Tuesday, November 23, 2021

SSL certificate on OCI load balancer


Hi. In this post we go through implementing SSL for a Load Balancer on OCI for EBS R12.2.9.
To achieve this we need an SSL certificate from a CA and a private key.

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

Major Steps:
- Create keystores
- Generate CSR
- Purchase certificate from CA
- Import (root, server, intermediate) certificates into the keystores
- Generate private key
- Upload to the load balancer

================================================================================================================
Steps to configure SSL for a private load balancer (less detailed):

1. Create keystore.jks with information:
[applmgr@ebsprodapp3 ~]$ $ADJVAPRG -version
java version "1.7.0_321"
Java(TM) SE Runtime Environment (build 1.7.0_321-b08)
Java HotSpot(TM) Server VM (build 24.321-b08, mixed mode)
[applmgr@ebsprodapp3 ~]$ 
[applmgr@ebsprodapp3 ~]$ export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
[applmgr@ebsprodapp3 ~]$ . $FMW_HOME/user_projects/domains/EBS_domain/bin/setDomainEnv.sh
[applmgr@ebsprodapp3 EBS_domain]$ java weblogic.version

WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
[applmgr@ebsprodapp3 ~]$
[applmgr@ebsprodapp3 ~]$ cd $FMW_HOME/user_projects/domains/EBS_domain/bin
[applmgr@ebsprodapp3 bin]$ ./setDomainEnv.sh
[applmgr@ebsprodapp3 bin]$ mkdir -p $FMW_HOME/keystores
[applmgr@ebsprodapp3 bin]$ cd $FMW_HOME
[applmgr@ebsprodapp3 FMW_Home]$ chmod -R 777 keystores
[applmgr@ebsprodapp3 FMW_Home]$ cd keystores/

[applmgr@ebsprodapp3 keystores]$ keytool -genkey -alias prod_prv_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=ebsprodapp.areefdba.com.sa,O=Areef DBA Company,OU=Information Technology,L=Riyadh,ST=Riyadh,C=Saudi Arabia" -keypass welcome1 -keystore keystore.jks -storepass welcome1

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 8
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 16
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$

2. Create the CSR file from the keystore information:
[applmgr@ebsprodapp3 keystores]$ keytool -certreq -v -alias prod_prv_cert -file ebsprodapp.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore keystore.jks
Certification request stored in file <ebsprodapp.csr>
Submit this to your CA

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 24
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$

3. Submit the generated .csr file to any CA (GoDaddy) and get the certificates:
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 32
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$ unzip ebsprodapp.areefdba.com.sa_\(New\).zip
Archive:  ebsprodapp.areefdba.com.sa_(New).zip
  inflating: gd_bundle-g2-g1.crt
  inflating: 8e498f4d9946440b.crt
  inflating: 8e498f4d9946440b.pem
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 56
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$

4. Import the root certificate downloaded from GoDaddy:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
Certificate was added to keystore
[Storing keystore.jks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp2

Verify the information in keystore.jks; you should see rootcacert:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1

5. Now import the actual certificate for the hostname. The import gives an error because the GoDaddy root intermediate certificate is missing:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
        at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3662)
        at sun.security.tools.KeyTool.installReply(KeyTool.java:2847)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:1089)
        at sun.security.tools.KeyTool.run(KeyTool.java:374)
        at sun.security.tools.KeyTool.main(KeyTool.java:367)
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$

Download gdroot-g2.crt from the GoDaddy repository:
[applmgr@ebsprodapp3 keystores]$ cp /u02/ftp//gdroot-g2.crt .
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr gdroot-g2.crt
total 72
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -importcert -alias intermediate -file gdroot-g2.crt -keystore keystore.jks
Enter keystore password: welcome1

Trust this certificate? [no]:  yes
Certificate was added to keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1

6. Now import the actual certificate:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
Certificate reply was installed in keystore
[Storing keystore.jks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp3

Verify the information in keystore.jks; you should see the actual certificate entries:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1

7. Create the private key and PFX for the certificates and upload them to the OCI Load Balancer:
[applmgr@ebsprodapp3 keystores]$ keytool -importkeystore -srckeystore keystore.jks -srcstorepass welcome1 -srckeypass welcome1 -srcalias prod_prv_cert -destalias prod_prv_cert -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass welcome1 -destkeypass welcome1
Importing keystore keystore.jks to keystore.p12...
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 88
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out private_key1.pem
Enter Import Password: welcome1
MAC verified OK
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -inkey private_key1.pem -in 8e498f4d9946440b.crt -export -out aljom_pfx.pfx
Enter Export Password: welcome1
Verifying - Enter Export Password: welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 104
-rw-r--r--. 1 applmgr oinstall 1854 Nov 23 11:19 private_key1.pem
-rw-r--r--. 1 applmgr oinstall 3341 Nov 23 11:19 aljom_pfx.pfx
[applmgr@ebsprodapp3 keystores]$
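
The checks behind steps 5 to 7, as an added example that is not part of the original post: it builds a constructed root, issuing CA and server certificate with openssl, shows the chain failing while the root is absent (the step 5 situation) and passing once it is supplied, and confirms that the private key matches the certificate and is not group- or world-readable before anything is uploaded. All file names, subject names and function names are assumptions made for the demonstration.

```bash
#!/bin/sh
# Added example: every key and certificate is constructed in a temporary
# directory; none of the names below come from the original post.

# Create a throwaway root -> issuing CA -> server chain inside directory $1.
make_demo_pki() (
    cd "$1" || exit 1
    umask 077   # new files are owner-only, unlike the 0644 files in the listings
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > demo.cnf
    {
        openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 \
            -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
            -keyout root.key -out root.crt &&
        openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=Demo Issuing CA" -keyout inter.key -out inter.csr &&
        openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -sha256 -days 2 -extfile demo.cnf \
            -extensions v3_ca -out inter.crt &&
        openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=ebs.example.test" -keyout server.key -out server.csr &&
        openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
            -CAcreateserial -sha256 -days 2 -out server.crt &&
        openssl genrsa -out unrelated.key 2048
    } >/dev/null 2>&1
)

# Succeeds when certificate $1 chains up to a self-signed root using the CA
# certificates in PEM bundle $2.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds when the public key in certificate $2 is the one derived from the
# private key $1, i.e. the pair is safe to upload together.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# Succeeds only when no group or other permission bit is set on file $1.
is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Print "ok" or "fail" for the command passed as arguments.
verdict() { if "$@"; then printf ok; else printf fail; fi; }

run_demo() (
    d=$(mktemp -d) || exit 1
    make_demo_pki "$d" || { rm -rf "$d"; exit 1; }

    # Bundle holding the issuing CA and its root, the state reached in step 6.
    cat "$d/inter.crt" "$d/root.crt" > "$d/ca_bundle.crt"

    # A copy of the key with the permissions shown in the post's listing.
    cp "$d/server.key" "$d/loose.key" && chmod 644 "$d/loose.key"

    printf 'issuer_only=%s full_bundle=%s own_key=%s other_key=%s key_0600=%s key_0644=%s\n' \
        "$(verdict chain_verifies "$d/server.crt" "$d/inter.crt")" \
        "$(verdict chain_verifies "$d/server.crt" "$d/ca_bundle.crt")" \
        "$(verdict key_matches_cert "$d/server.key" "$d/server.crt")" \
        "$(verdict key_matches_cert "$d/unrelated.key" "$d/server.crt")" \
        "$(verdict is_private "$d/server.key")" \
        "$(verdict is_private "$d/loose.key")"
    rm -rf "$d"
)

run_demo
```

Against the files from the post, the same functions take `private_key1.pem`, `8e498f4d9946440b.crt` and a bundle made from `gd_bundle-g2-g1.crt` plus `gdroot-g2.crt`; `is_private` fails for `private_key1.pem` with the `-rw-r--r--` mode shown in the listing.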


================================================================================================================
Steps to configure SSL for a private load balancer (with full detailed outputs):

1. Create keystore.jks with information:   
[applmgr@ebsprodapp3 ~]$ $ADJVAPRG -version
java version "1.7.0_321"
Java(TM) SE Runtime Environment (build 1.7.0_321-b08)
Java HotSpot(TM) Server VM (build 24.321-b08, mixed mode)
[applmgr@ebsprodapp3 ~]$ 
[applmgr@ebsprodapp3 ~]$ 
[applmgr@ebsprodapp3 ~]$ export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
[applmgr@ebsprodapp3 ~]$ cd $FMW_HOME/user_projects/domains/EBS_domain/bin
[applmgr@ebsprodapp3 bin]$ ./setDomainEnv.sh
[applmgr@ebsprodapp3 bin]$ mkdir -p $FMW_HOME/keystores
[applmgr@ebsprodapp3 bin]$ cd $FMW_HOME
[applmgr@ebsprodapp3 FMW_Home]$ chmod -R 777 keystores
[applmgr@ebsprodapp3 FMW_Home]$ cd keystores/

[applmgr@ebsprodapp3 keystores]$ keytool -genkey -alias prod_prv_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=ebsprodapp.areefdba.com.sa,O=Areef DBA Company,OU=Information Technology,L=Riyadh,ST=Riyadh,C=Saudi Arabia" -keypass welcome1 -keystore keystore.jks -storepass welcome1

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 8
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
         SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
         SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50   3B FD 0B 9D 53 DF 62 BE  ?....d.P;...S.b.
0010: 6A 74 1A 65                                        jt.e
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 16
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
[applmgr@ebsprodapp3 keystores]$

2. Create the CSR file from the keystore information:
[applmgr@ebsprodapp3 keystores]$ keytool -certreq -v -alias prod_prv_cert -file ebsprodapp.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore keystore.jks
Certification request stored in file <ebsprodapp.csr>
Submit this to your CA

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 24
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
[applmgr@ebsprodapp3 keystores]$

3. Submit the generated .csr file to any CA (GoDaddy) and get the certificates:
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 32
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$ unzip ebsprodapp.areefdba.com.sa_\(New\).zip
Archive:  ebsprodapp.areefdba.com.sa_(New).zip
  inflating: gd_bundle-g2-g1.crt
  inflating: 8e498f4d9946440b.crt
  inflating: 8e498f4d9946440b.pem
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 56
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:21 keystore.jks
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
[applmgr@ebsprodapp3 keystores]$

4. Import the root certificate downloaded from GoDaddy:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file gd_bundle-g2-g1.crt -keystore keystore.jks -storepass welcome1
Certificate was added to keystore
[Storing keystore.jks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$ 
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp2

Verify the information in keystore.jks; you should see rootcacert:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
         SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
         SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]



*******************************************
*******************************************


Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
         SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
         SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50   3B FD 0B 9D 53 DF 62 BE  ?....d.P;...S.b.
0010: 6A 74 1A 65                                        jt.e
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$

5. Now import the actual certificate for the hostname. The import gives an error because the GoDaddy root intermediate certificate is missing:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
        at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3662)
        at sun.security.tools.KeyTool.installReply(KeyTool.java:2847)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:1089)
        at sun.security.tools.KeyTool.run(KeyTool.java:374)
        at sun.security.tools.KeyTool.main(KeyTool.java:367)
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$

Download gdroot-g2.crt from the GoDaddy repository:
[applmgr@ebsprodapp3 keystores]$ cp /u02/ftp/gdroot-g2.crt .
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 72
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:08 keystore.jks
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -importcert -alias intermediate -file gdroot-g2.crt -keystore keystore.jks
Enter keystore password: welcome1
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
         SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
         SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
         SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
         SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]



*******************************************
*******************************************


Alias name: prod_prv_cert
Creation date: Nov 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Issuer: CN=ebsprodapp.areefdba.com.sa, O=Areef DBA Company, OU=Information Technology, L=Riyadh, ST=Riyadh, C=Saudi Arabia
Serial number: 700c4f2f
Valid from: Tue Nov 23 09:21:13 AST 2021 until: Mon Feb 21 09:21:13 AST 2022
Certificate fingerprints:
         SHA1: DE:D9:4A:1B:C8:47:AD:DC:9C:DF:97:CA:21:A0:B1:F8:05:4F:0D:02
         SHA256: 3C:8E:D1:DE:13:E5:F8:B2:F2:71:54:0E:3B:D7:B4:55:79:29:48:02:0A:7A:3E:00:B9:9E:14:D3:54:74:47:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50   3B FD 0B 9D 53 DF 62 BE  ?....d.P;...S.b.
0010: 6A 74 1A 65                                        jt.e
]
]



*******************************************
*******************************************


Alias name: intermediate
Creation date: Nov 23, 2021
Entry type: trustedCertEntry

Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
         SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
         SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$

6. Now import the actual certificate:
[applmgr@ebsprodapp3 keystores]$ keytool -import -v -alias prod_prv_cert -file 8e498f4d9946440b.crt -keystore keystore.jks -keypass welcome1 -storepass welcome1
Certificate reply was installed in keystore
[Storing keystore.jks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ cp keystore.jks keystore.jks_bkp3

Verify the information in keystore.jks; you should see the actual certificate entries:
[applmgr@ebsprodapp3 keystores]$ keytool -list -v -keystore keystore.jks -storepass welcome1
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: rootcacert
Creation date: Nov 23, 2021
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
         SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
         SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]



*******************************************
*******************************************


Alias name: intermediate
Creation date: Nov 23, 2021
Entry type: trustedCertEntry

Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
         SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
         SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]



*******************************************
*******************************************


Certificate[1]:
Owner: CN=ebsprodapp.areefdba.com.sa
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 8e498f4d9946440b
Valid from: Tue Nov 23 09:37:41 AST 2021 until: Fri Feb 04 14:52:27 AST 2022
Certificate fingerprints:
         SHA1: 67:AA:62:56:F2:45:A0:56:5B:32:79:E3:E9:E7:77:5E:1B:88:0C:DE
         SHA256: 10:91:53:E4:8A:6A:1A:63:30:FD:B5:B7:E1:BC:23:92:FC:CC:1E:C6:D7:31:1F:3E:D1:7F:E3:9F:4D:5B:E2:D0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
,
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s1-3528.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ebsprodapp.areefdba.com.sa
  DNSName: www.ebsprodapp.areefdba.com.sa
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F BB C8 DD 17 64 BC 50   3B FD 0B 9D 53 DF 62 BE  ?....d.P;...S.b.
0010: 6A 74 1A 65                                        jt.e
]
]

Certificate[2]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 10:00:00 AST 2011 until: Sat May 03 10:00:00 AST 2031
Certificate fingerprints:
         SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
         SHA256: 97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  .%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F                               sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

Certificate[3]:
Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Tue Sep 01 03:00:00 AST 2009 until: Fri Jan 01 02:59:59 AST 2038
Certificate fingerprints:
         SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
         SHA256: 45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks  -destkeystore keystore.jks -deststoretype pkcs12".
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$

7. Export the private key for the certificate and upload it to the OCI Load Balancer:
[applmgr@ebsprodapp3 keystores]$ keytool -importkeystore -srckeystore keystore.jks -srcstorepass welcome1 -srckeypass welcome1 -srcalias prod_prv_cert -destalias prod_prv_cert -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass welcome1 -destkeypass welcome1
Importing keystore keystore.jks to keystore.p12...
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 88
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:03 keystore.jks
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:11 keystore.jks_bkp3
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out private_key1.pem
Enter Import Password: welcome1
MAC verified OK
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ openssl pkcs12 -inkey private_key1.pem -in 8e498f4d9946440b.crt -export -out aljom_pfx.pfx
Enter Export Password: welcome1
Verifying - Enter Export Password: welcome1
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$
[applmgr@ebsprodapp3 keystores]$ ls -ltr
total 104
-rw-r--r--. 1 applmgr oinstall 4795 Nov 22 23:40 gd_bundle-g2-g1.crt
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.pem
-rw-r--r--. 1 applmgr oinstall 2411 Nov 22 23:40 8e498f4d9946440b.crt
-rw-r--r--. 1 applmgr oinstall 2372 Nov 23 09:22 keystore.jks_bkp1
-rw-r--r--. 1 applmgr oinstall 1165 Nov 23 09:23 ebsprodapp.csr
-rw-r--r--. 1 applmgr oinstall 6788 Nov 23 09:45 ebsprodapp.areefdba.com.sa_(New).zip
-rw-r--r--. 1 applmgr oinstall 3643 Nov 23 10:25 keystore.jks_bkp2
-rw-r--r--. 1 applmgr oinstall 1367 Nov 23 10:56 gdroot-g2.crt
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:03 keystore.jks
-rw-r--r--. 1 applmgr oinstall 7602 Nov 23 11:11 keystore.jks_bkp3
-rw-r--r--. 1 applmgr oinstall 6391 Nov 23 11:16 keystore.p12
-rw-r--r--. 1 applmgr oinstall 1854 Nov 23 11:19 private_key1.pem
-rw-r--r--. 1 applmgr oinstall 3341 Nov 23 11:19 aljom_pfx.pfx
[applmgr@ebsprodapp3 keystores]$

Add the new certificates and private key to the OCI load balancer in one upload:
1. Attach the actual hostname certificate downloaded from GoDaddy.
2. Attach the GoDaddy root certificate.
3. Attach the generated private key.
4. Modify Listener Parameters -> Edit -> Certificate Name (select the created certificate).
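
Checks worth running on the step 7 files before the upload, as an added example that is not part of the original post: confirm the exported key belongs to the issued certificate, that the key file is not readable by group or other (the listing above shows private_key1.pem as -rw-r--r--), and that the certificate is not about to expire. The function names and the throwaway self-signed pair are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for an exported key and its certificate.

# PEM public key derived from a private key / contained in a certificate.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# 0 if the key belongs to the certificate, 1 if not, 2 if a file cannot be parsed.
key_matches_cert() {
  local k c
  k=$(pubkey_of_key "$1") || return 2
  c=$(pubkey_of_cert "$2") || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 only if group and other have no access to the key file (e.g. mode 0600).
key_is_private() {
  [ -f "$1" ] || return 2
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks, print one line per finding, return 0 only if all pass.
preflight() {
  local key="$1" cert="$2" days="${3:-30}" rc=0
  key_matches_cert "$key" "$cert" || { echo "FAIL: key does not match certificate"; rc=1; }
  key_is_private "$key" || { echo "FAIL: key file readable by group/other"; rc=1; }
  cert_valid_for_days "$cert" "$days" || { echo "FAIL: certificate expires within $days days"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $key matches $cert"
  return "$rc"
}

# Constructed sample data: throwaway self-signed pair plus an unrelated key.
make_demo_pair() {
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=demo.example.test" \
      -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null )
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" && preflight "$demo_dir/key.pem" "$demo_dir/cert.pem" 30
```

On the files from this post the call would be `preflight private_key1.pem 8e498f4d9946440b.crt`; running `chmod 600 private_key1.pem` clears the permission finding.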

Thanks for Reading


Regards,
Mohammed Areefuddin.
