SSL Certificate: Cannot convert identity certificate

Weblogic Web Server SSL Certificate:

A client called today and said they needed to change the wildcard SSL certificate that they were using on one of their external web servers. This seemed like a simple enough request, so:

Step 1:

Get Client to send the new SSL Certificate in pfx format.

Step 2:

Using Portecle (“a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more”), load the PFX SSL Certificate.

Step 3:

Convert the new keystore to JKS format.

Step 4:

Reset the password on the SSL Certificate entry and set its alias to the alias already in use on the server.

Step 5:

Export the PEM encoded certificate to a file and set the file extension to .CRT, which allows the SSL Certificate to be opened easily in Windows.

Step 6:

Export the intermediate and root certificates in Base64-encoded X.509 (PEM) format.

Step 7:

Import the intermediate and root trusted certificates (the ones just exported in Step 6) back into the keystore.

Step 8:

Take the SSL Certificate in PEM format, append the Intermediate certificate in PEM format, and then append the Root Certificate Authority (CA) certificate in PEM format. This creates a full certificate chain in PEM format, ordered from the server certificate up to the root.

Step 9:

In Portecle, update the CA Reply of the Certificate with the full certificate chain in PEM format. This step is important so that no certificate errors are reported by the Firefox browser.

Results:

The new JKS keystore now holds three entries: the SSL Certificate key pair (private key plus public certificate), the Intermediate certificate, and the Root certificate.

Install New SSL Certificate Keystore:

Log into the Weblogic Server and rename the existing SSL Certificate Keystore and upload the new SSL Certificate Keystore using the original SSL Certificate Keystore filename.

Restart the server, and………..

BOOOOOOOM!

ERROR:  <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Cannot convert identity certificate.>

Well, that’s new! A quick investigation on Google and some checking turned up that the new certificate was signed with SHA256withRSA, while the old one used SHA1withRSA.

As it turns out, Weblogic releases prior to 10.3.4 cannot use certificates signed with SHA256withRSA, because their default SSL stack is the Certicom implementation. Since this web server is version 10.3.6, the fix is to enable JSSE SSL instead.

That setting is under the advanced options of the Weblogic console, on the SSL tab for the Server in question. Once JSSE was enabled and the web server restarted, the SSL Certificate and new keystore worked!
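Two things in this post are worth checking before a keystore ever reaches the server: that the PEM chain built in Step 8 really is ordered server certificate, then intermediate, then root, and which signature algorithm each certificate carries (the SHA1withRSA versus SHA256withRSA difference behind the BEA-090034 error). The script below is an added example, not code from the post, Oracle or Portecle; it parses the certificates with only the Python standard library, comparing raw issuer and subject DER bytes for the chain check. The certificate names and the sample certificates it builds are constructed for the demo (they carry no real keys or signatures); point `check_chain` at the contents of a real full-chain PEM file to use it.

```python
"""Inspect a PEM certificate chain with only the Python standard library.

Added example, not Smart Panda's or Oracle's code. Given a bundle in the
order step 8 builds (server cert, then intermediate, then root CA) it reports
each certificate's signature algorithm and verifies that every certificate
is issued by the one that follows it. Sample names and certs are constructed.
"""
import base64
import re

# Signature OIDs from RFC 3279 / RFC 4055, dotted form -> Java-style name.
SIG_OIDS = {"1.2.840.113549.1.1.5": "SHA1withRSA",
            "1.2.840.113549.1.1.11": "SHA256withRSA",
            "1.2.840.113549.1.1.13": "SHA512withRSA"}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Elements of a constructed value as (tag, contents, raw_tlv_bytes)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, end = _tlv(value, pos)
        out.append((tag, inner, value[pos:end]))
        pos = end
    return out


def _decode_oid(data):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_certificate(der):
    """Signature algorithm plus raw issuer/subject Name bytes of one DER cert."""
    tbs, sig_alg, _sig = _children(_tlv(der, 0)[1])[:3]
    alg_oid = _decode_oid(_children(sig_alg[1])[0][1])   # AlgorithmIdentifier.algorithm
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # tbsCertificate order: serialNumber, signature, issuer, validity, subject, ...
    return {"sig": SIG_OIDS.get(alg_oid, alg_oid),
            "issuer": fields[2][2], "subject": fields[4][2]}


def check_chain(pem_text):
    """(issuer_order_ok, [signature algorithm per cert]) for a leaf-first bundle.

    Raw Name DER is compared byte-for-byte: a certificate's issuer field must
    equal the subject field of the certificate that follows it in the file.
    """
    certs = [parse_certificate(d) for d in pem_to_der_list(pem_text)]
    ok = all(certs[i]["issuer"] == certs[i + 1]["subject"] for i in range(len(certs) - 1))
    return ok, [c["sig"] for c in certs]


# --- constructed sample data (no real keys or signatures; demo only) -----------
_OID_CN, _OID_RSA = b"\x55\x04\x03", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"


def _der(tag, body):
    """Tiny DER encoder (short and two-byte long form) for the sample certs."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, _OID_CN) + _der(0x0C, cn.encode()))))


def make_sample_cert(subject_cn, issuer_cn, sig_oid):
    """Structurally valid but unsigned X.509 v3 cert (zero signature, dummy key)."""
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, _OID_RSA) + _der(0x05, b"")) + _der(0x03, b"\x00\x30\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sample_bundle(in_order=True):
    """Leaf, intermediate, root as step 8 concatenates them (or deliberately shuffled)."""
    leaf = make_sample_cert("*.example.com", "Example Intermediate CA", SHA256_RSA)
    inter = make_sample_cert("Example Intermediate CA", "Example Root CA", SHA256_RSA)
    root = make_sample_cert("Example Root CA", "Example Root CA", SHA1_RSA)
    return "".join([leaf, inter, root] if in_order else [leaf, root, inter])


if __name__ == "__main__":
    for label, bundle in (("correct order", sample_bundle()), ("shuffled", sample_bundle(False))):
        ok, algs = check_chain(bundle)
        print(f"{label}: issuer chain ok={ok}, algorithms={algs}")
```

A root CA that is still SHA1withRSA is normal and harmless (the root's own signature is never verified by clients), so the algorithm list is most useful for the first two entries: if the server or intermediate certificate reports SHA256withRSA and the server is older than Weblogic 10.3.4, or is 10.3.x with the Certicom stack still active, expect the “Cannot convert identity certificate” error until JSSE is enabled.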

Knowledge Reference:

Check out Wikipedia’s page on the SHA-2 hash functions.

SSL – Show me the private key

I have to admit I struggle to understand why SSL is one of the weirdest and most difficult things I get stuck configuring about 2 or 3 times a year. Today I was trying to see a private key, as I had a REN server that would not boot properly after a new SSL certificate was installed, and I wanted to compare the key that REN was loading with what I had in my certificate.

It turns out that I had done something very similar a few weeks ago, but in reverse, and I posted this blog on it.

This time, in order to see the private key, you have to take the JKS keystore, convert it to a PKCS#12 (p12) keystore, and then export the private key. Again, nothing is ever easy with SSL, so this requires two tools: keytool and openssl. You can get openssl from the great folks at SourceForge.

First the conversion from jks to p12:

keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12

Secondly, now that you have the p12 keystore you can extract the private key:

openssl pkcs12 -in myp12file.p12 -out private.pem

Wildcard Certificates and PeopleSoft keystores

I love to use the wildcard certificates that you can get from providers like GoDaddy. However, there is a serious problem once you create your CSR, generate your certificate and import it into your keystore. It works great on this system, but I just said it is a wildcard certificate! So when I go to my next system and want to use the same certificate, what am I to do? If I generate a new CSR it will revoke my other server’s certificate. I need the private key from the original certificate, and I haven’t found a nice way to do that in PeopleSoft yet.

I had a client give me their wildcard certificate in PKCS#12 (pfx) format, which PeopleSoft does not like at all. However, I found this great command that will take the pfx certificate and convert it into its own JKS keystore. This works awesome: all I need to do is import the root and intermediate certificates into the keystore (they are almost always available from the certificate provider), and now I have a keystore that works within PeopleSoft. Once I assign the keystore and the alias within the Weblogic console, I am ready to go!

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

I found that I can create a keystore and a new private key / CSR using Portecle, which is a great tool for working with keystores. Once I create a new CSR and use it to generate a wildcard certificate, I import the certificate into the keystore, import the root and intermediate certificates into the keystore, and then save the keystore in JKS format, and I am good to go! Put the new keystore into the keystore folder within your PIA site ({domain}\piaconfig\keystore). Next you need to go into your Weblogic console and set the PIA domain to accept the new keystore and assign the alias from the keystore for the SSL certificate.