Article Purpose: This step-by-step article provides instructions for backing up your certificate in BEA WebLogic.
- Part 1 covers the correct location of the private key and certificate files, and shows how to extract the root certificate from the signed certificate file.
- Part 2 covers password-protecting the private key with the wlkeytool.exe utility.
- Part 3 covers setting up SSL on WLS 7.0/8.1.
- If you are migrating your certificates from WLS 5.1/6.0/6.1 to WLS 7.0/8.1, you will need to follow the detailed steps outlined in all three parts.
- If you are migrating your certificates from WLS 7.0 to 8.1, you only need to follow the detailed steps outlined in Part 3.
You will need to copy your private key and signed certificate to your new WLS 7.0/8.1 domain. Once you have done that, you will need to extract the root certificate from the signed certificate, as it is needed for the SSL configuration. Note: The directions below only work on a Windows machine. If your target is a different platform, follow the steps below on a Windows machine and then copy the resulting root certificate file to the intended target.
- Make a copy of the signed certificate file, and give it a .der extension instead of .pem. The signed certificate file should be the one with -cert.pem in the name. The full name can stay the same. Only change the extension.
- Double click the new www_my_certificate-cert.der file to open the Certificates window.
- Go to the Certification Path tab in the Certificates window.
- In the Certification Path field, click on the topmost certificate entry, as this is the root certificate.
- Click the View Certificate Button at the bottom of the field.
- A new Certificate window will pop up for the root certificate. Click on the Details tab.
- Click the Copy to File button at the bottom.
- Click Next.
- Choose the second option, named Base-64 encoded X.509 (.CER), and click the Next button.
- Click the Browse button, and find the location of your domain, or the location of your signed certificate file. Give the file a new name; for example, name it root_ca.cer, in the File name: field, and press the Save button.
- Click Next. Click Finish.
- Click the OK button to exit the Certificate windows.
- Now that you have the root certificate file, copy it to the intended target domain if it is on a different machine. You have now completed Part 1.
In this section you will use several WebLogic Server utilities to convert the private key file and then protect it with a password. The utilities are utils.der2pem, utils.pem2der, and wlkeytool.exe.
The wlkeytool.exe utility in WebLogic Server is used to password protect private keys that were previously unprotected. These private keys were usually generated to work with WLS 5.1/6.0/6.1.
The wlkeytool.exe utility only accepts text-based private keys (those with a .pem extension), and the private key file has to contain the correct header and footer. Please follow the steps outlined below to password-protect your private key.
- Please run the setEnv.sh/cmd script to set the environment variables. Your WLS domain will have this file.
- Only follow this step if your private key is binary-based (the file has a .der extension). Otherwise, please go to the next step.
java -classpath /full/qualified/path/weblogic.jar utils.der2pem /full/qualified/path/input_private_key.der
utils.der2pem is a WLS utility that converts your binary (DER) private key to text (PEM).
- Now that you are working with a text-based private key file, make sure that it has the correct header and footer. Open your private key file in any text editor and check that it begins and ends with exactly these tags:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Make sure the file contains the header and footer shown above. Also, double-check that there are no extra carriage returns or extra spaces before the header or after the footer.
- Your unprotected private key file is now ready to be password protected using the wlkeytool.exe utility. You can find this utility in the directory:
To use this tool:
wlkeytool.exe /full/qualified/path/input_file.pem /full/qualified/path/output_file.pem
Replace the input_file.pem parameter with the name of your private key file. You can name the output file anything you wish, as long as it keeps the .pem extension. We usually recommend pw_input_file.pem: it keeps the same naming convention as the input file, and the pw_ prefix lets you tell at a glance that this file is password protected. This is only a recommendation; name the output file as you wish.
Once you press Enter to run the utility, the first prompt asks for the password to unprotect the private key. Since the input private key is not protected, just press Enter without entering any characters.
The next prompt asks for the password to protect the private key. Enter the password you wish to use, then press Enter. The final prompt asks you to verify that password: re-enter the same password once more and press Enter.
- Now that we have the password-protected private key, we have to convert it back to binary so WLS can use it. Run utils.pem2der against the password-protected key file that wlkeytool.exe wrote (pw_input_file.pem if you followed the naming recommendation above):
java -classpath /full/qualified/path/weblogic.jar utils.pem2der /full/qualified/path/pw_input_file.pem
You are now done with Part 2 and your private key is password protected.
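The checks in Part 2 (is the key binary or text, are the header and footer exactly right, is there stray whitespace before or after them) are easy to get wrong by eye. The following Python script is an added example, not part of the original article or of the WebLogic tools: it classifies a key file as DER or PEM, reports the problems wlkeytool.exe would trip over, and rewrites a PEM key in the clean form. The sample keys are constructed placeholders, not real private keys, and the file names are assumptions.

```python
import base64
import binascii
import re

# Exact header and footer the article says wlkeytool.exe requires.
PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PEM_FOOTER = "-----END RSA PRIVATE KEY-----"


def classify_key(data: bytes) -> str:
    """Return "der" for a binary key, "pem" for a text key, "unknown" otherwise.

    A DER-encoded RSA key starts with the ASN.1 SEQUENCE tag 0x30; a PEM key
    is ASCII text carrying the BEGIN/END markers.
    """
    if data[:1] == b"\x30":
        return "der"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if PEM_HEADER in text and PEM_FOOTER in text:
        return "pem"
    return "unknown"


def check_pem_key(text: str) -> list:
    """Return the problems found in a PEM key; an empty list means it is clean."""
    problems = []
    if PEM_HEADER not in text:
        problems.append("missing header " + PEM_HEADER)
    if PEM_FOOTER not in text:
        problems.append("missing footer " + PEM_FOOTER)
    if problems:
        return problems
    head = text.index(PEM_HEADER)
    foot = text.index(PEM_FOOTER)
    if text[:head] != "":
        problems.append("extra characters before header")
    trailer = text[foot + len(PEM_FOOTER):]
    if trailer not in ("", "\n", "\r\n"):
        problems.append("extra characters after footer")
    # Anything between the markers must be base64 (a stray "." after the
    # header, for example, is rejected here).
    body = re.sub(r"\s+", "", text[head + len(PEM_HEADER):foot])
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        problems.append("body between header and footer is not valid base64")
    return problems


def normalize_pem_key(text: str) -> str:
    """Rebuild the key as header, 64-column base64 lines, footer, one newline."""
    head = text.index(PEM_HEADER) + len(PEM_HEADER)
    body = re.sub(r"\s+", "", text[head:text.index(PEM_FOOTER)])
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + "\n"


# Constructed samples: the body is arbitrary bytes, not real key material.
_FAKE_BODY = base64.b64encode(b"constructed sample bytes, not a real RSA key").decode()
SAMPLE_GOOD = PEM_HEADER + "\n" + _FAKE_BODY + "\n" + PEM_FOOTER + "\n"
# Blank lines before the header and trailing spaces after the footer, the
# exact mistakes the article warns about.
SAMPLE_BAD = "\r\n\r\n" + SAMPLE_GOOD + "  \r\n"
SAMPLE_DER = b"\x30\x82\x01\x22\x02\x01\x00"  # start of a DER SEQUENCE (constructed)

if __name__ == "__main__":
    for label, key in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, classify_key(key.encode()), check_pem_key(key) or "clean")
    print("der", classify_key(SAMPLE_DER))
    print(normalize_pem_key(SAMPLE_BAD), end="")
```

Run check_pem_key on the file you intend to feed to wlkeytool.exe; if it reports anything, write the output of normalize_pem_key to a new file and retry. classify_key tells you whether the der2pem step applies at all.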
You now have the password-protected private key, the signed certificate, and the root certificate. This is all that is needed to migrate your certificates. Please follow the steps outlined below to set up SSL on WLS 7.0/8.1.
- You will need to edit your WLS 7.0/8.1 startup scripts (Admin and Managed Servers) to include the following parameter:
This parameter must be added to the startup script of every server instance that will use the migrated certificates. After the equals (=) sign, enter the password you used to protect the private key with the wlkeytool.exe utility.
- If you are using WLS 8.1, please proceed to step 3. If you are setting up SSL for WLS 7.0, please follow the step outlined here.
Please make a backup copy of your domain's config.xml file. If you make a mistake, you can always get back to the original setup. You will need to edit your 'config.xml' file to include the following parameters:
KeyEncrypted, ServerCertificateChainFileName, ServerCertificateFileN
Here is an example excerpt showing how they look when correctly configured:
<SSL Enabled="true" KeyEncrypted="true" ...
- If you are using WLS 7.0, please see step 2. If you are setting up SSL for WLS 8.1, please follow the step outlined here.
Please make a backup copy of your domain's config.xml file. If you make a mistake, you can always get back to the original setup. You will need to edit your 'config.xml' file to include the following parameters: KeyEncrypted, ServerCertificateChainFileName, ServerCertificateFileName, ServerKeyFileName, IdentityAndTrustLocations
Here is an example excerpt showing how they look when correctly configured:
<SSL Enabled="true" KeyEncrypted="true" IdentityAndTrustLocations="FilesOrKeyStoreProviders" ...
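Because the <SSL> element must be correct on every server that uses the migrated certificates, it is worth checking config.xml before starting the domain. The following Python script is an added example, not part of the original article or of WebLogic: it parses a config.xml and reports, per server, which of the attributes the article lists for WLS 8.1 are missing, whether KeyEncrypted is set to true, and whether ServerKeyFileName points at the binary (.der) key that Part 2 produces. The config.xml excerpt is constructed for the example; only the attribute names come from the article, and the server names and file names are placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes the article lists for the WLS 8.1 <SSL> element.
REQUIRED_SSL_ATTRS = (
    "KeyEncrypted",
    "ServerCertificateChainFileName",
    "ServerCertificateFileName",
    "ServerKeyFileName",
    "IdentityAndTrustLocations",
)

# Constructed config.xml excerpt (not a real domain). "myserver" follows the
# article; "managed1" shows the mistakes the audit is meant to catch.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Name="myserver" ListenPort="7001">
    <SSL Enabled="true" KeyEncrypted="true"
         IdentityAndTrustLocations="FilesOrKeyStoreProviders"
         ServerCertificateChainFileName="root_ca.cer"
         ServerCertificateFileName="www_my_certificate-cert.pem"
         ServerKeyFileName="pw_input_file.der" Name="myserver"/>
  </Server>
  <Server Name="managed1" ListenPort="7003">
    <SSL Enabled="true" KeyEncrypted="false"
         ServerCertificateFileName="www_my_certificate-cert.pem"
         ServerKeyFileName="input_file.pem" Name="managed1"/>
  </Server>
</Domain>
"""


def audit_ssl_config(config_xml: str) -> dict:
    """Map each server name to the list of problems found on its <SSL> element."""
    root = ET.fromstring(config_xml)
    findings = {}
    for server in root.iter("Server"):
        name = server.get("Name", "?")
        problems = []
        ssl = server.find("SSL")
        if ssl is None:
            problems.append("no <SSL> element")
        elif ssl.get("Enabled", "false").lower() != "true":
            problems.append("SSL is not enabled")
        else:
            for attr in REQUIRED_SSL_ATTRS:
                if ssl.get(attr) is None:
                    problems.append("missing attribute " + attr)
            # Without KeyEncrypted="true" the password from the startup
            # script is never applied to the protected key.
            if ssl.get("KeyEncrypted", "").lower() != "true":
                problems.append("KeyEncrypted is not true")
            key = ssl.get("ServerKeyFileName", "")
            # Part 2 ends with utils.pem2der, so the configured key should be
            # the binary .der output (assumption: the .der naming is kept).
            if key and not key.lower().endswith(".der"):
                problems.append("ServerKeyFileName does not point to the .der key from utils.pem2der")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for server, problems in audit_ssl_config(SAMPLE_CONFIG).items():
        print(server + ":", "; ".join(problems) if problems else "ok")
```

Point audit_ssl_config at the contents of your backed-up config.xml; a server that comes back with an empty list has every attribute the article asks for. For WLS 7.0, drop IdentityAndTrustLocations from REQUIRED_SSL_ATTRS, since the article lists it only for 8.1.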