Back up your SSL certificate: Weblogic BEA

We recommend that you back up your certificate and its corresponding private key in case a hardware failure or other disaster affects your server; the instructions below show you how. They also cover exporting your certificate from one web server and importing the certificate and its private key on another web server.

Part 1 covers the location of the private key and certificate files and shows how to extract the root certificate from the signed certificate file.

Part 2 covers password protecting the private key with the wlkeytool.exe utility.

Part 3 covers setting up SSL on WLS 7.0/8.1.

If you are migrating your certificates from WLS 5.1/6.0/6.1 to WLS 7.0/8.1, follow the steps in all three parts.

If you are migrating your certificates from WLS 7.0 to 8.1, you only need to follow the steps in Part 3.

Part 1

Copy your private key and signed certificate to your new WLS 7.0/8.1 domain. Then extract the root certificate from the signed certificate, because the SSL configuration needs it as a separate file.

Please note: the directions below only work on a Windows machine. Follow them on Windows, then copy the resulting root certificate file to your intended target if that is a different platform.

1

Make a copy of the signed certificate file and give it a '.der' extension instead of '.pem'. The signed certificate file is the one with '-cert.pem' in the name. Keep the rest of the name and change only the extension. Renaming does not change the file's encoding; it only makes Windows open the file in its certificate viewer, which accepts both the Base-64 and the binary form.

2

Double click the new 'www_my_certificate-cert.der' file to open the Certificates window.

3

Go to the Certification Path tab in the Certificates window.

4

In the Certification Path field, click the topmost certificate entry, as this is the root certificate. Windows builds this path from the certificate stores of the machine you are using, so check that the path is shown as complete (no error on the certificate status) before you export the top entry.

5

Click the View Certificate button at the bottom of the field.

6

A new Certificate window will pop up, for the root certificate. Click on the Details tab.

7

Click the Copy to File... button at the bottom.

8

Click Next.

9

Choose the second option, named Base-64 encoded X.509 (.CER), and click the Next button.

10

Click the Browse... button and browse to your domain directory, or to wherever your signed certificate file is. Enter a new name, for example 'root_ca.cer', in the File name: field and press the Save button.

11

Click Next. Click Finish.

12

Click the OK button in each of the Certificate windows to close them.

Now that you have the root certificate file, copy it to the intended target domain if that is on a different machine. Part 1 is complete.

Part 2

In this part you will use WebLogic Server utilities to convert the private key file and then password protect it.

The utilities are: utils.der2pem, utils.pem2der, and wlkeytool.exe.

The wlkeytool.exe utility in WebLogic Server password protects private keys that were previously unprotected. Such keys were usually generated for WLS 5.1/6.0/6.1.

The wlkeytool.exe utility only accepts text based private keys, that is, files with a '.pem' extension, and the private key file has to contain the correct header and footer.

Please follow the steps outlined below to password protect your private key:

1

Run the 'setEnv.sh' (or 'setEnv.cmd') script in your WLS domain directory to set the environment variables.

2

Only follow this step if your private key is binary based, that is, the file has a '.der' extension. Otherwise, go to the next step. A '.der' private key must be converted to text before wlkeytool.exe can use it. Run the following command to make that conversion:

java -classpath /full/qualified/path/weblogic.jar utils.der2pem /full/qualified/path/input_private_key.der

'utils.der2pem' is a WLS utility that converts your binary private key to text.

3

Now that you have a text based private key file, make sure it has the correct header and footer. Open the file in a text editor and check that it looks like this:

-----BEGIN RSA PRIVATE KEY-----

... the Base-64 lines of the actual private key ...

-----END RSA PRIVATE KEY-----

Both the header and the footer use exactly five hyphens on each side, and nothing else may appear on those lines. Also double check that there are no extra carriage returns or spaces before the header or after the footer; wlkeytool.exe will not accept the file otherwise.

4

Your unprotected private key file is now ready to be password protected using the wlkeytool.exe utility. You can find this utility in your '%WLS_Installation%/weblogic700_or_81/server/bin' directory.

Usage for this tool is:

wlkeytool.exe /full/qualified/path/input_file.pem /full/qualified/path/output_file.pem

Replace input_file.pem with the name of your private key file. You can name the output file anything you wish, as long as it keeps the '.pem' extension. We recommend 'pw_input_file.pem', that is, the input file name with 'pw_' prepended, so the password protected file is easy to tell apart from the unprotected one. This is only a recommendation.

When you press Enter to run the utility, it first prompts for the password that currently protects the input key. Since the input key is not protected, press Enter without typing anything.

It then prompts for the password that will protect the private key. Enter the password you wish to use and press Enter. Finally, it asks you to verify the password: enter the same password once more and press Enter.

5

Now that you have the password protected private key, convert it back to binary so that WLS can use it. Run utils.pem2der on the password protected key file written by wlkeytool.exe in the previous step (pw_input_file.pem in the example), not on the certificate:

java -classpath /full/qualified/path/weblogic.jar utils.pem2der /full/qualified/path/pw_input_file.pem

The utility writes the binary key next to the input file with a '.der' extension (pw_input_file.der in the example). This is the file you will reference as ServerKeyFileName in Part 3. Your private key is now password protected, and Part 2 is complete.
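The following script is an added example, not code from the article or from WebLogic. It reproduces, in the Python standard library, what the steps above do with utils.der2pem, the manual header/footer edit and utils.pem2der, so that the key file can be validated on any platform before it is handed to wlkeytool.exe or referenced from config.xml. The function names and the sample bytes in DEMO_DER are this example's own; the sample is a minimal DER SEQUENCE standing in for a key, not a real private key.

```python
"""PEM/DER helpers for the private-key preparation steps in Part 2.

Added example, not WebLogic code: a pure standard-library stand-in for
utils.der2pem, the header/footer check of step 3 and utils.pem2der.
"""
import base64
import binascii
import re

# A PEM envelope line is exactly five hyphens, BEGIN/END, a label, five hyphens.
_ENVELOPE_RE = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")

# Constructed placeholder: a minimal DER SEQUENCE (containing INTEGER 0).
# It is NOT a real RSA key; it only exercises the encoding checks below.
DEMO_DER = b"\x30\x03\x02\x01\x00"


def der_to_pem(der: bytes, label: str = "RSA PRIVATE KEY") -> str:
    """Equivalent of utils.der2pem: wrap DER bytes in a PEM envelope."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def check_pem(text: str) -> list:
    """Return the problems found in a single-block PEM file (empty list = OK).

    Enforces the points from Part 2 step 3: exact header and footer lines,
    matching labels, nothing before the header or after the footer except one
    final newline, and a body that decodes to DER (which starts with the
    SEQUENCE tag 0x30).
    """
    problems = []
    if text[:1].isspace():
        problems.append("whitespace or a blank line precedes the header")
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    if lines and lines[-1] == "":          # the conventional final newline
        lines.pop()
    if lines and lines[-1].strip() == "":
        problems.append("extra blank lines or spaces follow the footer")
        while lines and lines[-1].strip() == "":
            lines.pop()
    if len(lines) < 3:
        problems.append("file does not contain a header, a body and a footer")
        return problems
    head, body, foot = lines[0], lines[1:-1], lines[-1]
    hm = _ENVELOPE_RE.match(head)
    fm = _ENVELOPE_RE.match(foot)
    if hm is None or hm.group(1) != "BEGIN":
        problems.append(f"bad header line: {head!r}")
    if fm is None or fm.group(1) != "END":
        problems.append(f"bad footer line: {foot!r}")
    if hm and fm and hm.group(2) != fm.group(2):
        problems.append("header and footer labels differ")
    if any(ln.strip() == "" for ln in body):
        problems.append("blank line inside the Base-64 body")
    try:
        der = base64.b64decode("".join(ln.strip() for ln in body), validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid Base-64")
        return problems
    if der[:1] != b"\x30":
        problems.append("decoded body does not start with a DER SEQUENCE tag")
    return problems


def pem_to_der(text: str) -> bytes:
    """Equivalent of utils.pem2der, but refuses a malformed file instead of
    silently producing a key file WLS cannot load."""
    problems = check_pem(text)
    if problems:
        raise ValueError("; ".join(problems))
    lines = text.strip().split("\n")       # header, body lines, footer
    return base64.b64decode("".join(ln.strip() for ln in lines[1:-1]), validate=True)


if __name__ == "__main__":
    good = der_to_pem(DEMO_DER)
    # The seven-hyphen footer is the kind of typo that wlkeytool.exe rejects.
    bad = good.replace("-----END RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-------")
    print("well-formed file:", check_pem(good) or "OK")
    print("seven-hyphen footer:", check_pem(bad))
    print("round trip matches:", pem_to_der(good) == DEMO_DER)
```

Run check_pem on the text key before step 4 and pem_to_der (or utils.pem2der) on the password protected key after it; any non-empty result from check_pem is something to fix in the editor before retrying the utility.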

Part 3

You now have the password protected private key, the signed certificate, and the root certificate. This is all that is needed to migrate your certificates.

Please follow steps outlined below to setup SSL on WLS 7.0/8.1:

1

Edit the WLS 7.0/8.1 startup scripts of the Admin and Managed Servers to include the following parameter:

-Dweblogic.management.pkpassword=

Add this parameter to the startup script of every server instance that will use the migrated certificates, and enter the password you used with wlkeytool.exe to protect the private key after the equal (=) sign. Because the password then sits in clear text in the script, restrict read access to the script (and to the domain directory) to the account that runs WebLogic, and keep the script out of any copies or backups that are not protected.

2

If you are using WLS 8.1, please proceed to step 3.

If you are setting up SSL for WLS 7.0, please follow the step outlined here:

Please make a backup copy of your domain's config.xml file. If you make a mistake, you can always get back to the original setup. You will need to edit your 'config.xml' file to include the following parameters:

KeyEncrypted, ServerCertificateChainFileName, ServerCertificateFileName, ServerKeyFileName

Here is an excerpt showing how they look when correctly configured:

<SSL Enabled="true" KeyEncrypted="true" ...

ServerCertificateChainFileName="/full/qualified/path/your_domain/root_certificate.cer"

ServerCertificateFileName="/full/qualified/path/your_domain/signed_certificate-cert.pem"

ServerKeyFileName="/full/qualified/path/your_domain/pw_private-key.der"

...

/>

3

If you are using WLS 7.0, see step 2 instead. If you are setting up SSL for WLS 8.1, follow the step outlined here:

Please make a backup copy of your domain's config.xml file. If you make a mistake, you can always get back to the original setup. You will need to edit your 'config.xml' file to include the following parameters:

KeyEncrypted, ServerCertificateChainFileName, ServerCertificateFileName, ServerKeyFileName, IdentityAndTrustLocations

Here is an excerpt showing how they look when correctly configured:

<SSL Enabled="true" KeyEncrypted="true" IdentityAndTrustLocations="FilesOrKeyStoreProviders" ...

ServerCertificateChainFileName="/full/qualified/path/your_domain/root_certificate.cer"

ServerCertificateFileName="/full/qualified/path/your_domain/signed_certificate-cert.pem"

ServerKeyFileName="/full/qualified/path/your_domain/pw_private-key.der"

...

/>
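As an added example, not part of the article and not WebLogic code, the following Python script checks a config.xml SSL element against the requirements of Part 3 before the server is restarted: the attributes for WLS 7.0 or 8.1 are present with the expected values, the three referenced files exist, and the key file is actually binary DER (the output of utils.pem2der) rather than the PEM text from the wlkeytool.exe step. The function names, the CONFIG_TEMPLATE excerpt and the placeholder files written by demo() are this example's own assumptions; the placeholder contents are constructed stand-ins, not real certificates or keys.

```python
"""Pre-flight check for the <SSL> element edited in Part 3.

Added example, not WebLogic code. Parses the SSL element out of a config.xml
document (or excerpt), checks the attributes Part 3 asks for, and checks
the referenced files. A DER-encoded key starts with the SEQUENCE tag 0x30;
PEM text starts with '-', which is how a skipped utils.pem2der is caught.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

FILE_ATTRS = (
    "ServerCertificateChainFileName",
    "ServerCertificateFileName",
    "ServerKeyFileName",
)

# Constructed excerpt in the shape shown in Part 3 (WLS 8.1 form).
CONFIG_TEMPLATE = (
    '<SSL Enabled="true" KeyEncrypted="true" '
    'IdentityAndTrustLocations="FilesOrKeyStoreProviders" '
    'ServerCertificateChainFileName="{chain}" '
    'ServerCertificateFileName="{cert}" '
    'ServerKeyFileName="{key}"/>'
)


def check_ssl_config(xml_text: str, wls_version: str = "8.1",
                     check_files: bool = True) -> list:
    """Return a list of problems with the SSL configuration (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "SSL" else root.find(".//SSL")
    if ssl is None:
        return ["no <SSL> element found"]
    if ssl.get("Enabled") != "true":
        problems.append('Enabled must be "true"')
    if ssl.get("KeyEncrypted") != "true":
        problems.append('KeyEncrypted must be "true" for a wlkeytool-protected key')
    if wls_version == "8.1" and ssl.get("IdentityAndTrustLocations") != "FilesOrKeyStoreProviders":
        problems.append('WLS 8.1 needs IdentityAndTrustLocations="FilesOrKeyStoreProviders"')
    for attr in FILE_ATTRS:
        path = ssl.get(attr)
        if not path:
            problems.append(f"{attr} is missing")
        elif check_files and not os.path.isfile(path):
            problems.append(f"{attr} points to a missing file: {path}")
    key = ssl.get("ServerKeyFileName")
    if check_files and key and os.path.isfile(key):
        with open(key, "rb") as fh:
            first = fh.read(1)
        if first != b"\x30":
            problems.append("ServerKeyFileName is not DER; run utils.pem2der on the "
                            "password-protected .pem key and point to the .der output")
    return problems


def demo() -> tuple:
    """Build a throwaway domain directory with placeholder files and run the
    check twice: with a DER key, then after the key is left as PEM text."""
    domain = tempfile.mkdtemp(prefix="wls_demo_")
    try:
        paths = {name: os.path.join(domain, fname) for name, fname in
                 (("chain", "root_ca.cer"),
                  ("cert", "www_my_certificate-cert.pem"),
                  ("key", "pw_private-key.der"))}
        # Constructed placeholder contents: PEM-looking text for the two
        # certificate files, a minimal DER SEQUENCE standing in for the key.
        for name in ("chain", "cert"):
            with open(paths[name], "w") as fh:
                fh.write("-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n")
        with open(paths["key"], "wb") as fh:
            fh.write(b"\x30\x03\x02\x01\x00")
        xml_text = CONFIG_TEMPLATE.format(**paths)
        with_der_key = check_ssl_config(xml_text)
        # Simulate skipping Part 2 step 5: the key file still holds PEM text.
        with open(paths["key"], "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n")
        with_pem_key = check_ssl_config(xml_text)
        return with_der_key, with_pem_key
    finally:
        shutil.rmtree(domain, ignore_errors=True)


if __name__ == "__main__":
    der_result, pem_result = demo()
    print("DER key:", der_result or "OK")
    print("PEM key:", pem_result)
```

Point check_ssl_config at the whole config.xml (it locates the SSL element inside the Domain/Server tree) with wls_version set to "7.0" or "8.1" to match step 2 or step 3; an empty list means the four attributes and the three files are in the state this article expects.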
