Jun 07 2012


There are two ways to generate certificates for WebLogic Server.

1. CA Signed Certs

CA Signed certificates are recommended. Some well-known Certificate Authorities (CAs) are listed below:


2. Self-Signed Certs

Self-Signed Certificates are meant to secure the communication between servers and WebLogic Server components, such as Node Manager.

Below are steps for creating and using Self-Signed Certificates in WebLogic Server.

Below are the locations and passwords assumed.

Certificates will be located at: /opt/ssl/tmp

Generate the certificate on the machine where the remote Node Manager runs.


Create a Directory. For example:
mkdir /opt/ssl/tmp
Get into the directory. For example:
cd /opt/ssl/tmp
Run the following keytool command:

keytool -genkey -alias selfsignedcert -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365

Expected output:
What is your first and last name?
[Unknown]: tp.techpaste.com => Machine name
What is the name of your organizational unit?
[Unknown]: Support => Organizational Unit
What is the name of your organization?
[Unknown]: TechPaste => Organization
What is the name of your City or Locality?
[Unknown]: Boston => City
What is the name of your State or Province?
[Unknown]: Massachusetts => State
What is the two-letter country code for this unit?
[Unknown]: US => Country code
Is CN=tp.techpaste.com, OU=Support, O=TechPaste, L=Boston, ST=Massachusetts, C=CL correct?
[no]: yes
Export the certificate from the identity keystore into a file, for example root.cer:

keytool -export -alias selfsignedcert -file root.cer -keystore identity.jks

Expected Output:
Enter keystore password: <password>
Certificate stored in file <root.cer>
Import the certificate you exported into trust.jks.
keytool -import -alias selfsignedcert -trustcacerts -file root.cer -keystore trust.jks
Expected Output:
Enter keystore password:
Re-enter new password:
Owner: CN=tp.techpaste.com, OU=Support, O=Oracle, L=Boston, ST=Massachusetts, C=CL
Issuer: CN=tp.techpaste.com, OU=Support, O=Oracle, L=Boston, ST=Massachusetts, C=CL
Serial number: 4e1b67e3
Valid from: Mon Jul 11 17:15:15 CLT 2011 until: Tue Jul 10 17:15:15 CLT 2012
Certificate fingerprints:
MD5: 74:EC:1E:90:05:EC:E6:49:62:52:B9:72:20:BF:30:3F
SHA1: 5C:6E:80:94:9C:72:15:DC:F7:5F:49:DD:2F:2B:D2:49:7C:4C:0C:A0
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Repeat these steps on each machine that has a Node Manager.


Log into the WLS Administration Console.
Go to Environment -> Domain -> Servers -> Admin Server.
Go to the Keystores tab and click on change.
Select Custom Identity and Custom Trust.
Fill in the fields with the following information:

Custom Identity Keystore: /opt/ssl/tmp/identity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
Custom Trust Keystore: /opt/ssl/tmp/trust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password
Save configuration and click on activate changes if necessary.
On the SSL tab, fill in the fields with the following information:

Private Key Alias: selfsignedcert
Private Key Passphrase: privatepassword
Confirm Private Key Passphrase: privatepassword


Modify nodemanager.properties. Insert the following lines at the end:



When a server is started through Node Manager, the start may fail with a security exception (for example a BAD CERTIFICATE error).

If this is the case, configure Node Manager to use SSL instead of a plain connection:

– Environment > Machines

– Select machine to configure

– Go to Configuration > Node Manager and set the type to SSL




NOTE: Disabling hostname verification is not recommended in production environments. This is only recommended for testing purposes.

The hostname verification ensures that the hostname in the URL to which the client connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.

To disable hostname verification for testing purposes, follow these steps:

Go to Environment -> Domain -> Servers -> Admin Server.

Click on the SSL tab.

Click on Advanced.

On Hostname Verification, select NONE.

Save and activate changes.
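As an added example (not part of the original post), the keytool steps above done non-interactively, followed by a check of the exact condition hostname verification enforces: the certificate's CN must equal the address the Machine's Node Manager is configured with. It assumes keytool from a JDK is on PATH; the host name nm1.example.com and the directory /tmp/ssl-example are constructed placeholders, while the alias and passwords are the page's own.

```shell
#!/bin/sh
# Added example, not the post's own commands. Non-interactive version of the
# identity.jks / root.cer / trust.jks procedure, plus a CN check.
set -eu

SSL_DIR="${SSL_DIR:-/tmp/ssl-example}"   # the post uses /opt/ssl/tmp
ALIAS="selfsignedcert"
STORE_PASS="password"
KEY_PASS="privatepassword"

# Create identity.jks, export root.cer and import it into trust.jks.
# $1 = host name placed in the CN; it must be the Node Manager listen address.
# -storetype JKS keeps the stores in the format the console config expects
# (JDK 9+ would otherwise default to PKCS12).
create_keystores() {
    host="$1"
    mkdir -p "$SSL_DIR"
    # -dname replaces the interactive prompts shown in the post; 2048-bit key
    # is an added choice, the post leaves the size at keytool's default.
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keypass "$KEY_PASS" -keystore "$SSL_DIR/identity.jks" -storetype JKS \
        -storepass "$STORE_PASS" -validity 365 \
        -dname "CN=$host, OU=Support, O=TechPaste, L=Boston, ST=Massachusetts, C=US"
    keytool -export -alias "$ALIAS" -file "$SSL_DIR/root.cer" \
        -keystore "$SSL_DIR/identity.jks" -storetype JKS -storepass "$STORE_PASS"
    keytool -import -noprompt -alias "$ALIAS" -trustcacerts -file "$SSL_DIR/root.cer" \
        -keystore "$SSL_DIR/trust.jks" -storetype JKS -storepass "$STORE_PASS"
}

# Print the CN of the exported certificate (the "Owner:" line of -printcert).
cert_cn() {
    keytool -printcert -file "$SSL_DIR/root.cer" \
        | sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CN equals the address configured for the Machine's Node
# Manager. A mismatch here (for example an IP address in the console but a
# host name in the CN) is what produces the BAD CERTIFICATE error; the fix is
# to regenerate the certificate with the right CN, not to disable verification.
cn_matches_listen_address() {
    [ "$(cert_cn)" = "$1" ]
}
```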

In the Node Manager startup script, look for the JAVA line and add the following option:


After this change, the script should look like this:

"${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v



  4 Responses to “How to create self signed certificate in Weblogic”

  1. very useful information.

  2. Hi,
    anyone please reply.
    Can you explain with an example?

    If there are two managed servers and the same domain is configured on both servers, but one server has crashed, how can you create a domain with the same configuration?
