3 Replies Latest reply on Sep 3, 2014 3:09 PM by Ankit Kumar

    Sign domain.p12 on Admin Node Manager with Customer CA/subCA

    WLS_usr

      Hi,

We are running OAG 11.1.2.2 on Oracle Enterprise Linux and want to sign (using the managedomain [option # 24] utility) domain.p12 with our CA/subCA in PKCS12 format. I am currently running into challenges and am unable to do it. I was wondering if any of you might have done this and would appreciate it if you could give the steps (especially around how you created the PKCS12 format file that can be used to sign domain.p12)?


      Regards,

      WLS_usr

        • 1. Re: Sign domain.p12 on Admin Node Manager with Customer CA/subCA
          Ankit Kumar

          From option 24:


          Select option for certificate management for internal SSL communications:

              1) Use system generated CA key and certificate to sign all SSL certificates

              2) Use user provided CA key and certificate to sign all SSL certificates

              3) All SSL certificates must be signed by an external CA


          Select 3; this will generate CSRs (certificate signing requests) for all certs used by the gateway - node manager and server instances. Once the CSRs have been generated, you can submit them to your CA for signing.

          After you receive the signed certificates from the CA, you can import them back into the gateway using option 26 of the managedomain utility.


          -Ankit

          • 2. Re: Sign domain.p12 on Admin Node Manager with Customer CA/subCA
            WLS_usr

            Thanks Ankit for the reply. Just to reiterate, we are using OAG 11.1.2.2, and the managedomain utility in this version doesn't have option 26. I was also reading the OAG document; it says that "domain certificate cannot be replaced with customer certificate (which probably means server certificate), but it can be signed with CA/SubCA certificate". However, a PKCS12 store (which is a requirement for OAG) needs a server certificate, otherwise it won't take the CA certificate in. We are in a sort of unique scenario where OAG only needs a PKCS12 with the CA, but the PKCS12 needs a server certificate (to add the CA cert to its store).


            Regards,

            • 3. Re: Sign domain.p12 on Admin Node Manager with Customer CA/subCA
              Ankit Kumar

              I am not sure about "PKCS12 needs server certificate (to add CA cert in its store)". PKCS12 is just a certificate export format; this format has both the public and private key in the same file. For 11.2.2.2 can you try the following steps:


              1. Generate the CSR for domain certificate.
              2. Submit the CSR to your CA for signing.
              3. Export the private key of domain certificate.
              4. Once you have the signed cert from CA, import public key via Policy Studio. Import the exported private key as well here.
              5. Export "Certificate + Key" from Policy Studio. This will generate a file in PKCS12 format.
              6. Import the signed PKCS12 file back as domain certificate.


              I do not have the 11.1.2.2 version installed so I cannot try these, but please let me know if you encounter any issues.


              -Thanks,

              Ankit Kumar
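The six steps in the reply above, walked through with plain openssl as an added example (this is not code from the thread, from OAG, or from Policy Studio; it stands in for the Policy Studio import/export with the equivalent openssl commands). A throwaway root CA and subCA are constructed in place of the customer's CA/subCA, and the domain key is generated next to its CSR rather than exported from the gateway. All subject names, file paths and the password are assumptions for the demo. The point it demonstrates is the one made in the reply: a PKCS12 is only a container for the private key, the CA-signed certificate and, optionally, the issuing chain, so once the CA has signed the CSR nothing else is needed to build it.

```shell
#!/bin/sh
# Added example: sign a domain certificate with a customer CA/subCA and bundle
# the result as PKCS12, then check what the container holds. Constructed demo
# CA, names, paths and password; not the gateway's own tooling.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # demo password (constructed); use a real one in practice

# Stand-in for the customer's CA/subCA: a self-signed root plus a subCA whose
# certificate carries CA:TRUE, otherwise openssl will not accept it as an issuer.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/subca.ext"
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/subca.ext" -out "$WORK/sub.crt" >/dev/null 2>&1
}

# Steps 1-3: private key + CSR for the domain certificate (the key is what the
# gateway would export), then the subCA signs the CSR (step 2, done locally here).
make_domain_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=oag-domain.example" \
        -keyout "$WORK/domain.key" -out "$WORK/domain.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/domain.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 30 -out "$WORK/domain.crt" >/dev/null 2>&1
}

# Steps 4-6: verify the signed cert chains to the root through the subCA, then
# put key + cert + chain into one PKCS12. Prints the path of the .p12 produced.
build_domain_p12() {
    make_demo_ca
    make_domain_cert
    cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
        "$WORK/domain.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/domain.key" -in "$WORK/domain.crt" \
        -certfile "$WORK/chain.pem" -name "domain" \
        -passout "pass:$P12_PASS" -out "$WORK/domain.p12" 2>/dev/null
    echo "$WORK/domain.p12"
}

# Inspection helper: number of certificates inside the container (leaf + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Inspection helper: does the leaf extracted from the container still verify
# against the root, using the chain that was bundled alongside it?
p12_chain_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
        > "$WORK/leaf_from_p12.pem"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
        "$WORK/leaf_from_p12.pem" >/dev/null 2>&1
}

# Usage:
#   P12=$(build_domain_p12); p12_cert_count "$P12"; p12_chain_ok "$P12" && echo chain ok
```

Two things worth checking before importing such a file back as the domain certificate: that `openssl verify` succeeds with the real root rather than the demo one, and that the container actually carries the subCA (here the count is three: leaf, subCA, root), since a PKCS12 holding only the leaf will fail chain validation on every peer that does not already trust the subCA.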