Replace Demonstration CA Signed Certificates

Oracle strongly recommends using third-party Certificate Authority (CA) signed certificates or domain CA signed certificates when you deploy applications to a production environment. By default, any certificate created using the OPSS keystore service in the domain is signed by the demonstration CA.

Note:

These demonstration certificates should not be used in a production environment. The private key of the demonstration certificate is available to all installations of WebLogic Server, so each installation can generate a demonstration CA signed certificate using the same key. Hence, you cannot trust these certificates.

For more details, see here.

Replacing Demo CA Certificates With Domain CA Signed Certificates

A domain CA is a self-signed certificate that acts like a CA for a domain. Unlike a demonstration CA, the private key used in a domain CA certificate is unique to each domain, and provides more security.

You can create a domain CA certificate and replace all the demonstration CA certificates in a domain as described in Replacing Demo CA Certificates With Domain CA Signed Certificates.

Alternatively, you can run the helper script custom-keystore.sh, available at ${WORKDIR}/custom-keystore, to configure a custom keystore for Oracle SOA Suite domains. For more details, refer to the README.

Replacing Demo CA Certificates With Third-Party CA Signed Certificates

A third-party CA validates identities and issues certificates. To get the certificate, you must create a Certificate Request and submit it to the CA. The CA authenticates the certificate requestor and creates a digital certificate based on the request. To replace demonstration certificates with third-party CA signed certificates, see Replacing Demo CA Certificates With Third-Party CA Signed Certificates and Configure SSL certificates.