Renewing the default-keystore.jks certificate
In Fusion Applications every WebLogic domain has its own keystore, default-keystore.jks, located under the domain's config/fmwconfig directory.
It holds two entries for that particular domain
[1] orakey : a PrivateKeyEntry, the domain's private key together with its self-signed certificate
[2] webcenter_spaces_ws : a trustedCertEntry holding a copy of that same certificate (both entries show the same serial number in the listing below)
Check whether these certificates have expired; if they have, renew them by generating a new key pair and certificate and re-creating the second entry from it.
To check the status of the certificates use keytool, the command-line utility shipped with the JDK, which lists every entry in a keystore.
Syntax : keytool -list -v -keystore <keystore_name>
When it prompts for the password, enter the keystore password and the certificates in the keystore are displayed. Compare each "until:" date with the current date; a certificate whose "until:" date has passed is expired.
Step 1
Check the status of the certificates in the keystore
[oracle@fah fmwconfig]$ keytool -list -v -keystore default-keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: orakey
Creation date: Mar 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=service, DC=domain_name, DC=com
Issuer: CN=service, DC=domain_name, DC=com
Serial number: 4f5430e3
Valid from: Mon Mar 05 07:20:03 GST 2012 until: Sat Sep 01 07:20:03 GST 2012
Certificate fingerprints:
MD5: A5:96:92:BA:16:03:B1:6D:60:F0:35:2F:CB:BC:65:B5
SHA1: 3F:10:5F:A1:17:2A:69:23:2F:E3:9E:A7:C6:B6:99:AB:92:9E:8D:EA
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
Alias name: webcenter_spaces_ws
Creation date: Mar 5, 2012
Entry type: trustedCertEntry
Owner: CN=service, DC=domain_name, DC=com
Issuer: CN=service, DC=domain_name, DC=com
Serial number: 4f5430e3
Valid from: Mon Mar 05 07:20:03 GST 2012 until: Sat Sep 01 07:20:03 GST 2012
Certificate fingerprints:
MD5: A5:96:92:BA:16:03:B1:6D:60:F0:35:2F:CB:BC:65:B5
SHA1: 3F:10:5F:A1:17:2A:69:23:2F:E3:9E:A7:C6:B6:99:AB:92:9E:8D:EA
Signature algorithm name: SHA1withRSA
Version: 3
Check every domain in the Fusion Applications environment to verify whether its default keystore certificate has expired too; each domain keeps its own default-keystore.jks under its fmwconfig directory.
In the example above both entries expired on Sep 01 2012 (the "until:" date), so the certificate has to be renewed. Note also that the certificate is signed with SHA1withRSA, the JDK6 default; when generating the replacement pass -sigalg SHA256withRSA to keytool so the new certificate is not signed with SHA1.
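Checking the "until:" dates by eye across every domain does not scale, so here is an added example (not part of the original post) that reads the keytool -list -v output and flags expired or soon-to-expire entries. The function names (keystore_expiry_report, scan_domain_keystores), the STOREPASS and FA_CONFIG_ROOT environment variables, and the assumption that keystore paths contain no whitespace are this example's own choices; the sample listing is a trimmed copy of the Step 1 output above.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry status of
# every certificate in a keystore listing, and scan all domains for it.

# Read "keytool -list -v" output on stdin and print one line per
# certificate: "<alias> <entry type> <until YYYYMMDD> <STATUS>".
# $1 = today as YYYYMMDD, $2 = warning threshold as YYYYMMDD.
# Exit status is 1 when at least one certificate has already expired,
# so the function can drive a cron job or a monitoring check.
keystore_expiry_report() {
    awk -v asof="$1" -v warn="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        expired = 0
    }
    /^Alias name:/ { alias = $3 }
    /^Entry type:/ { etype = $3 }
    /until:/ {
        # the fields after "until:" are: Dow Mon DD HH:MM:SS TZ YYYY
        for (i = 1; i <= NF; i++) if ($i == "until:") break
        until = $(i + 6) mon[$(i + 2)] sprintf("%02d", $(i + 3))
        if (until < asof)      { status = "EXPIRED"; expired++ }
        else if (until < warn) { status = "EXPIRING" }
        else                   { status = "VALID" }
        print alias, etype, until, status
    }
    END { exit (expired > 0) }'
}

# Constructed sample: the two entries from the Step 1 listing, trimmed
# to the lines the report needs.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: orakey
Creation date: Mar 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=service, DC=domain_name, DC=com
Valid from: Mon Mar 05 07:20:03 GST 2012 until: Sat Sep 01 07:20:03 GST 2012
*******************************************
Alias name: webcenter_spaces_ws
Creation date: Mar 5, 2012
Entry type: trustedCertEntry
Owner: CN=service, DC=domain_name, DC=com
Valid from: Mon Mar 05 07:20:03 GST 2012 until: Sat Sep 01 07:20:03 GST 2012
EOF
}

# Find every default-keystore.jks under a Fusion Applications config root
# ($1) and report on each. $2 = warning window in days (default 30).
# STOREPASS must hold the keystore password. Passing it with -storepass
# exposes it in the process list; on a shared host drop that argument
# and let keytool prompt instead. Assumes paths without whitespace.
scan_domain_keystores() {
    scan_root=$1
    warn_days=${2:-30}
    asof=$(date -u +%Y%m%d)
    # GNU date first, BSD/macOS date as the fallback
    warn=$(date -u -d "+${warn_days} days" +%Y%m%d 2>/dev/null \
        || date -u -v"+${warn_days}d" +%Y%m%d)
    scan_rc=0
    for ks in $(find "$scan_root" -type f -path '*/fmwconfig/default-keystore.jks'); do
        echo "== $ks"
        keytool -list -v -keystore "$ks" -storepass "$STOREPASS" \
            | keystore_expiry_report "$asof" "$warn" || scan_rc=1
    done
    return $scan_rc
}

# Usage: FA_CONFIG_ROOT=<fa_config_root> STOREPASS=<password> sh keystore-check.sh
if [ -n "${FA_CONFIG_ROOT:-}" ]; then
    scan_domain_keystores "$FA_CONFIG_ROOT" "${WARN_DAYS:-30}"
fi
```

Run it against the Step 1 listing with today set to 25 Oct 2012 and both entries come back EXPIRED, which is exactly the situation the rest of this post fixes; the non-zero exit status is what a monitoring job should alert on.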
Step 2
To create the new certificate use the keytool command. Before creating the new keystore, back up the current one by renaming it (for example mv default-keystore.jks default-keystore.jks.bak): this keeps the old key pair for rollback and moves the file out of the way, because keytool -genkey refuses to generate a key pair when the alias orakey already exists in the keystore, and it creates a fresh default-keystore.jks when the file is not there. Use the same keystore password as the old keystore; the domain's configuration already holds that password and the servers cannot open the new keystore if it changes.
Check which keytool is on the path (it should be the JDK shipped with Fusion Applications)
[oracle@fah ~]$ which keytool
/u01/oracle/fa/products/fusionapps/jdk6/bin/keytool
Create a new key pair and certificate in the default keystore
SYNTAX : keytool -genkey -keyalg RSA -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <validity of the certificate in days> -keysize <size of the key> -dname "cn=service,dc=<domain_name>,dc=com"
-genkey : generate a new key pair (newer JDKs call this -genkeypair; -genkey still works)
-keyalg RSA : use the RSA algorithm for the private key
-keystore : the keystore file to create or update
-storepass : the keystore password (given on the command line it ends up in the shell history and in ps output; omit it and keytool prompts for it instead)
-keysize : size of the key in bits, from 1024 to 4096; use at least 2048
-validity : number of days the certificate will be valid [you have to specify the value in days]
-dname : the distinguished name of the certificate subject; type it on a single line and use the same DN as the old certificate
-sigalg : optional, but add -sigalg SHA256withRSA so the new certificate is not signed with SHA1 (the JDK6 default)
[oracle@fah]$ keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass <password> -validity 3560 -keysize 2048 -dname "cn=service,dc=<domain_name>,dc=com"
Enter key password for <orakey>
(RETURN if same as keystore password):
Press RETURN to use the keystore password as the key password as well. Only enter a different key password if the key in the old keystore had one, and then use that same value, because the domain's configuration unlocks the key with the password it already has.
Step 3
List the certificates in the keystore. Because the keystore was just generated it contains a single entry. Check the Owner and Issuer lines carefully: in the listing below the DC value is printed as "com with the closing quote on the next line, which is how keytool shows a value that contains a line break, meaning the -dname string was wrapped across two lines when it was typed. If that happens, delete the entry (keytool -delete -alias orakey -keystore default-keystore.jks) and generate it again with -dname on one line, so that the DN matches the old certificate exactly.
[oracle@fah]$ keytool -list -v -keystore <keystore_name> -storepass <password>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: orakey
Creation date: Oct 25, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=service, DC=orasiserp, DC="com
"
Issuer: CN=service, DC=orasiserp, DC="com
"
Serial number: 50886309
Valid from: Thu Oct 25 01:52:09 GST 2012 until: Mon Jul 25 01:52:09 GST 2022
Certificate fingerprints:
MD5: 61:36:FB:D6:8D:A8:54:4D:DD:B6:CF:AE:2A:D1:03:22
SHA1: E8:78:CD:E3:21:91:9D:8B:9C:ED:B3:A6:55:E2:59:57:BA:60:86:05
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
Step 4
Once the new keystore with the key pair is created, add the second entry. The second entry is a trusted-certificate copy of the orakey certificate, so first export that certificate to a file.
To export the certificate
SYNTAX: keytool -export -alias orakey -file <file_name> -keystore <name of the keystore> -storepass <password>
-file : the file the certificate is written to, conventionally ending in .cer
-keystore : name of the keystore [default-keystore.jks]
[oracle@fah]$ keytool -export -alias orakey -file webcenter_spaces_ws.cer -keystore default-keystore.jks -storepass <password>
Certificate stored in file <webcenter_spaces_ws.cer>
The certificate file is written to the directory the keytool command was run from. It contains only the public certificate, not the private key, so it is safe to copy to other hosts.
Check for the new certificate file
[oracle@fah]$ ll webcenter*
-rw-r--r-- 1 oracle oinstall 774 Oct 28 13:19 webcenter_spaces_ws.cer
Step 5
Import the certificate into the default keystore under the second alias
SYNTAX: keytool -import -alias <alias_name> -file <cert_file_name> -keystore <keystore_name> -storepass <password>
[oracle@fah]$ keytool -import -alias webcenter_spaces_ws -file webcenter_spaces_ws.cer -keystore default-keystore.jks -storepass <password>
Certificate already exists in keystore under alias <orakey>
Do you still want to add it? [no]: yes
Certificate was added to keystore
Answer yes at the prompt. keytool warns because the identical certificate is already in the keystore under the alias orakey, and that is intended: the second alias is meant to hold a copy of it (add -noprompt to skip the question in a script).
Step 6
Now list the keystore again and you will find two entries, orakey (PrivateKeyEntry) and webcenter_spaces_ws (trustedCertEntry), both with the new serial number and the new "until:" date
[oracle@fah]$ keytool -list -v -keystore default-keystore.jks -storepass <password>
Follow these steps for the default-keystore.jks under the fmwconfig directory of every domain. Because the serial number and fingerprints change, also import the new .cer into any other keystore that trusted the old orakey certificate, and restart the domain's servers so they pick up the new keystore.
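Steps 2 to 6 as a single script, added here as an example rather than taken from the original post. It keeps the old keystore as a backup, refuses to touch anything when the keystore is missing, the password is unset or the DN spans more than one line (the mistake visible in the Step 3 listing), and checks that exactly the two expected aliases exist afterwards. The function name renew_default_keystore, the STOREPASS, RENEW_KEYSTORE, RENEW_DNAME and RENEW_DAYS variables and the backup suffix are this example's own choices, as is the use of -noprompt, -storetype JKS and -sigalg SHA256withRSA.

```shell
#!/bin/sh
# Added example (not from the original post): renew default-keystore.jks
# in one go, with the checks the manual procedure relies on the operator
# to remember.
#
# renew_default_keystore <keystore.jks> <dname> [validity_days]
# STOREPASS must hold the keystore password; it is reused as the key
# password (the "RETURN if same as keystore password" answer in Step 2).
# Passing -storepass on the command line exposes it in the process list;
# on a shared host drop those arguments and let keytool prompt.
renew_default_keystore() {
    ks=$1
    dname=$2
    days=${3:-3560}

    # Preconditions: nothing is touched unless they all hold.
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    [ -n "${STOREPASS:-}" ] || { echo "STOREPASS is not set" >&2; return 1; }
    # A line break inside -dname ends up inside the DN (DC="com ... in Step 3).
    [ "$(printf '%s' "$dname" | wc -l | tr -d ' ')" -eq 0 ] \
        || { echo "dname must be a single line" >&2; return 1; }

    stamp=$(date -u +%Y%m%d%H%M%S)
    bak=$ks.$stamp.bak
    cer=$(dirname "$ks")/webcenter_spaces_ws.cer

    # Step 2: keep the old keystore (it still holds the old private key,
    # so restrict it) and let keytool create a fresh file. keytool refuses
    # to generate a key pair if alias orakey already exists, which is why
    # the old file has to move out of the way first.
    mv "$ks" "$bak" || return 1
    chmod 600 "$bak"
    # -storetype JKS keeps the format the domain expects on JDKs whose
    # default became PKCS12; -genkeypair is the current name of -genkey.
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -alias orakey -validity "$days" -dname "$dname" \
        -keystore "$ks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" || return 1

    # Step 4: export the public certificate of orakey (no private key).
    keytool -export -alias orakey -file "$cer" \
        -keystore "$ks" -storepass "$STOREPASS" || return 1

    # Step 5: import it under the second alias. -noprompt answers the
    # "Certificate already exists in keystore under alias <orakey>"
    # question with yes, which is the intended outcome here.
    keytool -import -noprompt -alias webcenter_spaces_ws -file "$cer" \
        -keystore "$ks" -storepass "$STOREPASS" || return 1

    # Step 6: the new keystore must list exactly the two expected aliases
    # ("keytool -list" prints "<alias>, <date>, <type>," per entry).
    n=$(keytool -list -keystore "$ks" -storepass "$STOREPASS" \
        | grep -c -E '^(orakey|webcenter_spaces_ws),' || true)
    [ "$n" -eq 2 ] || { echo "expected 2 entries, found $n" >&2; return 1; }
    echo "renewed $ks (backup: $bak, certificate: $cer)"
}

# Usage: STOREPASS=<password> RENEW_KEYSTORE=<domain>/config/fmwconfig/default-keystore.jks \
#        RENEW_DNAME="cn=service,dc=<domain_name>,dc=com" sh renew-default-keystore.sh
if [ -n "${RENEW_KEYSTORE:-}" ]; then
    renew_default_keystore "$RENEW_KEYSTORE" "${RENEW_DNAME:?set RENEW_DNAME}" "${RENEW_DAYS:-3560}"
fi
```

Run it once per domain, then copy the exported .cer to every other keystore that trusted the old certificate and restart the servers; the .bak file is the rollback path if a server refuses to start with the new keystore.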