In this article, we will learn about the SSL certificate renewal activity in Oracle Weblogic Server and Oracle HTTP Server (OHS). SSL renewal is a key activity from an infrastructure perspective: if even a single SSL certificate expires or is not renewed on time, it leads to major issues for the application, and users who try to access the application will get an SSL error.
So, Let’s Begin.
Weblogic SSL Certificate Renewal
In Oracle Weblogic Server, mainly there are 2 important Keystores i.e. TRUST & IDENTITY Keystores. You can easily find the Keystore Name and their respective paths in the $DOMAIN_HOME/config/config.xml file.
Step 1: – Identify the Expiring Certificate: Run the command below to see the expiry dates of all the SSL certificates present in the keystore file.
$JAVA_HOME/bin/keytool -v -list -keystore <keystore_path> -storepass <keystore_password>
The above command lists every alias in the keystore together with the expiry date of its SSL certificate.
Note: The alias is the name under which an entry is stored in the keystore, and it is how each SSL certificate in the keystore file is identified. Each SSL certificate has a different alias name.
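On a keystore with many entries, the verbose listing is long, so it helps to reduce it to the aliases that need attention. The following is an added example, not part of the original article: it parses saved `keytool -v -list` output and reports each alias, its entry type and the earliest expiry in its chain. It assumes keytool's English date format and ignores the time zone token; the function names and the sample listing are constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
TYPE_RE = re.compile(r"^Entry type:\s*(\S+)")
# Matches e.g. "until: Wed Jan 10 00:00:00 UTC 2024"; the zone token is skipped.
UNTIL_RE = re.compile(r"until:\s+\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")

# Constructed sample of `keytool -v -list` output (trimmed to the parsed fields).
SAMPLE = """\
Alias name: server_cert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Tue Jan 10 00:00:00 UTC 2023 until: Wed Jan 10 00:00:00 UTC 2024
Certificate[2]:
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030

Alias name: root_ca
Entry type: trustedCertEntry
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Mon Jan 01 00:00:00 UTC 2035
"""

def parse_keytool_listing(text):
    """Return {alias: (entry_type, earliest_expiry_in_chain)}."""
    entries, alias, etype = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS_RE.match(line):
            alias, etype = m.group(1), None
        elif m := TYPE_RE.match(line):
            etype = m.group(1)
        elif alias and (m := UNTIL_RE.search(line)):
            until = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            if alias not in entries or until < entries[alias][1]:
                entries[alias] = (etype, until)
    return entries

def expiring(entries, now, days=30):
    """Entries already expired or expiring within `days`, soonest first."""
    cutoff = now + timedelta(days=days)
    return sorted((until, alias, etype)
                  for alias, (etype, until) in entries.items() if until <= cutoff)

if __name__ == "__main__":
    # Pass a file holding saved keytool output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for until, alias, etype in expiring(parse_keytool_listing(text), datetime.now()):
        print(f"{until:%Y-%m-%d}  {alias}  ({etype})")
```

The entry type column shows whether an alias holds a private key with its certificate chain (PrivateKeyEntry) or only a trusted certificate (trustedCertEntry).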
Step 2: – Import the Renewed Certificate: Once you receive the renewed SSL certificate from the Certificate Authority (CA), run the commands below to renew/import the certificate:
Delete the Existing Expired Certificate from the Keystore:
$JAVA_HOME/bin/keytool -delete -alias <alias_name> -keystore <keystore_path> -storepass <keystore_password>
Import the Renewed SSL Certificate into the Keystore:
$JAVA_HOME/bin/keytool -importcert -trustcacerts -alias <alias_name> -file <Renewed_Certificate.cer> -keystore <keystore_path> -storepass <keystore_password>
Check the New Expiry of the Renewed SSL Certificate:
$JAVA_HOME/bin/keytool -v -list -alias <alias_name> -keystore <keystore_path> -storepass <keystore_password>
If you have more than one keystore, follow the same steps for each keystore to renew the SSL certificate.
OHS SSL Certificate Renewal
Follow the steps below to renew the SSL certificate in the OHS wallet file:
Step 1: – Move Existing Default Wallet: Run the commands below to move the existing wallet present in the OHS.
cd $OHS_HOME/<OHS_Component>/config/fmwconfig/components/OHS/<OHS_Component>/keystores
mv default default_<current_date>
Step 2: – Create identity.jks file: You need to create an identity.jks file from the Identity keystore, specifying the alias name of the certificate which you want to renew in the OHS wallet.
$JAVA_HOME/bin/keytool -importkeystore -srckeystore <identity_keystore_path> -srcstoretype pkcs12 -srcalias <alias_name_of_certificate> -destkeystore <identity.jks_file> -deststoretype jks -deststorepass <pass_of_jks_file> -destalias <alias_name_of_certificate>
Step 3: – Create OHS Wallet: Run the below command to create the default OHS wallet.
$OHS_HOME/oracle_common/bin/orapki wallet create -pwd <password_wallet> -auto_login -wallet $OHS_HOME/<OHS_Component>/config/fmwconfig/components/OHS/<OHS_Component>/keystores/default
Step 4: – Import the Cert to the wallet: Run the command below to import the renewed SSL certificate into the default OHS wallet that we have just created in the previous step.
$OHS_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet $OHS_HOME/<OHS_Component>/config/fmwconfig/components/OHS/<OHS_Component>/keystores/default -pwd <password_wallet> -keystore <identity.jks_file> -jkspasswd <pass_of_jks_file>
Step 5: – Verify the Certificate: To verify whether we have imported the correct certificate or not, run the command below to display the certificates in the wallet:
$OHS_HOME/oracle_common/bin/orapki wallet display -wallet $OHS_HOME/<OHS_Component>/config/fmwconfig/components/OHS/<OHS_Component>/keystores/default -pwd <password_wallet>
That’s it. Now, you can start both the Weblogic & OHS and verify all the required services.
Hope it helps!