Installing an SSL Certificate on Oracle WebLogic
Michelle Roberts
Oracle WebLogic separates SSL Certificate configuration into two halves that other platforms blend together. The identity keystore holds your SSL Certificate and Private Key, while the trust configuration decides which Certificate Authority (CA) chains the server believes. Keeping the two roles distinct makes every screen in the Administration Console easier to read.
Building the Identity Keystore
WebLogic accepts standard Java keystores, so the keystore is built with keytool or assembled directly from existing files with OpenSSL. When the SSL Certificate, Private Key, and ca-bundle already exist as files, one command packages them.
openssl pkcs12 -export -inkey yourdomain.key -in yourdomain.crt -certfile yourdomain.ca-bundle -name yourdomain -out identity.p12
The name option sets the alias that WebLogic will reference later, and the export password protects the keystore. Place the file somewhere readable by the server user, such as the domain configuration directory.
Your issued SSL Certificate and the ca-bundle of Intermediate Certificates remain available in the tracking system whenever needed.
Configuring Keystores in the Administration Console
Log in to the Administration Console, navigate to Environment and then Servers, and select the server being secured. On the Keystores tab, click Change and choose Custom Identity and Java Standard Trust, which uses your keystore for identity while trusting the standard CA set that ships with Java.
Enter the path to the identity keystore, set the type to PKCS12, and provide the passphrase. Java Standard Trust typically needs only its default passphrase of changeit unless your environment altered it. Save the page.
Configuring the SSL Identity
Move to the SSL tab of the same server. Set the identity alias to the name chosen during keystore creation, provide the Private Key passphrase, and save.
Then open the General tab for the server, tick SSL Listen Port Enabled, set the port, conventionally 7002 on WebLogic, and save. Activate the changes if your domain runs in production mode, then restart the server so the listener starts with the new identity.
Note: Production WebLogic frequently sits behind a load balancer or web tier that terminates HTTPS in front of it. When that is the architecture, the SSL Certificate belongs on the front tier, and WebLogic only needs its own identity when the internal leg is also encrypted.
Wherever the SSL Certificate ends up living, verification looks the same.
Verifying the Installation
Connect to the server on its SSL listen port and confirm the SSL Certificate details in the browser. Then run an external scan to confirm that the complete chain reaches fresh clients, which validates that the ca-bundle made it into the identity keystore. Trustico® provides free checking tools for this confirmation.
Troubleshooting Common Installation Problems
A startup failure reporting the identity alias cannot be found means the alias on the SSL tab does not match the name inside the keystore. List the keystore with keytool to confirm the exact alias and correct the console entry.
An identity failure reporting a key and SSL Certificate mismatch means the keystore was assembled from files belonging to different requests, typically after a Certificate Signing Request (CSR) was regenerated. A reissue against the current CSR resolves it.
Chain warnings on strict clients mean the ca-bundle was left out of the keystore assembly. Rebuild the keystore with the certfile option included and restart.
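The three failures above (alias not found, key and SSL Certificate mismatch, missing ca-bundle) can be caught before WebLogic is restarted. The shell functions below are an added example, not part of the original article or of any Oracle or Trustico tooling; they assume the OpenSSL command line, an unencrypted Private Key file, and the keystore password exported in a variable named P12_PASS (a name chosen for this example) so it never appears on a command line.

```shell
#!/bin/sh
# Added example: pre-restart checks for a WebLogic identity keystore.
# Assumptions: OpenSSL CLI available, unencrypted private key file, and the
# keystore password exported as P12_PASS (variable name chosen for this example).

# key_matches_cert KEY CRT: 0 if the key belongs to the certificate, 1 if not,
# 2 if either file cannot be parsed (an encrypted key also lands here).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# p12_alias P12: print the friendlyName, which is the alias set by -name.
p12_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_cert_count P12: print how many certificates the keystore carries.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# check_identity P12 ALIAS: 0 if ready, 1 on alias mismatch, 3 if no chain.
check_identity() {
    found=$(p12_alias "$1")
    count=$(p12_cert_count "$1")
    if [ "$found" != "$2" ]; then
        echo "alias in keystore is '$found', SSL tab expects '$2'" >&2
        return 1
    fi
    if [ "$count" -lt 2 ]; then
        echo "keystore holds $count certificate(s); ca-bundle missing" >&2
        return 3
    fi
    echo "alias '$2' present with $count certificates"
}
```

Run key_matches_cert on the key and SSL Certificate files before building the keystore, then check_identity on identity.p12 with the alias you intend to enter on the SSL tab.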
Professional Installation Assistance
WebLogic domains spanning managed servers, clusters, and node managers multiply the places identity must be configured consistently.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.