java – Weblogic Import SSL .PFX File via Keytool-Exceptionshub

Posted by: admin February 25, 2020

Questions:

Recently our company is moving from LDAP to LDAPS.

We have an application (OBIEE) that runs on Weblogic with Unix as the OS. The instructions I have been provided indicate to use the java keytool command to import certificates.

Our administrator sent me a *.pfx file to import into our server. After some googling it looks like a *.pfx file can contain a few certificates within.

I figured out how to extract the certificates, but now my question is if I need to import the certificate can I use keytool to import a *.pfx file?

From the examples I have seen it doesn't sound like it can, and thus led me to extract the individual certificates. But then this leads me to my second question, which is:

If I have more than one certificate extracted from the *.pfx do I import ALL the certificates? Or just the root?

Not familiar with this type of thing, and any advice would be much appreciated.

How to & Answers:

*.pfx is similar to other formats, e.g. *.cert or *.crt, except that it contains the private key as well (which, as a client of the AD/LDAP server, you normally don't need unless you want your application to authenticate itself against the AD server, given this private key was generated for your application).

So you don’t need to import all the certificates, only the server certificate so that your application can trust the AD/LDAP server.

  1. Extract the certificate. You can do so with the OpenSSL tool as follows:
      openssl pkcs12 -in myfile.pfx -out mycerts.crt -nokeys -clcerts
  2. Convert it from *.crt to *.cer:
      openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer
  3. Import the *.cer file into your JRE cacerts Keystore file:
      keytool -import -trustcacerts -alias ldap -file mycerts.cer -keystore /path/to/your/jre/lib/security/cacerts

Note: You can probably skip step 2 and import the *.crt file format directly to your Keystore cacerts file.
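
The three steps above as one script, an added example that is not part of the original answer: it extracts certificates only, confirms that no private key ended up in the output, and prints the subject, issuer and SHA-256 fingerprint to compare with the administrator before importing. The PFX is constructed on the fly so the script runs offline; `demo.pfx`, `ldaps.example.test`, `PFX_PASS`, `TRUST_PASS` and the scratch truststore (used here instead of the JRE `cacerts`) are assumptions, and the keytool step runs only when keytool is installed.

```shell
#!/bin/sh
# Added example. Constructed names: demo.pfx, ldaps.example.test,
# PFX_PASS, TRUST_PASS and the scratch truststore path.
set -eu

make_demo_pfx() {   # $1 = work dir; throwaway key + self-signed cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldaps.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/demo.pfx" -passout env:PFX_PASS
}

extract_certs() {   # step 1: $1 = pfx, $2 = PEM out, certificates only
    openssl pkcs12 -in "$1" -out "$2" -nokeys -clcerts -passin env:PFX_PASS
}

to_der() {          # step 2: $1 = PEM in, $2 = DER out
    openssl x509 -inform pem -in "$1" -outform der -out "$2"
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }
count_keys()  { grep -c -- 'BEGIN .*PRIVATE KEY' "$1" || true; }

describe_cert() {   # what to compare with the administrator before import
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

import_cert() {     # step 3: $1 = DER cert, $2 = truststore
    keytool -importcert -noprompt -trustcacerts -alias ldap \
        -file "$1" -keystore "$2" -storepass:env TRUST_PASS
}

main() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    export PFX_PASS=constructed-pfx-pass TRUST_PASS=changeit
    make_demo_pfx "$work"
    extract_certs "$work/demo.pfx" "$work/mycerts.crt"
    [ "$(count_keys "$work/mycerts.crt")" = 0 ] || { echo "private key in output" >&2; exit 1; }
    echo "certificates extracted: $(count_certs "$work/mycerts.crt")"
    describe_cert "$work/mycerts.crt"
    to_der "$work/mycerts.crt" "$work/mycerts.cer"
    if command -v keytool >/dev/null 2>&1; then
        import_cert "$work/mycerts.cer" "$work/truststore.jks"
        keytool -list -alias ldap -keystore "$work/truststore.jks" -storepass:env TRUST_PASS
    fi
}
main
```

Passing the passwords through environment variables (`env:` for openssl, `-storepass:env` for keytool) keeps them out of the process argument list.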