axmx.net
blogblog

BEA Weblogic 8.1 SSL - Keytool Fun

After much hell, I’ve finally managed to get one-way SSL configured on BEA Weblogic. Normally this is a trivial task, however our good friend Keytool has made this more fun than I wanted it to be. Not sure, but I think I might like the old way of doing it with the files; while less secure, it’s not so much a PITA.

The process is pretty simple once you get keytool down pat. Here’s a summary:

1. Create an identity keystore and a cert request, and send the request to the CA
2. Create a custom trust keystore and load the root CA and intermediate CA certificates into it
3. Load the signed cert into the identity keystore created above
4. Configure WebLogic

Let’s get going!

1. Open a command line window and navigate to the domain root [x:\bea\user_projects\domains\domain] and run this:
setEnv.cmd

2. Use keytool to generate the private key and the identity keystore. This keystore holds the private key and, eventually, the signed certificate you will receive from your Certificate Authority; it is where your actual SSL cert will live:
keytool -genkey -alias identity -keyalg RSA -keysize 1024 -dname "CN=www.yourdomain.com, OU=Department, O=Company, L=City, S=State, C=Country" -keypass [key_password] -keystore [path\to\keystore.jks] -storepass [keystore_password]

3. Next, generate a certificate request based on the private key created above:
keytool -certreq -alias identity -sigalg "MD5withRSA" -file [path\to\put\certreq.pem] -keypass [key_password] -keystore [path\to\keystore.jks] -storepass [keystore_password]

4. Take the .pem file generated in step 3 and send it to a Certification Authority (CA). You will get a response by email with your cert, as well as instructions on how to get the root and intermediate (if required) certificates. When you download them, save the root and intermediate (if required) with a .cer extension.

5. Rename the certificate from the CA to a .pem extension.

6. Run the following command to create the custom trust with your CA’s root and intermediate (if required):
keytool -import -alias rootca -trustcacerts -file [path\to\rootcacert.cer] -keystore [path\to\new\customtrust.jks] -storepass [keystore_password]

If you need to use an intermediate, run this too; otherwise skip to step 7:

keytool -import -alias intermediateca -trustcacerts -file [path\to\intermediatecacert.cer] -keystore [path\to\new\customtrust.jks] -storepass [keystore_password]

7. Hit enter. It MAY prompt you to trust this certificate; say “Yes”. Or it may say the certificate is already trusted; that’s OK, just trust it again.

8. Now import the signed certificate provided by your CA into your identity keystore, under the same alias as the private key:
keytool -import -trustcacerts -alias identity -file [path\to\your\cert.pem] -keypass [key_password] -keystore [path\to\your\keystore.jks] -storepass [keystore_password]

9. Hit enter. It MAY prompt you to trust this certificate; say “Yes”.

10. Start the WebLogic server.

11. Configure SSL in the WebLogic console:
- Enable the SSL listen port
- Configure any channels you may need
- Set up SSL using “Custom Identity and Custom Trust”, pointing the identity at the keystore from step 2 and the trust at the custom trust keystore from step 6
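Before touching the console, it is worth confirming that the two keystores actually came out as intended. The script below is an added example, not part of the original post: it parses the output of `keytool -list -v -keystore ...` (run against each keystore) and flags the failure modes this procedure tends to hit, namely a chain of length 1 after step 8 (the CA reply was never imported over the self-signed key), a missing or non-trusted CA entry in the custom trust keystore from step 6, and an MD5-signed certificate in the chain. The alias names identity, rootca and intermediateca are the ones used above; the sample keytool output is constructed and shortened.

```python
# Added example, not from the original post. Sample output below is constructed and
# shortened; the field names match real `keytool -list -v` output.
SAMPLE_IDENTITY = """\
Alias name: identity
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.yourdomain.com, OU=Department, O=Company, L=City, ST=State, C=Country
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: MD5withRSA
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: SHA1withRSA
"""

def parse_keytool_list(text):
    """Split `keytool -list -v` output into one dict per alias."""
    entries, cur = [], None
    for line in text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Alias name":
            cur = {"alias": val, "type": "", "chain": 0, "sigalgs": []}
            entries.append(cur)
        elif cur and key == "Entry type":
            cur["type"] = val
        elif cur and key == "Certificate chain length":
            cur["chain"] = int(val)
        elif cur and key == "Signature algorithm name":
            cur["sigalgs"].append(val)
    return entries

def check_identity(entries, alias="identity"):
    """Findings for the identity keystore: after step 8 the key must carry a CA-signed chain."""
    e = next((x for x in entries if x["alias"] == alias), None)
    if e is None:
        return [f"no '{alias}' entry: step 2 was not run against this keystore"]
    findings = []
    if e["type"] not in ("PrivateKeyEntry", "keyEntry"):  # older JDKs print keyEntry
        findings.append(f"'{alias}' holds no private key")
    if e["chain"] < 2:
        findings.append("chain length 1: still self-signed, CA reply not imported (step 8)")
    if any(a.upper().startswith("MD5") for a in e["sigalgs"]):
        findings.append("MD5-signed certificate in chain: ask the CA for a SHA-2 signature")
    return findings

def check_trust(entries, required=("rootca", "intermediateca")):
    """Findings for the custom trust keystore from step 6: CA certs must be trusted entries."""
    types = {e["alias"]: e["type"] for e in entries}
    return [f"'{a}' missing or not a trustedCertEntry (step 6)"
            for a in required if types.get(a) != "trustedCertEntry"]
```

Pipe the real keytool output into parse_keytool_list and run check_identity on the identity keystore and check_trust on the custom trust keystore; an empty list from each means the stores match what steps 2 through 8 were meant to produce.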

If you’re fairly competent with WLS, you should know how the rest goes… ENJOY!

