Oracle Communities

Oracle Analytics and AI

Child Item

Updating SSL certificates in Java Keystores

Hello,

It is that time of year for us to renew our expiring SSL certificates used in Weblogic for our Oracle Analytics Server environment.

We have 2 keystores (identity and trust) plus 2 other keystores where certs are added. Each keystore hosts a full chain of certs: base, root, interm1, and interm2.

What approach do people typically use to update the certs? Do you simply remove and replace the aliases? Or do you create new csr's entirely for your keystores and import certs that way? Or, something else?

Regards,

Chad

Find more posts tagged with

Weblogic

SSL

Oracle Analytics Server

Accepted answers

Gianni Ceresa

Yes, to be "offline" and not mess around with the live system.

Cleaning up the aliases I wouldn't bother much to be fair… If you don't need to renew your certificates every few months, you just get a new alias every year, or maybe every 2 years. The keystore will not really notice a difference if it contains 1 alias or 10.

That's why I don't think you should try to over optimise the process. It depends also on the other people around you: I had a number of times when I received wrong certificates from the people supposed to sign my CSR. Or also depending on the formats I receive (sometimes they want my CSR, other times they generate a CSR and it is up to me to import everything in my keystores), making it annoying to import, because requiring to be converted, or Windows vs Linux.

That's why I'm not very affirmative in the method I use, because it depends often on the security team and their expectations for the signing part.

You anyway know exactly how to configure SSL because you did it before already, therefore you can usually correct any potential issue. That's the most important part: be sure you know how to reconfigure everything in case something goes extremely wrong :D

All comments

Gianni Ceresa

Hi,

I usually take the lazy approach of minimum amount of changes. Replacing certificates by keeping the alias, so I don't need to change anything in the OAS config itself.

Overall, as you already know how you configured SSL, you can also add your new certificates with a new alias, in that way you can first work freely on your certificates, and when your keystore are ready, you can go back in the various config to point to the new alias.

It isn't much different at the end of the day.

Chad Williams

Okay, it sounds like you are making copies of your keystores before import new certs with new aliases?

Then you just swap in the new updated keystores and clean up the aliases when you are ready?

To this point, I usually just end up starting over with brand new keystores + csr's then swap them in when I'm ready. Seems to be less fuss that way.

Gianni Ceresa

Yes, to be "offline" and not mess around with the live system.

That's why I'm not very affirmative in the method I use, because it depends often on the security team and their expectations for the signing part.

Chad Williams

Yea, I tried "cleaning up" the aliases just now, and when I get to the end, I attempt to validate the certificate chain and it says no certificates found - which is pretty annoying. I'll try it with just leaving new aliases with the old ones and see how that goes.

Possibly a move to OAC in the future so hopefully this isn't forever, but SSL certs now expire every 199 days instead of 365.