This document provides instructions for installing SSL certificate on BEA Weblogic Server 8.0 -10.0.
Step 1. Download the SSL Certificate & Intermediate CA Certificate
- Download your certificate from the unique secure link we provide your technical contact via order fulfillment email.
- The ZIP file you downloaded contains the following certificates:
- SSL certificate (i.e. ssl_certificate.pem, also known as end entity certificate, public key certificate, digital certificate or identity certificate).
- Intermediate CA certificate (i.e. IntermediateCA.pem, also known as chained certificate or signer/issuer of the SSL certificate).
- Unzip the files onto the server where you will install the certificate.
- Open the Intermediate CA file, copy the content and paste it right below the SSL certificate.
- The SSL certificate file looks like this when completed:
(Intermediate CA certificate)
- Provide a name and save the SSL certificate file (e.g. ssl_certificate.pem) on the server.
Step 2: Install the SSL certificate
- Using the java keytool command line utility, import the pem file you created in step 1 into the keystore named mykeystore in the working directory. At the command prompt, enter:
keytool -import -alias tomcat -keystore /path_to_keystore/mykeystore -file ssl_certificate.pem
NOTE: The command should be typed on one line. Your keystore path and name may be different.
If you are unable to use these instructions for your server, Symantec recommends that you contact either the vendor of your software or an organization that supports Oracle Weblogic server.
Step 3: Configure the SSL certificate and trust keystores for WebLogic server
- In the Weblogic console, on the left pane, expand Environment option and select Servers.
- Click the name of the server for which you want to configure the identity and trust keystores. Select Configuration > Keystores.
- In the Keystores field, select the method for storing and managing private keys/digital certificate pairs and trusted CA certificates. These options are available:
- Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the
BEA_HOME\server\lib directory and the JDK
cacerts keystore, are configured by default. Use for development only.
- Custom Identity and Java Standard Trust: A keystore you create and the trusted CAs defined in the
cacerts file in the
- Custom Identity and Custom Trust: Identity and trust keystores you create.
- Custom Identity and Command Line Trust: An identity keystore you create and command-line arguments that specify the location of the trust keystore.
- In the Identity section, define attributes for the identity keystore.
- Custom Identity Keystore: The fully qualified path to the identity keystore.
- Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
- Custom Identity Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore so whether or not you define this property depends on the requirements of the keystore.
NOTE: The passphrase for the Demo Identity keystore is
- In the Trust section, define properties for the trust keystore.
- If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password.
- If you chose Custom Trust, define the following attributes:
- Custom Trust Keystore: The fully qualified path to the trust keystore.
- Custom Trust Keystore Type: The type of the keystore. Generally, this attribute is JKS; if left blank, it defaults to JKS.
- Custom Trust Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore so whether or not you define this property depends on the requirements of the keystore.
- Click Save.
- To activate these changes, in the Change Center of the Administration Console, click Activate Changes
NOTE: Not all changes take effect immediately—some require a restart.
All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections will continue to run with the old configuration. To ensure that all the SSL connections exist according to the specified configuration, you must reboot WebLogic Server.
Use the Restart SSL button on the Control: Start/Stop page to restart the SSL server when changes are made to the keystore files and need to be applied for subsequent connections without rebooting WebLogic Server.
Step 4: Verify certificate installation
Verify your installation with the DigiCert Installation Checker
For additional information, see BEA Weblogic Support website.