It's all about Weblogic..!!

June 8, 2010

Steps to create a csr using keytool and sign with verisign

Filed under: * Security — streethawkz @ 8:16 pm

Generating Certificates :

To setup certificate configurations, ensure that you have a set of the following certificates:

  • PRIVATE key
  • PUBLIC key

Step 1 – Create demo private keys

There are three ways to create a private key:

  • keytool
  • Certificate Servlet
  • openssl

keytool (from your JDK)

To generate the private key:

Usage: keytool -genkey      [-v] [-alias <alias>] [-keyalg <keyalg>]
[-keysize <taille_cle>] [-sigalg <sigalg>]
[-dname <nomd>] [-validity <joursval>]
[-keypass <mot_passe_cle>] [-keystore <keystore>]
[-storepass <mot_passe_store>] [-storetype <type_store>]
[-provider <classe_fournisseur>] ...

keytool -genkey -keyalg RSA -alias mykey -keystore identity.jks
Enter keystore password:  password
What is your first and last name?
[Unknown]:  puneeth
What is the name of your organizational unit?
[Unknown]:  wls
What is the name of your organization?
[Unknown]:  BEA
What is the name of your City or Locality?
[Unknown]:  Bangalore
What is the name of your State or Province?
[Unknown]:  Karnataka
What is the two-letter country code for this unit?
[Unknown]:  IN
Is CN=puneeth, OU=wls, O=BEA, L=Bangalore, ST=Karnataka, C=IN correct?
[no]:  yes

Enter key password for <mykey>
(RETURN if same as keystore password):

As a result you obtain the file identity.jks, containing the private key and a self-signed certificate for the public key.

Step 2 – Sign the public key by a trusted CA

The next step is to have the public key signed by a known CA. This is done by generating the CSR (Certificate Signing Request) and sending it to one of the Certificate Authorities.

keytool -certreq -keystore identity.jks
Enter keystore password :  password


Copy and paste the whole request (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) into the Certification Authority's request form.

The following example uses the Verisign CA:

  • Go to the Verisign site
  • Click on SSL Trial ID
  • Fill in all your details and copy and paste your generated CSR
  • Verisign will then send you an email with the PEM content of the public key. Save it under public.pem
  • A link to the Verisign CA root certificate is given — save it under a new file such as rootCA.pem

Import the CA root certificate into your keystore. If there is an intermediate CA, import it as well, after the CA root:

keytool -import -alias verisignCA -file rootCA.pem -keystore identity.jks -trustcacerts

keytool -import -alias verisignIntermediateCA -file IntermediateCA.pem -keystore identity.jks -trustcacerts

Import the public key into your keystore. It will go on the same alias as the private key:

keytool -import -alias mykey -file public.pem -keystore identity.jks -trustcacerts


Now the identity keystore is configured.

Let's create trust.jks now:

Note: the trust keystore contains only the root certificates. cacerts is the standard Java trust store, and its default password is changeit.

Below is the command to import the root certificate of your signing authority into trust.jks.

keytool -import -alias verisignCA -file rootCA.pem -keystore trust.jks -trustcacerts


Configure WLS to use your keystore (one way SSL only)

From the Admin console, go to your server page, and in the Keystores & SSL tab choose:

Custom Identity and Custom Trust
Custom Identity
Custom Identity Key Store File Name: identity.jks
Custom Identity Key Store Type: jks
Custom Identity Key Store Pass Phrase: password
Confirm Custom Identity Key Store Pass Phrase: password

Custom Trust
Custom Trust Key Store File Name: trust.jks
Custom Trust Key Store Type: jks
Custom Trust Key Store Pass Phrase: password
Confirm Custom Trust Key Store Pass Phrase: password

Private Key Alias: mykey
Passphrase: password (Note: this is the private key password)
Confirm Passphrase: password

Ensure that SSL Listen Port Enabled is selected, then restart your server.

<19 jun. 2010 10 h 39 CET> <Debug> <TLS> <000000> <SSLManager.getServerCertificate()>
<19 jun. 2010 10 h 39 CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias mykey from the jks keystore file C:\bea\user_projects\domains\test_domain.>
<19 jun. 2010 10 h 39 CET> <Notice> <WebLogicServer> <BEA-000298> <Certificate expires in 14 days: [
Version: V3
Subject: CN=CertServer, OU=BEASystems, O=BEA, L=Bangalore, ST=Karnataka, C=IN
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Validity: [From: Fri Jun 19 01:00:00 CET 2010,
To: Sat Jan 03 00:59:59 CET 2004]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"

SerialNumber: [    0ed7bf9a 778fd148 175bac0b e1d3627d]

Certificate Extensions: 5
[1]: ObjectId: Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 3B 30 39 30 37 A0 35   A0 33 86 31 68 74 74 70  .;0907.5.3.1http
0010: 3A 2F 2F 63 72 6C 2E 76   65 72 69 73 69 67 6E 2E  ://
0020: 63 6F 6D 2F 53 65 63 75   72 65 53 65 72 76 65 72  com/SecureServer
0030: 54 65 73 74 69 6E 67 43   41 2E 63 72 6C           TestingCA.crl

[2]: ObjectId: Criticality=false
ExtendedKeyUsages [

[3]: ObjectId: Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.21]
[PolicyQualifierInfo: [
0000: 16 2A 68 74 74 70 3A 2F   2F 77 77 77 2E 76 65 72  .*http://www.ver
0010: 69 73 69 67 6E 2E 63 6F   6D 2F 72 65 70 6F 73 69
0020: 74 6F 72 79 2F 54 65 73   74 43 50 53              tory/TestCPS

]]  ]

[4]: ObjectId: Criticality=false
KeyUsage [

[5]: ObjectId: Criticality=false
PathLen: undefined

Algorithm: [SHA1withRSA]
0000: 08 3A F5 EC EE 10 AD 9C   3C D7 94 5A 84 9C 34 F2  .:......<..Z..4.
0010: 61 70 30 45 AF 99 03 79   AF 47 D9 A0 62 20 A6 D3  ap0E...y.G..b ..
0020: C1 21 98 59 A3 3D 6D 8F   E9 58 71 CE 87 FE AB 8A  .!.Y.=m..Xq.....
0030: 99 D8 F5 71 DE 44 55 2E   BB EB 86 15 C0 31 BF 25  ...q.DU......1.%

<19 jun. 2010 10 h 39 CET> <Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan set to 500 uses.>
<19 jun. 2010 10 h 39 CET> <Info> <WebLogicServer> <BEA-000308> <Using full strength (domestic) SSL.>
<19 jun. 2010 10 h 39 CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea\user_projects\domains\test_domain.>
<19 jun. 2010 10 h 39 CET> <Debug> <TLS> <000000> <Trusted CA: [
Version: V1
Subject: OU=For VeriSign authorized testing only. No assurances (C)VS1997, Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Validity: [From: Sun Jun 07 02:00:00 CEST 1998,
To: Wed Jun 07 01:59:59 CEST 2006]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"

SerialNumber: [    52a9f424 da674c9d af4f5378 52abef6e]

Algorithm: [MD5withRSA]
0000: A5 A7 47 F2 8F 37 10 A0   96 94 CF E6 7C DB A3 E4  ..G..7..........
0010: 02 22 49 AC 08 F8 D3 08   C9 EF 9B B2 9C C0 32 60  ."I...........2`
0020: B9 A1 30 92 88 B5 80 14   98 F5 B8 89 A7 DA 0A F9  ..0.............
0030: CB F5 62 7D CA B9 53 3E   62 9B 5C 59 72 DF C7 12  ..b...S>b.\Yr...

<19 jun. 2010 10 h 39 CET> <Debug> <TLS> <000000> <SSLManager: loaded 1 trusted CAs from C:\bea\user_projects\domains\test_domain>
<19 jun. 2010 10 h 39 CET> <Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan set to 500 uses.>
<19 jun. 2010 10 h 39 CET> <Info> <WebLogicServer> <BEA-000300> <Certificate contents: 2 certificate(s):
fingerprint = 68dd50d604d078d8da79c2b93a6d9886, not before = Fri Jun 19 01:00:00 CET 2010, not after = Sat Jan 03 00:59:59 CET 2004, holder = C=IN SP=Karnataka L=Bangalore O=BEA OU=BEASystems CN=CertServer , issuer = O=VeriSign, Inc OU=For VeriSign authorized testing only. No assurances (C)VS1997 , key =  modulus length=129 exponent length=3
fingerprint = 40065311fdb33e880a6f7dd14e229187, not before = Sun Jun 07 02:00:00 CEST 1998, not after = Wed Jun 07 01:59:59 CEST 2006, holder = O=VeriSign, Inc OU=For VeriSign authorized testing only. No assurances (C)VS1997 , issuer = O=VeriSign, Inc OU=For VeriSign authorized testing only. No assurances (C)VS1997 , key =  modulus length=65 exponent length=3>

<19 jun. 2010 10 h 39 CET> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>

You are done.

WebLogic is now configured successfully to do one-way SSL (no client authentication).


Below are the detailed steps to create a certificate request and get it signed by a third-party signing authority (e.g. VeriSign).


Things we need to know before we start creating certificates:

– keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. keytool stores the keys and certificates in a so-called keystore.

– A keystore contains two types of entries:

  1. key entries : Typically, a key stored in this type of entry is a secret key or private key accompanied by the certificate “chain” for the corresponding public key.
  2. trusted certificate entries : each contains a single public key certificate belonging to another party. It is called a “trusted certificate” because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the “subject” (owner) of the certificate. The issuer of the certificate vouches for this, by signing the certificate.

– Keystore Aliases: All keystore entries (key and trusted certificate entries) are accessed via unique aliases. Aliases are case-insensitive; the aliases Hugo and hugo would refer to the same keystore entry. An alias is specified when you add an entity to the keystore using the -genkey command to generate a key pair (public and private key) or the -import command to add a certificate or certificate chain to the list of trusted certificates. Subsequent keytool commands must use this same alias to refer to the entity.

– Option Defaults:

Below are the defaults for various option values.

  • alias “mykey”
  • keyalg “DSA”
  • keysize 1024
  • validity 90
  • keystore the file named .keystore in the user’s home directory
  • file stdin if reading, stdout if writing
  • The signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type “DSA”, the -sigalg option defaults to “SHA1withDSA”, and if the underlying private key is of type “RSA”, -sigalg defaults to “MD5withRSA”.

STEP 1 Adding Data to the Keystore :

keytool -genkey -alias cooldragon -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password

Note :

  1. The above command generates a key pair (a public key and associated private key) and wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by the alias “cooldragon”.
  2. keypass is a password used to protect the private key of the generated key pair. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. The keypass “privatepassword” is the password of the private key referenced by the alias “cooldragon” (you can change this password using the command “keytool -keypasswd -alias cooldragon -keypass privatepassword -new newprivatepassword -keystore identity.jks”).
  3. If you don’t specify a -keystore option in the above command, the default keystore is a file named .keystore in your home directory. If that file does not yet exist, it will be created.
  4. The default keystore type is “jks”.
  5. The default key pair generation algorithm is “DSA”. The -keyalg option can be used to specify a different algorithm. The default key size for any algorithm is 1024 bits.
  6. storepass is the password which is used to protect the integrity of the keystore. It must be at least 6 characters long and must be provided to all commands that access the keystore contents.
  7. dname specifies the X.500 Distinguished Name to be associated with the alias, and is used as the issuer and subject fields in the self-signed certificate (since this parameter is not specified in the above command, keytool will prompt the user for the details).

Type the commands manually at the command prompt; do not copy and paste them, since that often gives errors.

STEP 2 Exporting Data:

keytool -certreq -alias cooldragon -sigalg MD5withRSA -file certreq.pem -keystore identity.jks


  1. The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.
  2. A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
  3. sigalg specifies the algorithm that should be used to sign the request; this algorithm must be compatible with keyalg.
  4. The CSR is stored in the file certreq.pem. If no file is given, the CSR is output to stdout.
  5. Researchers have successfully broken the MD5 algorithm and forged web server credentials. MD5 is no longer considered secure. US-CERT advisory 836068 (issued Dec 31, 2008) makes it plain: ‘Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.’ So it is better to use SHA1withRSA as the sigalg.

STEP 3 Requesting a Signed Certificate from a Certification Authority:

Submit certreq.pem file that we generated to a CA, such as VeriSign, Inc. The CA will authenticate you, the requestor (usually off-line), and then will return a certificate, signed by them, authenticating your public key. (In some cases, they will actually return a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.)

You will get a mail in response.



STEP 4 Importing a Certificate for the CA:

The e-mail provides steps to download the root CA certificate. Click on the link to download it and save the file with a ‘.cer’ extension (rootCA.cer).

The next step is to install the signed certificate, which you can find at the end of the e-mail.

Paste it into Notepad and save it as signedcert.pem (remove any white space present).

Now run the command below:

keytool -import -alias rootca -trustcacerts -file rootCA.cer -keystore trust.jks

It will prompt to trust this certificate. Say “Yes”

So now the root certificate is stored in trust.jks. We now have to import the certificate signed by the CA (signedcert.pem) into our keystore identity.jks, using the commands below:

keytool -import -trustcacerts -alias rootca -file rootCA.cer -keystore identity.jks -storepass password

(not always required) keytool -import -trustcacerts -alias inter -file intercert.cer -keystore identity.jks -storepass password

keytool -import -trustcacerts -alias cooldragon1 -file signedcert.pem -keystore identity.jks -storepass password

It will prompt to trust this certificate. Say “Yes”

Note :

List the keystore using the command below and check its chaining:

keytool -v -list -keystore identity.jks

The chaining can be of 2 types:

root ............... ow = xxx
.................... is = xxx
inter .............. ow = xxx
.................... is = yyy
signedcert ......... ow = yyy
.................... is = ppp

or

signedcert ......... ow = ppp
.................... is = yyy
inter .............. ow = yyy
.................... is = xxx
root ............... ow = xxx
.................... is = xxx

Note : If you get an error message that states “failed to establish chain from reply” then you need to add intermediate CA Certificate to your custom trust keystore.
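As an added example (not from the post), the following Python performs the chaining check just described: it parses the Owner/Issuer lines of a `keytool -v -list` dump and links the reply's certificates by name in either listing order, continuing into the trusted entries the way the note above suggests. The listing and its DNs are constructed, and the check is name linkage only, not signature verification.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `keytool -v -list -keystore identity.jks` output (not
# output from the post; the DNs are placeholders). Only the Owner/Issuer lines
# matter; everything else keytool prints is skipped by the parser.
SAMPLE_LISTING = """\
Alias name: cooldragon
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test, OU=wls, O=BEA, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=Example Intermediate CA, O=Example CA Ltd
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Ltd
Issuer: CN=Example Root CA, O=Example CA Ltd

*******************************************

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA Ltd
Issuer: CN=Example Root CA, O=Example CA Ltd
"""

Cert = Tuple[str, str]  # (Owner DN, Issuer DN) as keytool prints them


def parse_listing(text: str) -> Dict[str, List[Cert]]:
    """Map every alias in a keytool -v -list dump to its (Owner, Issuer) pairs."""
    entries: Dict[str, List[Cert]] = {}
    alias: Optional[str] = None
    owner: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = []
        elif line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and alias is not None and owner is not None:
            entries[alias].append((owner, line.split(":", 1)[1].strip()))
            owner = None
    return entries


def build_chain(reply: List[Cert], trusted: List[Cert]) -> Tuple[bool, List[str], Optional[str]]:
    """Link the reply's certificates Owner -> Issuer, in whichever order keytool
    lists them, then continue through the trusted entries until a self-signed root.
    Returns (complete, Owner DNs from end entity to root, DN nothing was found for).
    Name linkage only: signatures are not verified here."""
    by_owner = {o: i for o, i in reply}
    trusted_by_owner = {o: i for o, i in trusted}
    # The end-entity certificate is the one that issued none of the other reply certs.
    leaves = [o for o, _ in reply if not any(i == o and o2 != o for o2, i in reply)]
    if len(leaves) != 1:
        return False, [], None
    chain: List[str] = []
    subject = leaves[0]
    while subject not in chain:
        issuer = by_owner.get(subject, trusted_by_owner.get(subject))
        if issuer is None:
            # No certificate for this DN in the reply or the trusted entries: this
            # is the situation keytool reports as "failed to establish chain from reply".
            return False, chain, subject
        chain.append(subject)
        if issuer == subject:
            return True, chain, None  # reached a self-signed root
        subject = issuer
    return False, chain, subject  # issuer loop that never reaches a root
```

Feed it the real `keytool -v -list` output of identity.jks (reply) and trust.jks (trusted); a `False` result names the issuer DN whose certificate still has to be imported.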

So the files that we have created so far are (make sure these are in your domain directory, though this is not a must):

  • certreq.pem
  • rootCA.cer
  • identity.jks
  • signedcert.pem
  • trust.jks

Settings that need to be done in the browser (I have used Chrome here):

  • Open a Google Chrome Browser.
  • Go to “Customize and control Google Chrome” > Options > Under the Hood > Manage certificates
  • Click Import. A certificate manager Import Wizard will appear. Click Next.
  • Browse to the location of the recently stored root (done in step 2). Select ALL files for file type.
  • Select the certificate and click Open.
  • Click Next.
  • Select “Automatically select the certificate store based on the type of the certificate”. Click Ok.
  • Click Next then Finish.
  • When prompted and asked if you wish to add the following certificate to the root store, click Yes.

Now start weblogic server and configure SSL

<Additional Information>

– You need to replace your self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a “root” CA.

– Before you import the certificate reply from a CA, you need one or more “trusted certificates” in your keystore or in the cacerts keystore file.

– The “cacerts” keystore file ships with five VeriSign root CA certificates, so you probably won’t need to import a VeriSign certificate as a trusted certificate in your keystore. But if you request a signed certificate from a different CA, and a certificate authenticating that CA’s public key hasn’t been added to “cacerts”, you will need to import a certificate from the CA as a “trusted certificate”.

– Be very careful to ensure the certificate is valid prior to importing it as a “trusted” certificate! View it first (using the keytool -printcert command, or the keytool -import command without the -noprompt option), and make sure that the displayed certificate fingerprint(s) match the expected ones.

Verisign signing steps :

Link :



  1. One common error we make is:

    When we run the command: keytool -genkey -alias cooldragon -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password

    It would ask us to enter the First and Last name, O, Country etc.

    If there is a space between the First and Last name, the CSR generated by keytool will be rejected by VeriSign.

    Not sure why.!!


    Comment by streethawkz — June 8, 2010 @ 8:30 pm

  2. While using the command below: keytool -import -trustcacerts -alias cooldragon1 -file signedcert.pem -keystore identity.jks -storepass password

    to import a signed certificate (from VeriSign) into our identity.jks.

    If the alias name is the same name as given while creating the CSR then we get the following error:

    “failed to establish chain from reply”

    …!!!! Reason being that the same alias name is used..!!! Confusing..!!!

    Just try a different alias name and it works..!! 🙂

    Comment by streethawkz — June 8, 2010 @ 8:34 pm

  3. Common Name: The Common Name is the Host + Domain Name. It looks like “” or “”.

    VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment.

    For example, a certificate for the domain “” will receive a warning if accessing a site named “” or “”, because “” and “” are different from “”.

    Comment by streethawkz — June 25, 2010 @ 11:39 am

  4. […] Link : […]

    Pingback by Steps to configure ” Custom Identity and Custom Trust ” on WLS « It's all about Weblogic..!! — January 15, 2011 @ 2:03 am

  6. I just want to say I’m beginner to blogging and site-building and truly enjoyed this blog. More than likely I’m want to bookmark your website . You definitely come with fantastic articles. Kudos for sharing with us your web page.

    Comment by Arlinda Loewenstein — March 1, 2011 @ 7:47 pm

  7. Thanks.. 🙂

    Stay tuned for more….

    — Puneeth

    Comment by streethawkz — May 24, 2011 @ 7:42 am

  8. Thanks so much for the guide!
    found a little bit of a TYPO:

    keytool -import -alias verisignCA -file rootCA.pem -keystore trust -trustcacerts

    should be (i think)

    keytool -import -alias verisignCA -file rootCA.pem -keystore trust.jks -trustcacerts

    Comment by trust.jks — November 12, 2011 @ 2:27 am

  9. I love reading through a post that will make people think.
    Also, thank you for allowing me to comment!

    Comment by Site here — June 4, 2013 @ 9:50 am

  10. Thanks on your marvelous posting! I really enjoyed reading it,
    you will be a great author. I will be sure to bookmark your blog and will eventually come back in the
    future. I want to encourage you to continue your great writing, have a
    nice evening!

    Comment by diet regime — July 1, 2013 @ 11:56 am

  11. I was suggested this website through my cousin. I’m not positive whether or not this publish is written by way of him as no one else recognise such exact approximately my problem. You are amazing! Thanks!

    Comment by www.walkerhomedesign.Com — July 25, 2013 @ 9:40 pm

  12. Thanks for sharing your thoughts on wireless internet nanny cam.


    Comment by — August 4, 2013 @ 7:44 am

  13. In this link I also found a way to do it, but I think it’s the same method

    Comment by Angelo — December 19, 2013 @ 5:56 pm

  14. Pensiuni Slanic Prahova

    Hmm is anyone else encountering problems with the images on this blog loading?
    I’m trying to figure out if its a problem on my end or
    if it’s the blog. Any suggestions would be greatly appreciated.

    Comment by Hotel Bucuresti Sector 5 — June 19, 2014 @ 8:53 am

  15. Hi. Can i Share Steps to create a csr using keytool and sign with verisign to my Facebook

    Comment by Chestionare Auto — November 1, 2014 @ 3:34 pm

  16. Yes! Finally someone writes about a.

    Comment by aaa — January 12, 2015 @ 8:06 pm
