Create Java Keystore in Fusion Middleware

Oracle Fusion Middleware

 

1. Create a directory, for example: $MIDDLEWARE_HOME/keystores

2. Run the following to set the environment:

cd $MIDDLEWARE_HOME/user_projects/domains/<domain>/bin
> ../setDomainEnv.sh

3. Create a keystore and private key, by executing the following command:

keytool -genkey -alias <alias> -keyalg RSA -keysize 1024 -dname <dn> -keypass <password> -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -genkey -alias server_cert -keyalg RSA -keysize 1024 -dname “CN=server.us.oracle.com,OU=Support,O=TechPaste,L=REDWOOD,ST=CA,C=USA” -keypass welcome -keystore keystore.jks -storepass welcome

where server.us.techpaste.com is the host.domain of the server.

Make sure you take note of the -alias, -keypass, and -storepass parameters as these will be required later in the process.

4. At this point take a backup of the keystore e.g: keystore.jks

5. To view the contents of the keystore created, execute the following command:

keytool -list -v -keystore <keystore> -storepass <password>

For example:

$MIDDLEWARE_HOME/keystores> keytool -list -v -keystore keystore.jks -storepass welcome

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Sep 13, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.us.techpaste.com, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Issuer: CN=server.us.techpaste.com, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Serial number: 14c8e1ad5
Valid from: Mon Sep 13 13:36:37 BST 2012 until: Sun Dec 12 12:36:37 GMT 2012
Certificate fingerprints:
MD5: 1A:4A:3B:42:7E:BD:94:65:67:0E:9B:02:28:90:D6:A8
SHA1: C1:53:48:50:EB:F1:FD:A0:DC:28:9F:EF:3B:C8:FB:22:82:9F:8E:EE
Signature algorithm name: SHA1with RSA
Version: 3
*******************************************
*******************************************


6. Create a Certificate Signing Request (CSR) using the following command:

keytool -certreq -v -alias <alias> -file <filename> -keypass <password> -storepass <password> -keystore <keystore>

For example:

MIDDLEWARE_HOME/keystores/> keytool -certreq -v -alias server_cert -file server.csr -keypass welcome -storepass welcome -keystore keystore.jks

Make sure you use the same -alias, -storepass and -keypass passwords from Step 3.

The CSR (server.csr) created looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtzCCASACAQAwdzELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQMA
4GA1UEBxMHUmVhZGluZzEPMA0GA1UEChMGT3JhY2xlMRAwDgYDVQQLEwdTdXBwb3J0
MR8wHQYDVQQDExZtYXJzaGFsbC51ay5vcmFjbGUuY29tMIGfMA0GCSqGSIb3DQEBA
QUAA4GNADCBiQKBgQCEopgMZp1lI6jWXxb1rM1kWIc1l8bhiV/0UTcsdKzeaSHxbO
SLO3Ed9kxNWAZgXaR9f5FBlwkaRJ+IR163e64v3SplHenxHfVRaHYWPZx4KlJz/6p
Yd1fAlF0PdQm1DNoFtKmCHVk/cRuvGRpsp38l7K2mYlyQ+GxH38llS7g3owIDAQAB
oAAwDQYJKoZIhvcNAQEFBQADgYEAD/sG1+rSI76OjihHg3WezT+VIbSRJxyly9nbx
4uwXbDHh8DGgQLAXV51C9ioaMrm+dM0eygVDDMESXFxvJiYipS/pphgYt1xDBgnEH
GcNiX3BnTaLNtzYlc5eAMsmbDlpk/qOxvQiH3bKN+UKYQlBXJZWPL6FusXu2LMTrk
zsY=
-----END NEW CERTIFICATE REQUEST-----

7. Send this CSR to a Certificate Authority (CA) of your choice.

8. Once you have received the Certificate back you will need to import this along with the Trusted Root CA certificate(s) that signed it, into your keystore.

Take the server certificate and save it a file called server.cer. Take the Certificate Authority’s root certificate and save to a file called rootCA.cer in your keystore directory e.g $MIDDLEWARE_HOME/keystores. Repeat this step for any more Root CA certificates in the chain e.g rootCA2.cer etc..

9. Import the CA’s root certificate into your keystore using the following command:

keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>

For example:

$ORACLE_MIDDLEWARE/keystores> keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass welcome

Certificate was added to keystore
[Storing keystore.jks]

Repeat this for each Root CA certificate in the chain, and use a different alias each time.

10. Import the Server Certificate into your keystore using the following command:

keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>

For example:

$MIDDLEWARE_HOME/keytores> keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass welcome -storepass welcome

Certificate reply was installed in keystore
[Storing keystore.jks]

Make sure you use the same -alias from Step 3.

11. To view the contents of the keystore, execute the following command:

keytool -list -v -keystore keystore.jks -storepass welcome

For example:

$MIDDLEWARE_HOME/keystores> keytool -list -v -keystore keystore.jks -storepass welcome

Alias name: rootcacert
Creation date: Sep 13, 2012
Entry type: trustedCertEntry

Owner: CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Issuer: CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Serial number: c47f4774c2ef014c
Valid from: Fri Jan 09 10:27:18 GMT 2009 until: Mon May 26 11:27:18 BST 2036
Certificate fingerprints:
MD5: E9:24:39:56:DE:34:44:DB:46:93:45:93:8E:82:66:AC
SHA1: 17:39:92:C0:43:9B:28:F3:C2:54:55:9B:5E:97:CA:EE:71:5D:9C:26
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false

[CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA]
SerialNumber: [ c47f4774 c2ef014c]
]

*******************************************
*******************************************

Alias name: server_cert
Creation date: Sep 13, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.us.techpaste.com, OU=Support, O=TechPaste, L=REDWOOD, ST=CA,
C=USA
Issuer: CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Serial number: e
Valid from: Mon Sep 13 14:02:00 BST 2012 until: Sat Sep 22 14:02:00 BST 2012
Certificate fingerprints:
MD5: CB:B8:07:32:22:B5:76:78:44:BB:94:D2:CE:EF:A3:CA
SHA1: 1E:3E:C6:BC:17:EB:43:50:19:01:0B:11:50:D8:23:60:21:B2:57:3E
Signature algorithm name: MD5withRSA
Version: 1
Certificate[2]:
Owner: CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA
Issuer: CN=SSL Training CA, OU=Support, O=TechPaste, L=Readin g, ST=CA, C=USA
Serial number: c47f4774c2ef014c
Valid from: Fri Jan 09 10:27:18 GMT 2009 until: Mon May 26 11:27:18 BST 2036
Certificate fingerprints:
MD5: E9:24:39:56:DE:34:44:DB:46:93:45:93:8E:82:66:AC
SHA1: 17:39:92:C0:43:9B:28:F3:C2:54:55:9B:5E:97:CA:EE:71:5D:9C:26
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 67 57 BA 54 BB 9B C0 38 9A 71 AA 28 82 23 4B 08 gW.T...8.q.(.#K.
0010: 72 B9 FC C1 r...
]

[CN=SSL Training CA, OU=Support, O=TechPaste, L=REDWOOD, ST=CA, C=USA]
SerialNumber: [ c47f4774 c2ef014c]
]

*******************************************
*******************************************

12. Now the keystore is ready for use.

In case of any ┬ęCopyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply