Using the Keytool Utility

Configuring Identity and Trust 11-5

11.4.1 Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates

You have multiple choices for obtaining private keys, digital certificates, and trusted CA certificates for your WebLogic Server environment. When choosing, note the following considerations:

■ You can obtain keys, certificates, and trusted CA artifacts from the CertGen utility, the keytool utility, or a reputable vendor such as Entrust or Symantec Corporation. However, for a production environment, you should obtain private keys and digital certificates only from a reputable certificate authority such as Entrust or Symantec Corporation.

■ You can also use the digital certificates, private keys, and trusted CA certificates provided by WebLogic Server. However, these should be used in a development environment only.

This section describes the tools and methods for obtaining keys, certificates, and trusted CA certificates. The following topics are included:

■ Section 11.4.1.1, Using the Keytool Utility
■ Section 11.4.1.2, Using the CertGen Utility
■ Section 11.4.1.3, Using Your Own Certificate Authority
■ Section 11.4.1.4, Converting a Microsoft p7b Format to PEM Format
■ Section 11.4.1.5, Obtaining a Digital Certificate for a Web Browser
■ Section 11.4.1.6, Using Certificate Chains (Deprecated)

11.4.1.1 Using the Keytool Utility

Keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.

For an example of using keytool to obtain key pairs, a self-signed server certificate, and a trusted CA certificate, see Section 11.5, Creating a Keystore: An Example. For complete details about keytool, see keytool — Key and Certificate Management Tool at http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

Table 11–1 lists keytool commands commonly used for creating and using JKS keystores with WebLogic Server. In this table, brackets surrounding an option signify that the user is prompted for the values if the option is not specified on the command line.

Note: When you use the keytool utility, the default key pair generation algorithm is Digital Signature Algorithm (DSA). WebLogic Server does not support DSA. Specify another key pair generation and signature algorithm when using WebLogic Server.

11-6 Securing Oracle WebLogic Server

Caution: Although the keytool command includes options for specifying passwords, which are described in Table 11–1, you should never include unencrypted passwords in command lines. Instead, you should allow keytool to prompt you for any required passwords after you enter the command, as in the following example. User input is shown in bold.

C:\DOMAIN_NAME>keytool -genkeypair -keystore MyKeyStore
Enter keystore password:
Re-enter new password:

Unlike passwords that are specified in command-line options, passwords entered in response to prompts are not echoed in the command window, and are not captured in logs, which allows for secure password input.
Table 11–1 Commonly Used keytool Commands (each command is followed by its description)

keytool -genkeypair -keystore keystorename -storepass keystorepassword
    Generates a key pair (a public key and associated private key) and a self-signed digital certificate in a keystore. If the keystore does not exist, it is created.

keytool -importcert -alias aliasforprivatekey -file privatekeyfilename.pem -keyfilepass privatekeypassword -keystore keystorename -storepass keystorepassword
    Updates the self-signed digital certificate with one signed by a trusted CA.

keytool -importcert -alias rootCA -trustcacerts -file RootCA.pem -keystore trust.jks -storepass keystorepassword
keytool -importcert -alias intermediate -trustcacerts -file Intermediate.pem -keystore keystorename -storepass keystorepassword
    Creates a custom keystore to be used for holding an intermediate CA certificate.
    ■ The first keytool command creates the keystore, trust.jks, which holds the root CA certificate.
    ■ The second keytool command imports the intermediate CA certificate into trust.jks. This enables WebLogic Server's SSL implementation to transmit the intermediate certificate with the server's public certificate to the client during the SSL handshake.

keytool -importcert -alias aliasfortrustedca -trustcacerts -file trustedcafilename.pem -keystore keystorename -storepass keystorepassword
    Loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.

keytool -certreq -alias alias -sigalg sigalg -file certreq_file -keyfilepass privatekeypassword -storetype keystoretype -keystore keystorename -storepass keystorepassword
    Generates a Certificate Signing Request (CSR), using the PKCS10 format, and a self-signed certificate with a private key. Stores the CSR in the specified certreq_file, and the certificate/private key pair as a key entry in the specified keystore under the specified alias.

keytool -list -keystore keystorename
    Displays the contents of the keystore.

keytool -delete -keystore keystorename -storepass keystorepassword -alias privatekeyalias
    Deletes the entry identified by the specified alias from the keystore.

keytool -help
    Provides online help for keytool.
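The two rules stated above for WebLogic (the Note: never let keytool fall back to its DSA default; the Caution: never pass passwords on the command line) can be checked mechanically before a command from Table 11–1 is run, for instance in a build script or when reviewing shell history. The following Python linter is an added example, not part of the Oracle documentation or of keytool itself; the function name lint_keytool_command is my own, and the table's -keyfilepass option is treated as a password option alongside keytool's real -keypass.

```python
import shlex

# Options whose value is a password. Per the Caution above, these should be
# omitted so that keytool prompts for them. -storepass, -keypass, -srcstorepass
# and -deststorepass are real keytool options; -keyfilepass is included only
# because Table 11-1 uses it.
SECRET_OPTS = {"-storepass", "-keypass", "-srcstorepass", "-deststorepass",
               "-keyfilepass"}

# Commands that create a key pair and therefore select a key algorithm.
KEYGEN_CMDS = {"-genkeypair", "-genkey"}


def lint_keytool_command(cmdline):
    """Check one keytool command line against the WebLogic guidance above.

    Returns (findings, sanitized): findings lists the problems found;
    sanitized is the same command with every password option removed, so
    that keytool prompts for the password instead of reading it from argv.
    """
    argv = shlex.split(cmdline)
    findings = []
    kept = []
    keyalg = None
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in SECRET_OPTS:
            findings.append(f"{tok} given on the command line; "
                            "let keytool prompt for it instead")
            i += 2  # drop the option together with its value
            continue
        if tok == "-keyalg" and i + 1 < len(argv):
            keyalg = argv[i + 1]
        kept.append(tok)
        i += 1
    if KEYGEN_CMDS & set(argv):
        if keyalg is None:
            findings.append("no -keyalg given; keytool defaults to DSA, "
                            "which WebLogic Server does not support")
        elif keyalg.upper() == "DSA":
            findings.append("-keyalg DSA; WebLogic Server does not support DSA")
    return findings, shlex.join(kept)


if __name__ == "__main__":
    # Constructed samples: the first row of Table 11-1 with a literal
    # password, and a compliant RSA key pair generation.
    for line in ("keytool -genkeypair -keystore keystorename -storepass changeit",
                 "keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore identity.jks"):
        problems, safe = lint_keytool_command(line)
        print(safe, problems)
```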

11.4.1.2 Using the CertGen Utility