Tuesday, 7 March 2017

How to create a CSR and renew the SSL keys


A few days back I started getting notifications that the application certificate was soon going to expire. It's a Discoverer 11g application, so we created a PKCS12-compliant wallet that can be used with the C-based system components, for example Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory, and OPMN.


To create a wallet


To create the wallet-based, PKCS12-compliant keys I used the Oracle Wallet Manager GUI (OWM).

You can use the Wallet Manager GUI that comes with the Oracle 11g client installation under Integration Management Tools, or you can find the tool in the Oracle home software directory on Unix:

cd $ORACLE_HOME/bin
PATH=$PATH:/usr/X11/bin:/usr/openwin/bin
export DISPLAY=<hostname:portno>

./owm

Select Wallet --> New



It will prompt for password.


Specify the password here and save it for future use: you will need it for every wallet operation, such as Open Wallet, Import Certificates and Export Certificates.





 
 
Here you need to fill in the details for the certificate request; it is important to select a key size of 2048 or higher. NOTE - the common name needs to be the server or DNS name, like xyz.com


Once all the details are entered, save it.


After the certificate request is created, export it and submit it to the certificate authority.


Now we need to wait to receive the SSL certificate from the certificate authority. The file we receive will be named <xyz>.com.crt, with the certificate extension.


Now import this certificate into the wallet we created before.


You can also specify the "Auto-Login" option via a checkbox in OWM.


When creating a wallet, a file called "ewallet.p12" is generated. If Auto-Login is specified, an additional file called "cwallet.sso" is also generated. The auto-login file lets the server open the wallet without the password, so keep its file permissions restricted to the account that runs the server.

To import these keys into Discoverer




1) Log in to the Discoverer application

2) Shut down the OPMN services

3) Go to $ORACLE_INSTANCE/config/OHS/ohs1 and check the SSLWallet directive, which names the wallet directory that Oracle HTTP Server reads:

grep -i SSLWallet ssl.conf

4) Go to $ORACLE_INSTANCE/config/OHS/ohs1/keystores/default

Place both wallet files here: 1) ewallet.p12   2) cwallet.sso

5) Now restart the OPMN services

opmnctl startall

6) Now access the Discoverer application and you will find the certificate key information in the lock box




There are a few ways to verify that your website is secure and to check when the SSL certificate expires.

You can view the site information in your browser to see basic information about the SSL certificate, including whether the connection is secure and when the certificate will expire.

Firefox
In the address bar click on the lock icon to the left of 'https://'
This will show if the connection is encrypted
Click on 'More information'
Click 'View Certificate'
This will show the expiry date

Opera
In the address bar click on the lock icon to the left of 'https://'
This will show if the connection is encrypted
Click on 'Details'
Click on the linked domain name
This will show the expiry date

Chrome
In the address bar click on the lock icon to the left of 'https://'
Click on 'Connection'
This will show if the connection is encrypted
Click on 'Certificate information'
This will show the expiry date

IE
In the address bar click on the lock icon on the right hand side
This will show if the connection is encrypted
Click 'View Certificates'
This will show the expiry date

Safari
In the address bar click on the lock icon on the right hand side
If you can see certificate information this will indicate that the connection is encrypted
You will also be able to see the expiry date

If you see an exclamation mark or another icon in place of the lock icon, that could indicate either that SSL is not working or that the website is displaying a mix of secure and non-secure content.
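
The properties this post relies on (common name equal to the DNS name, key size of 2048 or higher, expiry date) can also be checked from the command line before the request goes to the certificate authority and before the returned certificate is imported into the wallet. This is an added example, not part of the original post; it assumes the openssl CLI is installed, the function and file names are hypothetical, and the key, CSR and certificates it generates are constructed throwaway stand-ins for the OWM export and the CA's reply.

```shell
#!/bin/sh
# Added example (not from the original post); needs the openssl CLI.
# Function and file names are hypothetical.

# Common name of a PEM CSR (multiline output avoids per-version subject formats).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Public key size in bits of a PEM CSR.
csr_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Before submitting to the CA: CN must be the DNS name, key must be >= 2048 bits.
check_csr() {  # usage: check_csr <csr> <expected-dns-name>
  [ "$(csr_cn "$1")" = "$2" ] || { echo "CN is not $2" >&2; return 1; }
  bits=$(csr_bits "$1")
  [ "${bits:-0}" -ge 2048 ] || { echo "key is ${bits:-?} bits" >&2; return 1; }
}

# Before importing into the wallet: the certificate must carry the CSR's public
# key (so it pairs with the wallet's private key) and stay valid for <min-days>.
check_cert() {  # usage: check_cert <crt> <csr> <min-days>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl req -in "$2" -noout -pubkey)" ] ||
    { echo "certificate does not match the CSR" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null ||
    { echo "certificate expires within $3 days" >&2; return 2; }
}

# Constructed sample input: a throwaway key, CSR and self-signed certificates
# standing in for the OWM export and the CA's reply.
make_samples() {  # usage: make_samples <dir>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=xyz.com" \
    -keyout "$1/key.pem" -out "$1/xyz.com.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/xyz.com.csr" -signkey "$1/key.pem" -days 365 \
    -out "$1/xyz.com.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/xyz.com.csr" -signkey "$1/key.pem" -days 10 \
    -out "$1/short.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_samples "$demo" &&
  check_csr "$demo/xyz.com.csr" xyz.com &&
  check_cert "$demo/xyz.com.crt" "$demo/xyz.com.csr" 30 &&
  echo "CSR and certificate pass the checks"
rm -rf "$demo"
```

With real files, run check_csr on the request exported from OWM and check_cert on the .crt file received from the certificate authority; check_cert returns 1 for a key mismatch and 2 for a certificate that expires within the given number of days.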
