StartSSL class 1 certificate not accepted by browser (Weblogic 10.0.1)

I have requested a class 1 certificate from StartSSL and installed it in Weblogic 10.0.1 (see screenshots).

[Screenshots: WLS keystore config; WLS SSL config]

The browsers (Chrome & IE9 on Windows 7, IE8 on XPSP3) still give a certificate error (see screenshots).

[Screenshots: certificate error 1; certificate error 2]

I think the StartSSL root certificate is available in several browsers (see here). Please advise.

Tearoom answered 4/6, 2012 at 9:50

StartSSL Class 1 certificates are signed by an intermediate CA, which is signed by the StartCom Root CA. For your browser to trust this certificate, it needs to know the trust chain up to the Root CA it already knows.

Your server needs to send the complete trust chain to the browser (minus the Root CA), so your browser can verify that your certificate is trusted.

See the StartSSL FAQ for more info.

Oily answered 4/6, 2012 at 21:5
Comments (2):
I've imported both the StartSSL root and intermediate certificates into the keystore as per these instructions: forum.startcom.org/viewtopic.php?t=1390 (Tearoom)
I found this bundle particularly useful in creating the chained certificate. (Monadism)

Found the problem. I've imported the StartSSL certificate incorrectly in our keystore. Also, I've specified "weblogic" as alias in the Weblogic console which is not the certificate but the public/private key pair. I'm using Portecle to edit the keystore.

When I noticed that I was probably using the wrong alias, I changed it to the alias of the certificate. This resulted in a Weblogic error:

    Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: No identity key/certificate entry was found under alias startssl-hostname in keystore keystore_StartSSL on server servername

In the end I've followed these steps to pack the certificate and private key in one PKCS#12 keystore. I've then imported that keystore into our java keystore using Portecle:

  1. Export the "weblogic" public/private key using Portecle as a PKCS#12 keystore.
  2. Extract the private key from this keystore using openssl:

    openssl pkcs12 -in weblogic.p12 -nocerts -out privatekey.pem

  3. Package the certificate and private key as a PKCS#12 keystore (cert.p12) using openssl:

    openssl pkcs12 -export -in cert.cer -inkey privatekey.pem -out cert.p12 -name cert -CAfile ca.pem -caname root

  4. Import cert.p12 file into our java keystore using Portecle using "cert" as alias.

  5. Change the Weblogic configuration to use the "cert" alias with the correct passphrase.

And it worked!

PS: I've added the JCE unlimited strength policy along the way since Portecle complained about this at one point.

Tearoom answered 5/6, 2012 at 13:38
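The two points above (the browser needs the intermediate in order to reach a root it already trusts, and the PKCS#12 handed to WebLogic must therefore carry the chain, not just the leaf) can be checked end to end with openssl. The script below is an added example, not code from the thread: it builds a constructed root / intermediate / leaf chain, verifies the leaf the way a browser would, and packs leaf + intermediate into one PKCS#12. It assumes the openssl CLI is installed; every name and file in it is made up.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes openssl is installed.
set -e
work=$(mktemp -d)
cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Constructed root CA (self-signed); stands in for the root the browser already trusts
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Test Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null
# Constructed intermediate CA, signed by the root (the StartSSL Class 1 role)
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Test Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext 2>/dev/null
# Constructed server (leaf) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# Mimic the browser: trust only the root, verify the leaf with whatever extra
# certificates the server presented ($2, may be empty). Prints trusted/untrusted.
verify_as_browser() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# Pack leaf + private key + intermediate into one PKCS#12. -certfile embeds the
# extra certificates; -CAfile is only consulted when -chain is also given.
# Prints the number of certificates stored in the resulting file.
build_p12() {
  openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile int.pem \
    -name cert -passout pass:changeit -out cert.p12
  openssl pkcs12 -in cert.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf only:         $(verify_as_browser leaf.pem)"          # untrusted
echo "leaf+intermediate: $(verify_as_browser leaf.pem int.pem)"  # trusted
echo "certs in p12:      $(build_p12)"                            # 2
```

The same `openssl pkcs12 -in cert.p12 -nokeys` listing is a quick way to confirm, before importing into the WebLogic keystore, that the intermediate actually travelled with the leaf.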

Generally the trust store and keystore would be separate, but it will not cause the error above.

If your browser does not trust the CA then you will receive the above error. You need to add the root CA to your browser. You can check the certs that your browser supports. E.g. for IE: Tools -> Internet Options -> Content -> Certificates -> Trusted Root CA

Assuming you need to import this into one or two browsers, it's not a big deal. But if you need to do this across the enterprise (meaning 100s or 1000s of browsers), you will need help from your desktop support team!

Rosas answered 4/6, 2012 at 20:56
Comments (2):
The user should never have to manually add a certificate to the browser. (Spiritualize)
"never", really? What about when you use an internal PKI system? Many companies use an internal PKI system. (Rosas)
