Import Certificate into Identity Store

3.4.3 Import Certificate into Identity Store

This topic provides information to import the certificate into identify store.

Store the certificate obtained from the CA in the previous step, in a file, preferably in PEM format. Other formats like the p7b file format would require conversion to the PEM format. Details on performing the conversion are not listed here.

Note:

Refer to the Oracle WebLogic Server documentation on Securing Oracle WebLogic Server for details on converting a Microsoft p7b file to the PEM format.

The command to be executed for importing a certificate into the identity store depend on whether the trust store chosen (Refer to section Choose the Identity and Trust Stores). It is highly recommended to verify the trust path when importing a certificate into the identity store. The commands provided below assume the use of the Java Standard Trust store.

Import the public certificate into the keystore using the private key alias. Then do the actual import of the certificate:

Sample command:

keytool -importcert -v -alias <alias_name> -file
 <consolidate_certs_file> -keystore <keystore path> -keypass <Password>
 -storepass <Password>

Sample command with values:

keytool -importcert -v -alias whf00pfl.in.example.com -file
 consolidate_cert.pem -keystore whf00pfl_keystore.jks -keypass
 Oracle@123 -storepass Oracle@123

To confirm your keystore is created correctly, you can look at the keystore using the following command:
Sample command:
```
keytool -list -v -keystore <keystore path> -storepass <Password>
```
Sample command with values:
```
keytool -list -v -keystore whf00pfl_keystore.jks -storepass Oracle@123
```

Import the Intermediate CA Certificate

Most Certificate Authorities do not use the root CA certificates to issue identity certificates for use by customers. Instead, Intermediate CAs issue identity certificates in response to the submitted CSRs.

If the Intermediate CA certificate is absent in the Java Standard Trust store, the trust path for the certificate will be incomplete for the certificate, resulting in warnings issued by WebLogic Server during runtime. To avoid this, the intermediate CA certificate should be imported into the identity keystore. Although the intermediate CA certificate can be imported into the Java Standard Trust store, this is not recommended unless the intermediate CA can be trusted. The following command must be executed to import the intermediate CA certificate into the keystore.

keytool -importcert -alias alias -file cert_file -trustcacerts -keystore keystore

Table 3-6 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step.
`certreq_file`	It is the location of the file containing the intermediate CA certificate in a PKCS#7 format (PEM or DER file).
`keystore`	It is the location of the keystore containing the public and private key pair.

The trustcacerts flag is used to consider other certificates (higher intermediaries and the root CA) in the chain of trust. If no chain of trust is established during verification, the certificate will be displayed and one would be prompted to verify it. It is recommended that due diligence be observed, when the prompt is displayed to verify a certificate when a chain of trust is absent.

The sample execution command is listed below:

D:\Sample\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool - importcert -alias verisigntrialintermediateca -file
D:\keystores\VerisignIntermediateCA.cer -trustcacerts -keystore D:\keystoreworkarea\AdminOBSCFKeyStore.jks
Enter keystore password:<Enter the password used to access the keystore>
Certificate was added to keystore

Import the Identity Certificate

The following command should be executed to import the identity certificate into the keystore.

keytool -importcert -alias alias -file cert_file -trustcacerts -keystore keystore

Table 3-7 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step.
`certreq_file`	It is the location of the file containing the PKCS#7 formatted reply from the CA, containing the signed certificate.
`keystore`	It is the location of the keystore containing the public and private key pair.

The trustcacerts flag is used to consider other certificates (intermediate CAs and the root CA) in the chain of trust. If no chain of trust is established during verification, the certificate will be displayed and one would be prompted to verify it. It is recommended that due diligence be observed, when the prompt is displayed to verify a certificate when a chain of trust is absent.

The sample execution command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool - importcert -alias cvrhp0729 -file
D:\keystores\cvrhp0729.cer - trustcacerts -keystore
D:\keystoreworkarea\AdminOBSCFKeyStore.jks
Enter keystore password: <Enter the password used to access the keystore>
Enter key password for <cvrhp0729>: <Enter the password used to access the private key>
Certificate reply was installed in keystore

The previous set of commands assumed the presence of the appropriate root CA certificate (in the chain of trust) in the Java Standard Trust store, i.e. in the cacerts file. If the CA issuing the identity certificate (for the WebLogic Server) does not have the root CA certificate in the Java Standard Trust store, one can opt to import the root CA certificate into cacerts, or into the identity store, depending on factors including trustworthiness of the CA, necessity of transporting the trust store across machine, among others.

Parent topic: Export Private Key as Certificate