Monday, September 3, 2012

Convert Wallet Into Keystore (OHS to Weblogic SSL) - Verse 1

Recently I've been trying to migrate my SSL configuration from OHS (Oracle HTTP Server) to WebLogic Server. For information, OHS uses a Wallet to store the certificates for SSL authentication, while on the other side WebLogic uses Keystores (an Identity and a Trust Keystore). So I need to convert my Wallet (PKCS12 format) into Keystores.

My certificate setup:
  • One Root CA (Root-CA)
  • Two Intermediate CAs (inter1-CA and inter2-CA)
  • A server certificate with its key pair (public and private key)
  • inter1-CA issued by Root-CA
  • inter2-CA issued by inter1-CA
  • and a Wallet containing the server certificate, which is issued by inter2-CA

As the Oracle documentation describes the Identity and Trust Keystores: the Identity Keystore contains the server's public and private key, and the Trust Keystore contains the trusted CA certificates (mine is a chain: Root-CA, inter1-CA and inter2-CA).

To complete this task I'm using these tools:


More description:

  • My certificates are in DER format
  • Keytool only accepts certificates in PEM format (hope I'm not wrong), so I have to convert them first before importing them into the keystore
  • The Identity Keystore must be filled with the server's public and private key; that's why I need ImportKey.class to do this task
  • The ImportKey class only accepts DER format, so I have to convert the key and certificate too, using OpenSSL

So here it is, the steps:

IDENTITY KEYSTORE

SPLIT WALLET (PKCS12) INTO KEY AND CERT

openssl pkcs12 -nocerts -in wallet_server.p12 -out wallet_serverkey.pem -nodes

openssl pkcs12 -clcerts -nokeys -in wallet_server.p12 -out wallet_servercert.pem

openssl rsa -in wallet_serverkey.pem -out wallet_serverkey2.pem

CONVERT KEY AND CERT PEM FORMAT INTO DER FORMAT

openssl pkcs8 -topk8 -nocrypt -in wallet_serverkey2.pem -inform PEM -out wallet_serverkey.der -outform DER

openssl x509 -in wallet_servercert.pem -inform PEM -out wallet_servercert.der -outform DER

USING ImportKey.class TO IMPORT PRIVATE KEY INTO KEYSTORE

java ImportKey wallet_serverkey.der wallet_servercert.der

RENAME KEYSTORE FILE keystore.importKey INTO identity_keystore.jks

CHANGE KEYSTORE PASSWORD importkey INTO somepass
keytool -keystore identity_keystore.jks -storepasswd

CHANGE CERTIFICATE PASSWORD importkey INTO somepass
keytool -keypasswd -keypass importkey -new somepass -alias importkey -keystore identity_keystore.jks

CHANGE ALIAS importkey INTO somekey
keytool -keystore identity_keystore.jks -keyclone -alias importkey -dest somekey

DELETE OLD ALIAS importkey
keytool -keystore identity_keystore.jks -delete -alias importkey


TRUST KEYSTORE
USING WALLET MANAGER, EXPORT ALL CAs AND SAVE THEM TO YOUR LOCAL DISK
CONVERT CA CERTIFICATES DER TO PEM
openssl x509 -in Inter1-CA.cer -inform DER -out Inter1-CA.pem -outform PEM
openssl x509 -in Inter2-CA.cer -inform DER -out Inter2-CA.pem -outform PEM
openssl x509 -in Root-CA.cer -inform DER -out Root-CA.pem -outform PEM
CREATE TRUSTED CA - CERTIFICATE CHAIN KEYSTORE
keytool -import -trustcacerts -file Inter1-CA.pem -keystore trust_keystore.jks -alias inter1
keytool -import -trustcacerts -file Inter2-CA.pem -keystore trust_keystore.jks -alias inter2
keytool -import -trustcacerts -file Root-CA.pem -keystore trust_keystore.jks -alias root
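Before anything goes into WebLogic it is worth checking that the split and the DER conversion above really produced matching material. The following shell script is an added example, not from the original post: it builds a constructed Root-CA, inter1-CA, inter2-CA and server chain, packs the server key and certificate into a PKCS12 file standing in for the wallet, runs the openssl commands from the IDENTITY KEYSTORE and TRUST KEYSTORE sections against it, and then verifies that the DER key and DER certificate carry the same public key and that the certificate chains to Root-CA through both intermediates. It assumes only that openssl is on the PATH; the wallet password walletpw, the subject names and the temporary working directory are made up, and the ImportKey and keytool steps are not exercised.

```shell
#!/bin/sh
# Added example (not part of the original post): constructs a test PKI and a PKCS12
# "wallet", runs the post's openssl split/convert commands, and verifies the result.
# Requires only openssl. All names, passwords and paths below are made up.
set -eu

# Issue CA certificate $2 signed by CA $3, both under directory $1 (uses $1/ca.ext).
issue_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2-CA" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -days 1 -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
}

# Constructed test PKI under $1/pki, a PKCS12 wallet at $1/wallet_server.p12 and the
# CA certificates as DER .cer files (what Wallet Manager would export) under $1.
make_demo_pki() {
    pki="$1/pki"
    mkdir -p "$pki"
    # Without basicConstraints CA:TRUE, openssl verify rejects the intermediates.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$pki/ca.ext"
    # Root-CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Root-CA" \
        -keyout "$pki/root.key" -out "$pki/root.csr" 2>/dev/null
    openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 1 \
        -extfile "$pki/ca.ext" -out "$pki/root.pem" 2>/dev/null
    issue_ca "$pki" inter1 root    # inter1-CA issued by Root-CA
    issue_ca "$pki" inter2 inter1  # inter2-CA issued by inter1-CA
    # Server certificate issued by inter2-CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$pki/server.key" -out "$pki/server.csr" 2>/dev/null
    openssl x509 -req -in "$pki/server.csr" -CA "$pki/inter2.pem" -CAkey "$pki/inter2.key" \
        -CAcreateserial -days 1 -out "$pki/server.pem" 2>/dev/null
    # The wallet: server key and certificate plus the CA chain, password walletpw
    cat "$pki/inter2.pem" "$pki/inter1.pem" "$pki/root.pem" > "$pki/chain.pem"
    openssl pkcs12 -export -inkey "$pki/server.key" -in "$pki/server.pem" \
        -certfile "$pki/chain.pem" -passout pass:walletpw -out "$1/wallet_server.p12"
    openssl x509 -in "$pki/root.pem" -outform DER -out "$1/Root-CA.cer"
    openssl x509 -in "$pki/inter1.pem" -outform DER -out "$1/Inter1-CA.cer"
    openssl x509 -in "$pki/inter2.pem" -outform DER -out "$1/Inter2-CA.cer"
}

# The post's IDENTITY KEYSTORE steps: split $1/wallet_server.p12 (password $2) and
# convert the key and certificate to DER for ImportKey.
split_wallet() {
    openssl pkcs12 -nocerts -in "$1/wallet_server.p12" -out "$1/wallet_serverkey.pem" -nodes -passin "pass:$2"
    openssl pkcs12 -clcerts -nokeys -in "$1/wallet_server.p12" -out "$1/wallet_servercert.pem" -passin "pass:$2"
    openssl rsa -in "$1/wallet_serverkey.pem" -out "$1/wallet_serverkey2.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$1/wallet_serverkey2.pem" -inform PEM -out "$1/wallet_serverkey.der" -outform DER
    openssl x509 -in "$1/wallet_servercert.pem" -inform PEM -out "$1/wallet_servercert.der" -outform DER
}

# The post's TRUST KEYSTORE step: exported DER CA certificates to PEM for keytool.
convert_ca_certs() {
    for ca in Inter1-CA Inter2-CA Root-CA; do
        openssl x509 -in "$1/$ca.cer" -inform DER -out "$1/$ca.pem" -outform PEM
    done
}

# SHA-256 of a DER SubjectPublicKeyInfo read from stdin.
spki_digest() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# Checks: (1) the DER key and DER certificate carry the same public key;
# (2) the certificate verifies up to Root-CA through inter1-CA and inter2-CA.
# Prints "ok" on success, otherwise the reason.
verify_identity_material() {
    keydigest=$(openssl pkey -in "$1/wallet_serverkey.der" -inform DER -pubout -outform DER | spki_digest)
    certdigest=$(openssl x509 -in "$1/wallet_servercert.der" -inform DER -pubkey -noout \
        | openssl pkey -pubin -outform DER | spki_digest)
    if [ "$keydigest" != "$certdigest" ]; then
        echo "private key does not match certificate"; return 1
    fi
    cat "$1/Inter1-CA.pem" "$1/Inter2-CA.pem" > "$1/intermediates.pem"
    if ! openssl verify -CAfile "$1/Root-CA.pem" -untrusted "$1/intermediates.pem" \
            "$1/wallet_servercert.pem" >/dev/null 2>&1; then
        echo "certificate does not chain to Root-CA"; return 1
    fi
    echo ok
}

# Build the constructed wallet, run the post's conversion, verify, clean up; prints "ok".
run_demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    split_wallet "$work" walletpw
    convert_ca_certs "$work"
    result=$(verify_identity_material "$work") || true
    rm -rf "$work"
    echo "$result"
}

run_demo
```

Running the script prints ok. Note that wallet_serverkey.pem, wallet_serverkey2.pem and wallet_serverkey.der all hold the private key unencrypted (that is what -nodes and -nocrypt mean), so remove them from disk once identity_keystore.jks has been built.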


That's it. Hope my notes help.

By the way, there's a simpler way to do the task; you can find it here.
