
.
.
EDIT
.
.
.
Y4ZrW12PRa9/EOBGTG5teKAEada/K4yKReTyQQAGq6j5RjErmuuKkKgPGMSCjvMS
R5rsB00Yk1/2W9UqD9Nn7cDuMdilS8g9CUqnnSlDkSG0AX67auKUAcI=
-----END RSA PRIVATE KEY-----

4.2 Root Certificate.

To identify the Root Certificate, look for the following headings:



subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Subject and issuer must be the same. Go ahead and save the content of it into a file called: my_key_root.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included.

4.3 Intermediate Certificate.

To identify an Intermediate Certificate, look for the following heading:

subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 Subject and issuer are different only on the CN. Go ahead and save the content of it into a file called: my_key_intermediate.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included.


NOTE: This certificate is optional and there are some cases where it'll not be present. If this is the case, go ahead and skip this step. In any other case, this needs to be added to the identity keystore jks file.

4.4 Server Certificate.

 To identify a Server Certificate, look for the following heading:

friendlyName: some.thing.com
subject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=some.thing.com

        A server certificate includes a heading called Friendly Name. Go ahead and save the content of it into a file called: my_key_crt.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included.

5. Create a Trust Keystore and import the Root certificate into it.


$ keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <store_pass> -keypass <key_pass>

Expected Output:
Certificate already exists in system-wide CA keystore under alias <geotrustglobalca>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore


6. Generate an Identity Keystore and import Server into it.

$java utils.ImportPrivateKey -keystore my_key_identity.jks -storepass <store_pass> -storetype JKS -keypass <key_pass> -alias server_identity -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <pfx_password>


With these instructions, two jks files will be produced:

  • my_key_identity.jks
  • my_key_trust.jks

With both files, the next step is to configure Custom Identity and Custom Trust on WebLogic Server.

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

Antonio De Juan Image

I was formerly a Senior Technical Support Engineer in the Middleware Application Server Team. I worked supporting Weblogic Server, Java EE, Jrockit, Coherence among other Oracle products.
You can find my new blog at :
http://antoniodejuan.wordpress.com/
Oracle WebLogic

Search

Categories
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today