Class 1 StartSSL certificate not accepted by browser (Weblogic 10.0.1)

I requested a class 1 certificate from StartSSL and installed it in Weblogic 10.0.1 (see screenshots).

[Screenshots: WLS keystore config; WLS SSL config]

Browsers (Chrome and IE9 on Windows 7, IE8 on XPSP3) still give a certificate error (see screenshots).

[Screenshots: certificate error 1; certificate error 2]

I think the StartSSL root certificate is available in several browsers (see here). Please advise.

+7
3 answers

StartSSL Class 1 certificates are signed by an intermediate CA, which is in turn signed by the StartCom root CA. For your browser to trust this certificate, it must know the chain of trust up to a root CA it already knows.

The server needs to send the whole chain of trust to the browser (minus the root CA), so your browser can verify that your certificate is trusted.

For more information, see the StartSSL Frequently Asked Questions.

+26

Found the problem. I had imported the StartSSL certificate incorrectly into our keystore. In addition, I had specified "weblogic" as the alias in the Weblogic console, which is not a certificate but a public/private key pair. I use Portecle to edit the keystore.

When I noticed that I was probably using the wrong alias, I changed it to the certificate's alias. This led to a Weblogic error:

    Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: No identity key/certificate entry was found under alias startssl-hostname in keystore keystore_StartSSL on server servername

In the end, I followed these steps to pack the certificate and private key into one PKCS #12 keystore. Then I imported this keystore into our Java keystore using Portecle:

  • Export the weblogic public/private key pair using Portecle as a PKCS #12 keystore.
  • Retrieve the private key from this keystore using openssl:

    openssl pkcs12 -in weblogic.p12 -nocerts -out privatekey.pem

  • Package the certificate and private key as a PKCS #12 keystore (cert.p12) using openssl:

    openssl pkcs12 -export -in cert.cer -inkey privatekey.pem -out cert.p12 -name cert -CAfile ca.pem -caname root

  • Import the cert.p12 file into our Java keystore using Portecle, using "cert" as the alias.

  • Change the Weblogic configuration to use the alias "cert" with the correct passphrase.

And it worked!

PS: I added the unlimited strength JCE policy files, since Portecle complained about this at some point.

+2
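The chain-of-trust point from the first answer and the openssl packaging steps from the answer above, as one added example that is not code from either answer: it builds a throwaway root → intermediate → server chain (the shape of a StartSSL Class 1 issuance), packs the server certificate, its private key and the intermediate into a PKCS #12 bundle, checks that the intermediate actually ended up inside, and shows that a verifier holding only the root (as a browser does) needs the intermediate supplied to validate the server certificate. It assumes the `openssl` command-line tool is installed; every subject name, file name and the password `changeit` are constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the original question or answers. All names,
# files and the password below are invented for the demonstration.

WORK="${TMPDIR:-/tmp}/chain-demo.$$"

# Build root -> intermediate -> server certificates in $WORK (offline, throwaway keys).
make_chain() (
    set -e
    mkdir -p "$WORK" && cd "$WORK"
    # Minimal OpenSSL config: CA extensions for root/intermediate, end-entity for the server.
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
EOF
    # Root CA: self-signed.
    openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout root.key -out root.crt -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl req -config demo.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
        -extfile demo.cnf -extensions ca_ext -out int.crt 2>/dev/null
    # Server certificate: signed by the intermediate, never by the root directly.
    openssl req -config demo.cnf -newkey rsa:2048 -nodes -keyout privatekey.pem -out srv.csr \
        -subj "/CN=hostname.example" 2>/dev/null
    openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
        -extfile demo.cnf -extensions srv_ext -out cert.cer 2>/dev/null
)

# Pack server cert + private key + intermediate into cert.p12 under alias "cert".
# -certfile is what embeds the extra certificate; -CAfile only matters together with -chain.
bundle_p12() (
    set -e
    cd "$WORK"
    openssl pkcs12 -export -in cert.cer -inkey privatekey.pem -certfile int.crt \
        -name cert -passout pass:changeit -out cert.p12 2>/dev/null
)

# Number of certificates stored in the bundle; 2 means server cert + intermediate.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/cert.p12" -nokeys -passin pass:changeit 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# A client that trusts only the root cannot validate the server cert on its own...
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/cert.cer" >/dev/null 2>&1
}

# ...but succeeds once the intermediate is supplied, which is what the server must send.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/cert.cer" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Run the whole demonstration and report each check.
demo() {
    make_chain && bundle_p12 || { echo "openssl steps failed"; return 1; }
    echo "certificates in cert.p12: $(p12_cert_count)"
    if verify_without_intermediate; then echo "root alone: OK"; else echo "root alone: FAIL (intermediate missing)"; fi
    if verify_with_intermediate; then echo "root + intermediate: OK"; else echo "root + intermediate: FAIL"; fi
    cleanup
}

demo
```

The count check is the step worth keeping in a real deployment: after building the PKCS #12 file, list its certificates with `openssl pkcs12 -in cert.p12 -nokeys` and confirm the intermediate is present before importing it into the Java keystore, because in `openssl pkcs12 -export` the `-CAfile` option is only consulted when `-chain` is also given, whereas `-certfile` embeds the named certificates unconditionally. A bundle that holds only the server certificate produces exactly the browser error in the question even though the server's own certificate is valid.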

Typically, the trust store and the keystore will be separate, but this will not result in the error above.

If your browser does not trust the CA, you will receive the above error. You need to add the root CA to your browser. You can check which certificates your browser trusts; for example, in IE: Tools → Internet Options → Content → Certificates → Trusted Root CA.

Assuming you need to import this into one or two browsers, it doesn't really matter. But if you need to do this across the enterprise (which means 100 or 1000 browsers), you will need help from your desktop support team!

-1