In this first of three posting series, we will outline steps to install SSL certificates on weblogic 11g server so that it can service SSL requests from client webservers such as IIS and Apache.

In this first part, we will show how to create java keystores on Weblogic 11g server. In the second part, we will show how to configure your weblogic server to use the keystores to make it ready for SSL. We will show how to configure IIS 6.0 to communicate with Weblogic 11g through SSL.

Follow these steps on each managed servers in the cluster that will be servicing SSL requests.

1. Create a custom identity key store

First create a Java keystore to hold signed certificate of the server.

keytool -genkey -alias give alias name here -keyalg RSA -keysize 2048 -keystore keystore file path

keytool -genkey -alias wlpdomain -keyalg RSA -keysize 2048 -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks

Provide CN, OU, O, City, Province and Country information along with keystore password.

2. Create a Certificate Signing Request (CSR)

Create a Certificate Signing Request (CSR) using java keytool that comes along with JDK 1.6.x packaged with Weblogic 11g.

keytool -certreq -alias give alias name here -keystore keystore file path -file put file name for the csr


keytool -certreq -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -file managed_server1.csr

Provide the password of the keystore at the prompt. Remember to use the same alias as you used to create the keystore.

3. Get signed certificate

Send the CSR file managed_server1.csr to Certficate Signing Authority such as Verisign, Entrust to get a Signed Certificate. You should also receive a Root/Chain CA along with the signed certificate.

4. Import the Certificate into the keystore

First import the root/chain certificate provided by the Certificate Signing Authority.

keytool -import -alias alias name -keystore keystore file path -trustcacerts -file root cartificate file path


keytool -import -alias root_ca -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file entrust_l1c_certificate.cer

Import the Signed certificate with the same alias name which have been used during creation of csr or keystore.

keytool -import -alias alias name here -keystore keystore file path -trustcacerts -file signed certificate from CA


keytool -import -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file managed_server1_signed.cer

5. Create a custom trust store and import the Root CA

Now create another keystore for the trust certificates. Import the root CA that you received in step 3 into a custom trust store

keytool -import -file root CA file path -alias alias name -keystore keystore file path


keytool -import -file entrust_l1c_certificate.cer -alias trustCA -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainTrust.jks

Provide a password at the prompt for the key store.

At this point you should see two keystores created on your filesystem. If you are following above example, you should be seeing following files at this location



We will use these files to configure SSL and keystores on the weblogic domain.

Newsletter Signup

Newsletter Signup

Subscribe to our newsletter to stay up to date on the latest tech insights and to learn more about Incepta Solutions!

Thank you for subscribing to our newsletter! (If you do not receive an email, please check your spam/junk folders)

Pin It on Pinterest