Monday, October 14, 2013

Weblogic Certificate Error (FATAL Alert:BAD_CERTIFICATE)

I recently configured weblogic to work with a GoDaddy certificate and started getting the following error.

Error: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received

The solution was to add the following startup option to weblogic.    



This error is caused when the encryption strength used to create the cert is lower than the version of java you are using to run Weblogic is expecting. 

Installing Certificate in Weblogic Keystore

If you do not have the certificate complete the following steps.
1) Open chrome (You can do this in IE or FireFox too but I just have the steps for chrome)
2) Go to the secure website your service needs to connect to.
          a.  Right click on the lock on the upper left hand side
          b.    Left click on the connections tab
          c.    Select View Certificates

          d. Select the Details tab

          e. Select Copy to file.  This will bring up the Certificate Export Wizzard.
                                                               i.      Select Next
                                                             ii.      Select DER Encoded 

          f. Select a file to hold the certificate. 

3) Get intermediary Cert (Reseller Cert).  
          a. Right click on the lock on the upper left hand side
          b. Left click on the connections tab
          c. Select View Certificates
          d. Select Certification Path tab
          e. Select the intermediary cert

         f. This will bring up a certificate window for the intermediary certificate.  Follow steps 3d-f to save this certificate

4) If the Root cert is not already installed, repeat step 3 for the root.
5) You now need to save the certificates in a keystore that will be used by Weblogic
          a. Go to the java/bin directory that is being used by weblogic.  We will use the keytool application to add the certificates.
          b. Find the keystores used by Weblogic.  By default you can use the keystores in $MiddlewareHome/wlserver_10.3/server/lib
          c. List the contents of the keystore by using the keytool –list command.  You will need to supply the keystore location.  You will also need to know the keystore password.  If you use DemoTrust.jks the default password is "DemoTrustKeyStorePassPhrase"
./keytool -list -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

           d. Execute the keytool – import command to import the certs.  Note: you will need to supply an alias, the location to the cert file and the location of the keystore and you will need to execute this command twice to import both the site cert and the intermediary cert.

keytool -importcert -file /media/sf_Temp/Booking/BookingCom.cer -alias bookingCom -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

Go Daddy (Note:  There is a new param)
keytool -trustcacerts -importcert -alias godaddy -file /tmp/GoDaddyInt.cer -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks  -storepass DemoTrustKeyStorePassPhrase