Replace Demonstration CA Signed Certificates
Oracle strongly recommends using third-party Certificate Authority (CA) signed certificates or domain CA signed certificates when you deploy applications to a production environment. By default, any certificates created using the OPSS keystore service in the domain are signed using the demonstration CA.
Note:
These demonstration certificates should not be used in a production environment. The private key of the demonstration certificate is available to all installations of WebLogic Server, so each installation can generate a demonstration CA signed certificate using the same key. Hence, you cannot trust these certificates. For more details, see here.
Replacing Demo CA Certificates With Domain CA Signed Certificates
A domain CA is a self-signed certificate that acts like a CA for a domain. Unlike a demonstration CA, the private key used in a domain CA certificate is unique to each domain, and provides more security.
You can create a domain CA certificate and replace all the demonstration CA certificates in a domain as described in Replacing Demo CA Certificates With Domain CA Signed Certificates.
Alternatively, you can run the helper script custom-keystore.sh, available at ${WORKDIR}/custom-keystore, to configure a custom keystore for Oracle SOA Suite domains. For more details, refer to the README.
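The trust difference between the shared demonstration CA and a per-domain CA described above, shown as an added illustration that is not part of Oracle's documentation or tooling. It uses the openssl CLI with throwaway keys; the CA names, the host name soa.example.com and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added illustration with throwaway keys and constructed names (not Oracle tooling).
set -eu

# make_ca NAME PREFIX: self-signed CA certificate and key at PREFIX.crt / PREFIX.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# issue_cert CA_PREFIX HOST OUT_PREFIX: new key and CSR for HOST, signed by that CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$3.crt" 2>/dev/null
}

# chains_to CA_CERT CERT: prints yes when CERT verifies against CA_CERT, else no
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

trust_demo() {
  work=$(mktemp -d)
  make_ca "Shared Demo CA" "$work/shared"   # stands in for a key every install has
  make_ca "Domain CA" "$work/domain"        # stands in for a key unique to one domain
  # Two unrelated installations each sign with the shared key for the same host name.
  issue_cert "$work/shared" soa.example.com "$work/install_a"
  issue_cert "$work/shared" soa.example.com "$work/install_b"
  issue_cert "$work/domain" soa.example.com "$work/prod"
  # A client trusting the shared CA cannot tell the two installations apart.
  echo "shared_trusts_a=$(chains_to "$work/shared.crt" "$work/install_a.crt")"
  echo "shared_trusts_b=$(chains_to "$work/shared.crt" "$work/install_b.crt")"
  # A client trusting only the domain CA rejects shared-CA certificates.
  echo "domain_trusts_a=$(chains_to "$work/domain.crt" "$work/install_a.crt")"
  echo "domain_trusts_prod=$(chains_to "$work/domain.crt" "$work/prod.crt")"
  rm -rf "$work"
}

trust_demo
```

The chains_to check is the part to reuse when auditing a deployment: run it with the domain CA certificate against each exported server certificate and investigate any that print no.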
Replacing Demo CA Certificates With Third-Party CA Signed Certificates
A third-party CA validates identities and issues certificates. To get the certificate, you must create a Certificate Request and submit it to the CA. The CA will authenticate the certificate requestor and create a digital certificate based on the request. To replace demonstration certificates with third-party CA signed certificates, see Replacing Demo CA Certificates With Third-Party CA Signed Certificates and Configure SSL certificates.