
BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Copyright Trustis Limited 2010. All rights reserved.

Trustis Limited
Building 273, New Greenham Park, Greenham Common, Thatcham RG19 6HN
E: info@trustis.com  W: www.trustis.com
Registered in England No: 03613613

Table of Contents
1 Introduction .......................................................... 3
2 Install Root and Intermediate Certificates ............................ 3
3 Certificate Signing Request (CSR) Generation ......................... 4
4 Installing your SSL Server Certificate ............................... 6

T-0104-003-AP-007 BEA Weblogic- V0.1.docx Trustis Limited 2010

Page 2 of 7

1 Introduction
This document gives instructions for installing the Root and Intermediate certificates, generating your CSR, and installing your certificate.

2 Install Root and Intermediate Certificates

Firstly, you need to download the CA certificates (both the Root CA certificate and the Issuing Authority certificate) as individual files:

- DER format Root CA certificate, found at http://www.trustis.com/pki/healthcare/ops/fpsroot-der.crt
- DER format Healthcare TT Issuing Authority certificate, found at http://www.trustis.com/pki/healthcare/ops/healthcarett-der.crt

Install these according to your web server documentation.



3 Certificate Signing Request (CSR) Generation

You must submit your request in a particular format called a Certificate Signing Request (CSR). WebLogic Server includes a Certificate Request Generator servlet that creates a CSR. The Certificate Request Generator servlet collects information from you and generates a private key file and a certificate request file. You must then submit the CSR.

Before you can use the Certificate Request Generator servlet, WebLogic Server must be installed and running.

Start the Certificate Request Generator servlet (certificate.war). The .war file is automatically installed when you start WebLogic Server. In a Web browser, enter the URL for the Certificate Request Generator servlet as follows:

https://hostname:port/Certificate

where hostname is the DNS name of the machine running WebLogic Server and port is the number of the port at which WebLogic Server listens for SSL connections. For example, if WebLogic Server is running on a machine named albatross and it is configured to listen for SSL communications at the default port 7002, then to run the Certificate Request Generator servlet you must enter the following URL in your Web browser:

https://albatross:7002/certificate

The Certificate Request Generator servlet loads a form in your web browser. Complete the form displayed in your browser. Ensure that you generate a 2048 bit key pair; any key size LESS than 2048 bits will not be accepted.

Click the Generate Request button. The Certificate Request Generator servlet displays messages informing you if any required fields are empty or if any fields contain invalid values. Click the Back button in your browser and correct any errors.

Note: Private Key Password. If you do not specify a password, you will get an unencrypted RSA private key. If you specify a password, you will get a PKCS-8 encrypted private key. When using PKCS-8 encrypted private keys, you need to enable the Use Encrypted Keys field on the SSL tab of the Server window in the Administration Console.

When all fields have been accepted, the Certificate Request Generator servlet generates the following files in the startup directory of your WebLogic Server:

- mydomain_com-key.der: the private key file. The name of this file should go into the Server Key File Name field on the SSL tab in the Administration Console.
- mydomain_com-request.dem: the certificate request file, in binary format.
- mydomain_com-request.pem: the CSR file that you submit. It contains the same data as the .dem file but is encoded in ASCII so that you can copy it into email or paste it into the Web enrolment form.



4 Installing your SSL Server Certificate

You will receive an email from the Registration Authority when your certificate request has been approved that contains a link to a location where your certificate may be obtained. Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:

-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----

Copy everything you see between and including the lines that look like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into an appropriately named text file, e.g. mydomain_com-cert.pem, in the mydomain directory.

Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.

To use a certificate chain, append the additional PEM-encoded CA digital certificates to the digital certificate that was just issued to you for the WebLogic Server. The order is important (include the files in the order of trust). The server digital certificate should be the first digital certificate in the file. The issuer of that digital certificate should come next, and so on until you get to the self-signed root certificate authority certificate. This digital certificate should be the last certificate in the file. You cannot have blank lines between digital certificates. Specify the file in the Server Certificate File attribute on the SSL Attributes tab in the WebLogic Server Administration Console.

To configure WebLogic Server to use the SSL protocol, you need to enter the following information on the SSL tab in the WebLogic Server Administration Console:

- In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for WebLogic Server. If you are using a certificate chain that is deeper than two certificates, you need to include the entire chain in PEM format in the certificate file.
- In the Trusted CA File Name field, enter the full directory location and name of the PEM format digital certificate chain of the issuer of your recently issued WebLogic Server digital certificate.
- In the Server Key File Name field, enter the full directory location and name of the private key file for WebLogic Server.


Use the following command-line option to start WebLogic Server:

-Dweblogic.management.pkpassword=password

where password is the password defined when requesting the digital certificate.

Storing Private Keys and Digital Certificates

Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received into the mydomain directory.

Private key files and digital certificates are generated in either PEM or Distinguished Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file.

A PEM (.pem) format private key file begins and ends with the following lines, respectively:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

A PEM (.pem) format digital certificate begins and ends with the following lines, respectively:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Note: Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain. The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain.

A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file.

Note: If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER format files to PEM format, and vice versa.
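Two of the rules above are easy to get wrong by hand: the chain file must run server certificate, issuing CA, root with no blank lines in between, and the DER-format CA certificates downloaded in section 2 must be re-encoded as PEM before they can go into that file. The script below is an added example written for this guide; it is not a Trustis or WebLogic tool. It converts DER to PEM, splits a PEM file back into certificates, and checks the ordering by comparing each certificate's issuer Name with the next certificate's subject Name, which it reads with a minimal DER walker rather than a library. The three "certificates" it builds (`toy_cert`, the `Example Root CA` / `Example Issuing CA` / `www.mydomain.com` names) are constructed, unsigned X.509 skeletons so that the example runs offline; the checks themselves work on real DER certificates as well.

```python
import base64

def der_tlv(tag, body):
    """Encode one DER tag-length-value (used here only to build the sample certs)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_bytes, offset_after_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def subject_issuer(cert_der):
    """Return (subject, issuer) Name contents by walking Certificate -> tbsCertificate."""
    _, cert, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert, 0)
    tag, _, pos = der_read(tbs, 0)
    if tag != 0xA0:                      # [0] EXPLICIT version is absent in v1 certs
        pos = 0
    _, _, pos = der_read(tbs, pos)       # serialNumber
    _, _, pos = der_read(tbs, pos)       # signature AlgorithmIdentifier
    _, issuer, pos = der_read(tbs, pos)  # issuer Name
    _, _, pos = der_read(tbs, pos)       # validity
    _, subject, _ = der_read(tbs, pos)   # subject Name
    return subject, issuer

CERT_BEGIN, CERT_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_to_pem(cert_der):
    """Re-encode a DER certificate as PEM: base64 in 64-character lines between the markers."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return "\n".join([CERT_BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], CERT_END]) + "\n"

def pem_to_ders(pem_text):
    """Split a PEM file into DER certificates; reject blank lines or stray text between them."""
    ders, b64, inside = [], [], False
    for line in (raw.strip() for raw in pem_text.splitlines()):
        if line == CERT_BEGIN:
            inside, b64 = True, []
        elif line == CERT_END:
            ders.append(base64.b64decode("".join(b64)))
            inside = False
        elif inside:
            b64.append(line)
        else:
            raise ValueError("blank line or text outside certificate markers: %r" % line)
    if inside:
        raise ValueError("file ends inside a certificate block")
    return ders

def check_chain_order(pem_text):
    """Server cert first, each next cert the issuer of the previous, self-signed root last.
    Returns the certificate count, or raises ValueError describing the first problem."""
    names = [subject_issuer(d) for d in pem_to_ders(pem_text)]
    if not names:
        raise ValueError("no certificates found")
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            raise ValueError("certificate %d was not issued by certificate %d" % (i + 1, i + 2))
    if names[-1][0] != names[-1][1]:
        raise ValueError("last certificate is not a self-signed root")
    return len(names)

def build_chain_pem(server_der, ca_ders):
    """Concatenate server cert then CA certs (issuing CA first, root last), no blank lines."""
    return "".join(der_to_pem(d) for d in [server_der, *ca_ders])

# --- Constructed sample data: unsigned X.509 skeletons with placeholder keys, NOT real certs ---
def _name(cn):
    # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID 2.5.4.3, UTF8String } } }
    attr = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, attr))

def toy_cert(subject_cn, issuer_cn):
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    rsa_enc = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
    validity = der_tlv(0x30, der_tlv(0x17, b"100101000000Z") + der_tlv(0x17, b"301231235959Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))       # version v3
                  + der_tlv(0x02, b"\x01")                             # serialNumber
                  + sha256_rsa + _name(issuer_cn) + validity + _name(subject_cn)
                  + der_tlv(0x30, rsa_enc + der_tlv(0x03, b"\x00")))  # placeholder SPKI
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00"))   # placeholder signature

ROOT_DER = toy_cert("Example Root CA", "Example Root CA")
ISSUING_DER = toy_cert("Example Issuing CA", "Example Root CA")
SERVER_DER = toy_cert("www.mydomain.com", "Example Issuing CA")

if __name__ == "__main__":
    chain = build_chain_pem(SERVER_DER, [ISSUING_DER, ROOT_DER])
    print("chain file ok: %d certificates" % check_chain_order(chain))
```

To use it on real files, read the downloaded `.crt` files and your issued certificate as bytes, pass them to `build_chain_pem` in the order server, issuing authority, root, run `check_chain_order` on the result, and only then write it to the file named in the Server Certificate File Name field. The check compares the raw DER Name encodings, which is what a strict chain builder does; it does not verify signatures or validity dates, so it catches ordering and layout mistakes rather than replacing the server's own certificate validation.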


