SSL Certificate: Cannot convert identity certificate

Weblogic Web Server SSL Certificate:

A client called today and said they needed to change the wildcard SSL certificate they were using on one of their external web servers. This seemed like a simple enough request, so:

Step 1:

Get Client to send the new SSL Certificate in pfx format.

Step 2:

Using Portecle, “a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more”, load the PFX SSL certificate.

Step 3:

Convert the new keystore to JKS format.

Step 4:

Reset the password to the SSL Certificate and set the Alias name to the Alias already in use.

Step 5:

Export the PEM-encoded certificate to a file with the extension .CRT, which allows the SSL certificate to be opened easily in Windows.

Step 6:

Export the intermediate and root certificates in X.509 format (base-64 encoded).

Step 7:

Import the intermediate and root trusted certificates (the ones just exported in Step 6) back into the keystore.

Step 8:

Take the SSL certificate in PEM format, append the intermediate certificate in PEM format, then append the root Certificate Authority (CA) certificate in PEM format. This creates a full certificate chain in PEM format.

Step 9:

In Portecle, import the full certificate chain in PEM format as the CA Reply for the certificate. This step matters: without the chain, Firefox reports certificate errors.

Results:

The new JKS keystore holds three entries: the server certificate with its private/public key pair, the intermediate certificate, and the root certificate.

Install New SSL Certificate Keystore:

Log into the Weblogic server, rename the existing SSL certificate keystore, and upload the new keystore using the original keystore filename.

Restart the server, and………..

BOOOOOOOM!

ERROR:  <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Cannot convert identity certificate.>

Well, that’s new! A quick search on Google and some checking turned up that the new certificate was signed with SHA256withRSA, while the old one used SHA1withRSA.

As it turns out, Weblogic versions prior to 10.3.4 cannot use certificates signed with SHA256withRSA, because the default Certicom SSL implementation does not support them. Since this web server is version 10.3.6, the fix is to enable JSSE SSL instead.

The JSSE setting is under the Advanced options on the SSL tab for the server in question in the Weblogic console. Once it was enabled and the web server restarted, the new SSL certificate and keystore worked!
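The signature-algorithm mismatch above only surfaced after the restart failed. As an added check (not part of the original post, and not Portecle or Weblogic code), the script below reads the chain file built in Step 8 and reports the signature algorithm of every certificate in it using only the Python standard library; SAMPLE_CHAIN is a constructed stand-in for that file, and the function names are my own.

```python
import base64
import re

# Signature-algorithm OIDs the post contrasts; any other OID is reported in dotted form.
SIG_OIDS = {"1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA"}

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = read_tlv(der)
    _, _, pos = read_tlv(cert)             # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg)              # first element is the algorithm OID
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def chain_algorithms(pem_text):
    """Signature algorithm of each certificate in a PEM chain file, in file order."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blobs]

def _pem(der_hex):
    body = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: two minimal DER "certificates" (dummy tbsCertificate, empty
# signature) carrying the real sha256WithRSA and sha1WithRSA OIDs, as a PEM chain.
SAMPLE_CHAIN = (
    _pem("3018" "3003020101" "300d06092a864886f70d01010b0500" "03020000")   # SHA256withRSA
    + _pem("3018" "3003020101" "300d06092a864886f70d0101050500" "03020000")  # SHA1withRSA
)

RESULT = chain_algorithms(SAMPLE_CHAIN)  # → ['SHA256withRSA', 'SHA1withRSA']
```

Run it against the real chain file (`chain_algorithms(open("chain.pem").read())`) before uploading the keystore; any SHA256withRSA entry on a pre-10.3.4 Weblogic, or on 10.3.6 without JSSE enabled, is the condition that produced BEA-090034 here.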

Knowledge Reference:

Check out Wikipedia’s page on SHA-2 for more information.