(Internal)CA signed certificate on WebLogic & same CA cert(public key) on my machine. Browser still doesn't trust

StackOverflow https://stackoverflow.com/questions/9812285

Question

Created Private Key & Self signed certficate in a Key Store

keytool -genkey -alias mydomain -keystore mydomain.ks -dname cn=mydomain.com -keyalg RSA -sigalg SHA1withRSA

Created Certificate Request and sent to Internal CA

keytool -certreq -alias mydomain -keystore mydomain.ks -file mydomain_project.csr

Once Internal(Company) CA issues the certificate - which looks like something like this

e.g. -----BEGIN CERTIFICATE----- MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 -----END CERTIFICATE-----

Copied this to a .pem file

Update the self signed certifcate in (identity) KeyStore with CA signed certificate & Created a new Java Key Store(Trust) CA signed certificate(using the .pem file)

keytool -import -alias mydomain -trustcacerts -file company_cert.pem -keystore mydomain.ks

keytool -import -alias mydomain -trustcacerts -file company_cert.pem -keystore trust.jks

On Weblogic I imported the keystores as follows and Enabled SSL.

Identity - mydomain.ks (with Private Key + CA certificate)

Trust - trust.jks (which has CA certificate)

Issue: Once I hit my internal site deployed on the weblogic. I get a message - Not a trusted certificate. I then download the certifcate from the browser only then https works.but the certificate shows it is signed bythe domain name I gave, instead of my Internal CA name.

Question: I expected it to work(with out actually downloading again) as I already have Internal CA certificates and other internal applications work on https. Did I do any thing wrong?

Was it helpful?

Solution 2

I solved my problem. Thanks user384706.

Basically once you get a signed .pem file(with START & END) from CA.

Before you import this signed certificate to replace the self-signed in your keystore(Identity Keystore to be configured on WebLogic). We need to make sure

1) CA root certificates(Verisign's or your company signed CA certificates) are imported to the same Keystore. You can find CA root certs on your windows box (run-certmgr.msc).

2) Also make sure that all these alias names are the same -

  • self-signed cert
  • cert request
  • while importing CA cert

OTHER TIPS

I am not sure how/where you imported the certificate as you say but the browser has a different truststore than java.
So you have to add it as an exception to its truststore the first time you access the site.

As far as the domain name that is displayed the browser pops up the certificate as send by the server

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top