Hi, in this topic we go through implementing SSL for a Load Balancer on OCI for EBS R12.2.9.
To achieve this we need an SSL certificate from a CA and a private key.
Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
Major Steps:
- Create keystores
- Generate CSR
- Purchase certificate from CA
- Import (root, server, intermediate) certificates to keystores
- Generate private key
- Upload on load balancer
================================================================================================================
Steps to configure SSL for the private load balancer (less detailed):
1. Create keystore.jks with information:
[applmgr@ebsprodapp3 ~]$ $ADJVAPRG -version
java version "1.7.0_321"
Java(TM) SE Runtime Environment (build 1.7.0_321-b08)
Java HotSpot(TM) Server VM (build 24.321-b08, mixed mode)
[applmgr@ebsprodapp3 ~]$
[applmgr@ebsprodapp3 ~]$ export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
[applmgr@ebsprodapp3 ~]$ . $FMW_HOME/user_projects/domains/EBS_domain/bin/setDomainEnv.sh
[applmgr@ebsprodapp3 EBS_domain]$ java weblogic.version
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050
[applmgr@ebsprodapp3 ~]$
[applmgr@ebsprodapp3 ~]$ cd $FMW_HOME/user_projects/domains/EBS_domain/bin
[applmgr@ebsprodapp3 bin]$ ./setDomainEnv.sh
[applmgr@ebsprodapp3 bin]$ mkdir -p $FMW_HOME/keystores
[applmgr@ebsprodapp3 bin]$ cd $FMW_HOME
[applmgr@ebsprodapp3 FMW_Home]$ chmod -R 777 keystores
[applmgr@ebsprodapp3 FMW_Home]$ cd keystores/
[applmgr@ebsprodapp3 keystores]$ keytool -genkey -alias prod_prv_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=ebsprodapp.areefdba.com.sa,O=Areef DBA Company,OU=Information Technology,L=Riyadh,ST=Riyadh,C=Saudi Arabia" -keypass welcome1 -keystore keystore.jks -storepass welcome1
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 8
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 16
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$
2. Create CSR file from keystore information:
[applmgr@ebsprodapp3 keystores]$ keytool -certreq -v -alias prod_prv_cert -file ebsprodapp.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore keystore.jks
Certification request stored in file <ebsprodapp.csr>
Submit this to your CA
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 24
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$
3. Submit the generated .csr file to any CA (GoDaddy) and get certificates:
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 32
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$ unzip ebsprodapp.areefdba.com.sa_\(New\).zip
Archive: ebsprodapp.areefdba.com.sa_(New).zip
inflating: gd_bundle-g2-g1.crt
inflating: 8e498f4d9946440b.crt
inflating: 8e498f4d9946440b.pem
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 56
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$
4. Import the root certificate downloaded from GoDaddy:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
Certificate was added to keystore
[Storing keystore.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp2
Verify the information in keystore.jks; you should see rootcacert:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
5. Now import the actual certificate for the hostname. The import gives an error because the GoDaddy root intermediate certificate is missing:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:2847)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1089)
at sun.security.tools.KeyTool.run(KeyTool.java:374)
at sun.security.tools.KeyTool.main(KeyTool.java:367)
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
Download gdroot-g2.crt from the GoDaddy repository:
[applmgr@ebsprodapp3 keystores]$ cp /u02/ftp//gdroot-g2.crt .
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr gdroot-g2.crt
total 72
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -importcert -alias intermediate -file gdroot-g2.crt -keystore keystore.jks
Enter keystore password: welcome1
Trust this certificate?
[no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
6. Now import the actual certificate:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
Certificate reply was installed in keystore
[Storing keystore.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp3
Verify the information in keystore.jks; you should see the actual certificate entries:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
7. Create the private key and PFX for the certificates and upload them to the OCI Load Balancer:
[applmgr@ebsprodapp3 keystores]$ keytool -importkeystore -srckeystore keystore.jks -srcstorepass welcome1 -srckeypass welcome1 -srcalias prod_prv_cert -destalias prod_prv_cert -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass welcome1 -destkeypass welcome1
Importing keystore keystore.jks to keystore.p12...
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 88
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out private_key1.pem
Enter Import Password: welcome1
MAC verified OK
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -inkey private_key1.pem -in 8e498f4d9946440b.crt -export -out aljom_pfx.pfx
Enter Export Password: welcome1
Verifying - Enter Export Password: welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 104
-rw-r--r--. 1 applmgr oinstall 1854 Nov 23 11:19 private_key1.pem
-rw-r--r--. 1 applmgr oinstall 3341 Nov 23 11:19 aljom_pfx.pfx
[applmgr@ebsprodapp3 keystores]$
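Added example (not part of the original post): a small Python audit of `keytool -list -v` output that labels each alias by what it actually holds and models, by DN comparison only, why the step 5 import fails until a self-signed root is present in the keystore. The listings are constructed and abridged from the output shown on this page; the function names are illustrative and no signatures are verified.

```python
"""Audit `keytool -list -v` output (added example, not the author's code)."""

GD = 'O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US'
ROOT_DN = "CN=Go Daddy Root Certificate Authority - G2, " + GD
INTERMEDIATE_DN = ("CN=Go Daddy Secure Certificate Authority - G2, "
                   "OU=http://certs.godaddy.com/repository/, " + GD)
HOST_DN = "CN=ebsprodapp.areefdba.com.sa"

# Constructed sample: the keystore as listed after step 4, abridged to the
# fields the audit reads (fingerprints/extensions dropped, host DN shortened).
LISTING_AFTER_STEP4 = f"""\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: rootcacert
Entry type: trustedCertEntry

Owner: {INTERMEDIATE_DN}
Issuer: {ROOT_DN}

Alias name: prod_prv_cert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: {HOST_DN}
Issuer: {HOST_DN}
"""

# Constructed sample: the entry added by `keytool -importcert -alias intermediate`.
ROOT_ENTRY = f"""
Alias name: intermediate
Entry type: trustedCertEntry

Owner: {ROOT_DN}
Issuer: {ROOT_DN}
"""


def parse_listing(text):
    """Return {alias: {"type": str, "certs": [[owner, issuer], ...]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(": ")
        if key == "Alias name":
            current = entries.setdefault(value, {"type": None, "certs": []})
        elif current is None:
            continue  # keystore header lines before the first alias
        elif key == "Entry type":
            current["type"] = value
        elif key == "Owner":
            current["certs"].append([value, None])
        elif key == "Issuer" and current["certs"]:
            current["certs"][-1][1] = value
    return entries


def describe(entry):
    """Label an entry by its first certificate, not by its alias name."""
    if not entry["certs"]:
        return "no certificate"
    owner, issuer = entry["certs"][0]
    self_signed = owner == issuer
    if entry["type"] == "trustedCertEntry":
        return "root CA" if self_signed else "intermediate CA"
    if entry["type"] == "PrivateKeyEntry":
        return ("private key, self-signed placeholder" if self_signed
                else "private key, CA-issued certificate")
    return "other"


def chains_to_root(reply_issuer, entries):
    """True if trusted entries link reply_issuer up to a self-signed root.

    Simplified, name-based model of the chain building keytool performs when
    installing a certificate reply; real validation also checks signatures.
    """
    trusted = {owner: issuer
               for e in entries.values() if e["type"] == "trustedCertEntry"
               for owner, issuer in e["certs"]}
    seen, subject = set(), reply_issuer
    while subject in trusted and subject not in seen:
        if trusted[subject] == subject:
            return True  # reached a self-signed root
        seen.add(subject)
        subject = trusted[subject]
    return False


def audit(listing, reply_issuer):
    """Return (labels per alias, whether a reply from reply_issuer can chain)."""
    entries = parse_listing(listing)
    return ({alias: describe(e) for alias, e in entries.items()},
            chains_to_root(reply_issuer, entries))


if __name__ == "__main__":
    for name, text in (("after step 4", LISTING_AFTER_STEP4),
                       ("after gdroot-g2.crt import", LISTING_AFTER_STEP4 + ROOT_ENTRY)):
        labels, ok = audit(text, INTERMEDIATE_DN)
        print(name)
        for alias, label in labels.items():
            print(f"  {alias}: {label}")
        print("  CA reply can chain to a root:", ok)
```

Run against the listings on this page, the labels show that the alias `rootcacert` holds the GoDaddy intermediate and the alias `intermediate` holds the self-signed root, so the alias names alone should not be relied on when reviewing the keystore.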
================================================================================================================
Steps to configure SSL for the private load balancer (with full detailed outputs):
1. Create keystore.jks with information:
[applmgr@ebsprodapp3 ~]$ $ADJVAPRG -version
java version "1.7.0_321"
Java(TM) SE Runtime Environment (build 1.7.0_321-b08)
Java HotSpot(TM) Server VM (build 24.321-b08, mixed mode)
[applmgr@ebsprodapp3 ~]$
[applmgr@ebsprodapp3 ~]$
[applmgr@ebsprodapp3 ~]$ export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
[applmgr@ebsprodapp3 ~]$ cd $FMW_HOME/user_projects/domains/EBS_domain/bin
[applmgr@ebsprodapp3 bin]$ ./setDomainEnv.sh
[applmgr@ebsprodapp3 bin]$ mkdir -p $FMW_HOME/keystores
[applmgr@ebsprodapp3 bin]$ cd $FMW_HOME
[applmgr@ebsprodapp3 FMW_Home]$ chmod -R 777 keystores
[applmgr@ebsprodapp3 FMW_Home]$ cd keystores/
[applmgr@ebsprodapp3 keystores]$ keytool -genkey -alias prod_prv_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=ebsprodapp.areefdba.com.sa,O=Areef DBA Company,OU=Information Technology,L=Riyadh,ST=Riyadh,C=Saudi Arabia" -keypass welcome1 -keystore keystore.jks -storepass welcome1
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 8
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50 3B FD 0B 9D 53 DF 62 BE ?....d.P;...S.b.
0010: 6A 74 1A 65 jt.e
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 16
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$
2. Create CSR file from keystore information:
[applmgr@ebsprodapp3 keystores]$ keytool -certreq -v -alias prod_prv_cert -file ebsprodapp.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore keystore.jks
Certification request stored in file <ebsprodapp.csr>
Submit this to your CA
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 24
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$
3. Submit the generated .csr file to any CA (GoDaddy) and get certificates:
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 32
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$ unzip ebsprodapp.areefdba.com.sa_\(New\).zip
Archive: ebsprodapp.areefdba.com.sa_(New).zip
inflating: gd_bundle-g2-g1.crt
inflating: 8e498f4d9946440b.crt
inflating: 8e498f4d9946440b.pem
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 56
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$
4. Import the root certificate downloaded from GoDaddy:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
Certificate was added to keystore
[Storing keystore.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp2
Verify the information in keystore.jks; you should see rootcacert:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 73 3A 2F 2F 63 65 72 74 73 2E .%https://certs.
0010: 67 6F 64 61 64 64 79 2E 63 6F 6D 2F 72 65 70 6F godaddy.com/repo
0020: 73 69 74 6F 72 79 2F sitory/
]] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 @..'..4.0.3..l..
0010: B4 2C 80 CE .,..
]
]
*******************************************
*******************************************
Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50 3B FD 0B 9D 53 DF 62 BE ?....d.P;...S.b.
0010: 6A 74 1A 65 jt.e
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
5. Now import the actual certificate for the hostname. The import gives an error because the GoDaddy root intermediate certificate is missing:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:2847)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1089)
at sun.security.tools.KeyTool.run(KeyTool.java:374)
at sun.security.tools.KeyTool.main(KeyTool.java:367)
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
Download gdroot-g2.crt from the GoDaddy repository:
[applmgr@ebsprodapp3 keystores]$ cp /u02/ftp/gdroot-g2.crt .
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 72
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:08 keystore.jks
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -importcert -alias intermediate -file gdroot-g2.crt -keystore keystore.jks
Enter keystore password: welcome1
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
Trust this certificate?
[no]: yes
Certificate was added to keystore
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 73 3A 2F 2F 63 65 72 74 73 2E .%https://certs.
0010: 67 6F 64 61 64 64 79 2E 63 6F 6D 2F 72 65 70 6F godaddy.com/repo
0020: 73 69 74 6F 72 79 2F sitory/
]] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 @..'..4.0.3..l..
0010: B4 2C 80 CE .,..
]
]
*******************************************
*******************************************
Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50 3B FD 0B 9D 53 DF 62 BE ?....d.P;...S.b.
0010: 6A 74 1A 65 jt.e
]
]
*******************************************
*******************************************
Alias name: intermediate
Creation date: Nov 23, 2021
Entry type: trustedCertEntry
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
6. Now import the actual certificate:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
Certificate reply was installed in keystore
[Storing keystore.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp3
Verify the information in keystore.jks; you should see the actual certificate entries:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 73 3A 2F 2F 63 65 72 74 73 2E .%https://certs.
0010: 67 6F 64 61 64 64 79 2E 63 6F 6D 2F 72 65 70 6F godaddy.com/repo
0020: 73 69 74 6F 72 79 2F sitory/
]] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 @..'..4.0.3..l..
0010: B4 2C 80 CE .,..
]
]
*******************************************
*******************************************
Alias name: intermediate
Creation date: Nov 23, 2021
Entry type: trustedCertEntry
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
*******************************************
*******************************************
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 8e498f4d9946440b
Valid from: Tue Nov 23 09:37:41 AST 2021 until: Fri Feb 04 14:52:27 AST 2022
Certificate fingerprints:
SHA1: 67:AA:62:56:F2:45:A0:56:5B:32:79:E3:E9:E7:77:5E:1B:88:0C:DE
SHA256: 10:91:53:E4:8A:6A:1A:63:30:FD:B5:B7:E1:BC:23:92:FC:CC:1E:C6:D7:31:1F:3E:D1:7F:E3:9F:4D:5B:E2:D0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
,
accessMethod: caIssuers
accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 @..'..4.0.3..l..
0010: B4 2C 80 CE .,..
]
]
#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.godaddy.com/gdig2s1-3528.crl]
]]
#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2B 68 74 74 70 3A 2F 2F 63 65 72 74 69 66 69 .+http://certifi
0010: 63 61 74 65 73 2E 67 6F 64 61 64 64 79 2E 63 6F cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69 74 6F 72 79 2F m/repository/
]] ]
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
]
#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ebsprodapp.areefdba.com.sa
DNSName: www.ebsprodapp.areefdba.com.sa
]
#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50 3B FD 0B 9D 53 DF 62 BE ?....d.P;...S.b.
0010: 6A 74 1A 65 jt.e
]
]
Certificate[2]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 73 3A 2F 2F 63 65 72 74 73 2E .%https://certs.
0010: 67 6F 64 61 64 64 79 2E 63 6F 6D 2F 72 65 70 6F godaddy.com/repo
0020: 73 69 74 6F 72 79 2F sitory/
]] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0 @..'..4.0.3..l..
0010: B4 2C 80 CE .,..
]
]
Certificate[3]:
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6 EF F6 BD 05 41 6E 20 C1 :....g(.....An .
0010: 94 DA 0F DE ....
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
7. Create the private key for the certificate and upload it to the OCI Load Balancer:
[applmgr@ebsprodapp3 keystores]$ keytool -importkeystore -srckeystore keystore.jks -srcstorepass welcome1 -srckeypass welcome1 -srcalias prod_prv_cert -destalias prod_prv_cert -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass welcome1 -destkeypass welcome1
Importing keystore keystore.jks to keystore.p12...
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 88
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:03 keystore.jks
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:11 keystore.jks_bkp3
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out private_key1.pem
Enter Import Password: welcome1
MAC verified OK
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -inkey private_key1.pem -in 8e498f4d9946440b.crt -export -out aljom_pfx.pfx
Enter Export Password: welcome1
Verifying - Enter Export Password: welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 104
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:03 keystore.jks
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:11 keystore.jks_bkp3
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
-rw-r--r--. 1 applmgr oinstall 1854 Nov 23 11:19 private_key1.pem
-rw-r--r--. 1 applmgr oinstall 3341 Nov 23 11:19 aljom_pfx.pfx
[applmgr@ebsprodapp3 keystores]$
Add the new certificate and private key to the OCI load balancer in one upload:
1. Attach the actual hostname certificate downloaded from GoDaddy.
2. Attach the GoDaddy root certificate.
3. Attach the generated private key.
4. Modify Listener Parameters -> Edit -> Certificate Name (select the created certificate).
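In the listing above, private_key1.pem is exported unencrypted (-nodes) and ends up as -rw-r--r--, readable by every local account. The following is an added example, not part of the original post: it exports the key with owner-only permissions and checks that the key belongs to the certificate before both are uploaded. The function names and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): safer key export plus a
# pre-upload check. Function names and the password file are assumptions.

# Export the private key from a PKCS#12 store into a file only its owner can read.
# $1 = .p12 store, $2 = file holding the store password, $3 = output PEM
export_key() (
    umask 077            # new file is created 0600 instead of 0644
    rm -f -- "$3"        # an existing file would keep its old, wider mode
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "file:$2" -out "$3" 2>/dev/null
)

# True when group and others have no permission bits on the key file.
key_is_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True when the key's public half equals the public key inside the certificate.
# Either openssl call failing (missing or unreadable file) counts as a mismatch.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Run both checks before handing the pair to the load balancer.
# $1 = private key PEM, $2 = server certificate
preflight() {
    key_is_owner_only "$1" || { echo "FAIL: $1 is readable by group/others" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not belong to $2" >&2; return 1; }
    echo "OK: $1 matches $2 and is owner-only"
}

# Usage: sh preflight.sh private_key1.pem 8e498f4d9946440b.crt
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Once the load balancer accepts the upload, delete the plaintext PEM from the application tier or move it to a location restricted to the owning account.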
Thanks for Reading
Regards,
Mohammed Areefuddin.