How To Create a Java Keystore via Keytool in FMW 11g/12c


Posted by Patrick Hamou on 2017:09:11 17:34:02

APPLIES TO:

Oracle WebLogic Server - Version 10.3.1 to 12.1.3.0.0
Oracle Fusion Middleware - Version 11.1.1.1.0 to 12.1.3.0.0 [Release Oracle11g to 12c]
Information in this document applies to any platform.

GOAL

How To Create a Java KeyStore (JKS) via Keytool in FMW 11g/12c

SOLUTION

FMW 11g
This Note is part of a number of articles written for SSL Configuration in FMW 11g.
Please read Note 1218695.1  Master Note for SSL Configuration in Fusion Middleware 11g
Make sure you have read Note 1218603.1 Understanding Wallets and Keystores in Fusion Middleware 11g/12c before following this article.

This note should be followed for creating a Java KeyStore for WebLogic Server (WLS), SOA, WebCenter, Directory Integration and Provisioning (DIP), and Oracle Directory Server Manager (ODSM).
To create a keystore for Oracle Virtual Directory refer to: 7.3.3.1 Creating a Keystore Using Fusion Middleware Control or 7.3.3.2 Creating a Keystore Using WLST

FMW 12c
This Note is part of a number of articles written for SSL Configuration in FMW 12c.
Please read Note 1628909.1 Master Note for SSL Configuration in Fusion Middleware 12c
Make sure you have read Note 1218603.1 Understanding Wallets and Keystores in Fusion Middleware 11g/12c before following this article.




How To Create a Java Keystore via Keytool in FMW 11g/12c

All the commands below reference $MIDDLEWARE_HOME for FMW 11g. If using FMW 12c, replace $MIDDLEWARE_HOME with $ORACLE_HOME.

1. Create a directory, for example: $MIDDLEWARE_HOME/keystores
2. Run the following to set the environment on UNIX:

cd $MIDDLEWARE_HOME/user_projects/domains/<domain>/bin
. ./setDomainEnv.sh

Or on Windows:

cd %MIDDLEWARE_HOME%\user_projects\domains\<domain>\bin
setDomainEnv.cmd

3. Create a keystore and private key, by executing the following command:

keytool -genkey -alias <alias> -keyalg RSA -keysize 1024 -sigalg SHA256withRSA -dname <dn> -keypass <password> -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -genkey -alias server_cert -keyalg RSA -keysize 1024 -sigalg SHA256withRSA -dname "CN=server.uk.oracle.com,OU=Support,O=Oracle,L=Reading,ST=Berkshire,C=GB" -keypass welcome -keystore keystore.jks -storepass welcome

where server.uk.oracle.com is the host.domain of the server.

Important: The above is an EXAMPLE. You may edit all of the parameters according to what is allowed by the tool and as in Oracle Documentation for your version.

Make sure you take note of the -alias, -keypass, and -storepass parameters as these will be required later in the process.

4. At this point, take a backup of the keystore, e.g. keystore.jks.
5. To view the contents of the keystore created, execute the following command:

keytool -list -v -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -list -v -keystore keystore.jks -storepass welcome

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Sep 13, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Serial number: 4c8e1ad5
Valid from: Mon Sep 13 13:36:37 BST 2010 until: Sun Dec 12 12:36:37 GMT 2010
Certificate fingerprints:
MD5: 1A:4A:3B:42:7E:BD:94:65:67:0E:9B:02:28:90:D6:A8
SHA1: C1:53:48:50:EB:F1:FD:A0:DC:28:9F:EF:3B:C8:FB:22:82:9F:8E:EE
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************

If you are happy using a self-signed certificate, then this keystore is enough and you can move to step 12. Otherwise, if you need a certificate signed by a real CA, continue below.


6. Create a Certificate Signing Request (CSR) using the following command:

keytool -certreq -v -alias <alias> -file <filename> -sigalg SHA256withRSA -keypass <password> -storepass <password> -keystore <keystore>

For example:

$MIDDLEWARE_HOME/keystores> keytool -certreq -v -alias server_cert -file server.csr -sigalg SHA256withRSA -keypass welcome -storepass welcome -keystore keystore.jks

Make sure you use the same -alias, -storepass and -keypass passwords from Step 3.

The CSR (server.csr) created looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

7. Send this CSR to a Certificate Authority (CA) of your choice.

8. Once you have received the certificate back, you will need to import it, along with the trusted root CA certificate(s) that signed it, into your keystore.

Note: If you are unsure what the correct trusted certificates are, see Note 1368940.1 How To Identify The Correct Trusted Root Certificate Authority Certificate(s) for a User Certificate?


Take the server certificate and save it to a file called server.cer. Take the Certificate Authority's root certificate and save it to a file called rootCA.cer in your keystore directory, e.g. $MIDDLEWARE_HOME/keystores. Repeat this step for any further root CA certificates in the chain, e.g. rootCA2.cer.

9. Import the CA's root certificate into your keystore using the following command:

keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass welcome

Certificate was added to keystore
[Storing keystore.jks]

Repeat this for each Root CA certificate in the chain, and use a different alias each time.

10. Import the Server Certificate into your keystore using the following command:

keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass welcome -storepass welcome
Certificate reply was installed in keystore
[Storing keystore.jks]

Make sure you use the same -alias from Step 3.

11. To view the contents of the keystore, execute the following command:

keytool -list -v -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -list -v -keystore keystore.jks -storepass welcome

Alias name: rootcacert
Creation date: Sep 13, 2010
Entry type: trustedCertEntry

Owner: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Serial number: c47f4774c2ef014c
Valid from: Fri Jan 09 10:27:18 GMT 2009 until: Mon May 26 11:27:18 BST 2036
Certificate fingerprints:
MD5: E9:24:39:56:DE:34:44:DB:46:93:45:93:8E:82:66:AC
SHA1: 17:39:92:C0:43:9B:28:F3:C2:54:55:9B:5E:97:CA:EE:71:5D:9C:26
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]

[CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB]
SerialNumber: [ c47f4774 c2ef014c]
]

*******************************************
*******************************************

Alias name: server_cert
Creation date: Sep 13, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Serial number: e
Valid from: Mon Sep 13 14:02:00 BST 2010 until: Sat Sep 22 14:02:00 BST 2012
Certificate fingerprints:
MD5: CB:B8:07:32:22:B5:76:78:44:BB:94:D2:CE:EF:A3:CA
SHA1: 1E:3E:C6:BC:17:EB:43:50:19:01:0B:11:50:D8:23:60:21:B2:57:3E
Signature algorithm name: SHA256withRSA
Version: 1
Certificate[2]:
Owner: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Serial number: c47f4774c2ef014c
Valid from: Fri Jan 09 10:27:18 GMT 2009 until: Mon May 26 11:27:18 BST 2036
Certificate fingerprints:
MD5: E9:24:39:56:DE:34:44:DB:46:93:45:93:8E:82:66:AC
SHA1: 17:39:92:C0:43:9B:28:F3:C2:54:55:9B:5E:97:CA:EE:71:5D:9C:26
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]

[CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB]
SerialNumber: [ c47f4774 c2ef014c]
]

*******************************************
*******************************************

12. At this point the keystore is ready for use. To use this keystore with WLS, refer back to the Master Note for your version:
Note 1218695.1 Master Note for SSL Configuration in Fusion Middleware 11g
or
Note 1628909.1 Master Note for SSL Configuration in Fusion Middleware 12c
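Before handing the keystore to WLS it is worth checking the step 11 listing mechanically rather than by eye. The following Python is an added example (not part of the Oracle note): it parses the server entry out of `keytool -list -v` output and reports a broken chain, a certificate that is expired or not yet valid, a missing CA reply, and a v1 leaf certificate (which carries no extensions, so no SubjectAltName). LISTING is a constructed, cut-down copy of the step 11 output.

```python
import re
from datetime import datetime

# Constructed sample: the step 11 listing above, cut down to the fields this check reads.
LISTING = """\
Alias name: server_cert
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Valid from: Mon Sep 13 14:02:00 BST 2010 until: Sat Sep 22 14:02:00 BST 2012
Version: 1
Certificate[2]:
Owner: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Issuer: CN=SSL Training CA, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB
Valid from: Fri Jan 09 10:27:18 GMT 2009 until: Mon May 26 11:27:18 BST 2036
Version: 3
"""

def _date(text):
    # keytool prints e.g. 'Mon Sep 13 14:02:00 BST 2010'; strptime rejects zone names, so drop it
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def parse_chain(listing, alias):
    """Return one alias's certificate chain as a list of dicts, leaf (Certificate[1]) first."""
    entry = listing.split("Alias name: " + alias + "\n", 1)[1].split("Alias name:", 1)[0]
    chain = []
    for block in re.split(r"Certificate\[\d+\]:\n", entry)[1:]:
        cert = dict(re.findall(r"^(Owner|Issuer|Version): (.*)$", block, re.M))
        valid = re.search(r"Valid from: (.*) until: (.*)", block)
        cert["from"], cert["until"] = _date(valid.group(1)), _date(valid.group(2))
        chain.append(cert)
    return chain

def check_chain(chain, today):
    """Return findings for the chain as of 'today' (YYYY-MM-DD); empty means it looks usable."""
    now, findings = datetime.strptime(today, "%Y-%m-%d"), []
    for i, cert in enumerate(chain, 1):
        if not cert["from"] <= now <= cert["until"]:
            findings.append(f"Certificate[{i}] not valid on {today}")
        if i < len(chain) and cert["Issuer"] != chain[i]["Owner"]:  # link to the next cert up
            findings.append(f"Certificate[{i}] issuer does not match Certificate[{i + 1}] owner")
    if chain[-1]["Owner"] != chain[-1]["Issuer"]:
        findings.append("chain does not end in a self-signed root CA certificate")
    if len(chain) == 1:
        findings.append("only one certificate in the chain: the CA reply from step 10 is not installed")
    if chain[0]["Version"] == "1":
        findings.append("server certificate is X.509 v1: no extensions, so no SubjectAltName")
    return findings
```

Feed it the real output with `parse_chain(open("listing.txt").read(), "server_cert")` and the date you care about; on the sample above it reports only the v1 leaf for a 2011 date, and adds an expiry finding for any date after Sep 22, 2012.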

 
