
So I have got a WebLogic-based system which uses a 2048-bit key based certificate from GlobalSign. The certificate is close to expiring, so I got a new certificate from the same vendor (all text, which is what I can encode into CER format).

Problem is that this time they have not given me any private passphrase. I took it up with their customer support and they are saying that their process changed and I should be able to get it generated from their certificate and CSR I sent them.

I do not know how to. They calmly referred me to customer support of the WebLogic vendor (i.e. Oracle) and bailed out. Past interactions with Oracle customer support have created more problems than they solved.

Any help would be appreciated. Also I tried these links, did not help:

PKI Certificate Authority private a keys and certificates

Get RSA private key and certificate from GlobalSign certificate

2 Answers

First, certificates consist entirely of public information and do not have passphrases. It's "private keys" which may have one.

Second, the CA does not have your private key nor its passphrase – both were generated on your system, because they were used to make the CSR that you submitted. So if you used WebLogic to generate the CSR, that likely means it already has the private key stored and is just waiting for the certificate to be imported alongside it (at least that's how it works in most other programs).

If you used Java keytool to generate the CSR, then the private key is stored in the Java keystore file (if you did not specify a custom path, it'll be at ~/.keystore). To extract keys from Java keystore into a PEM format:

  1. Use keytool -list to make sure it shows your key and to check the keystore format. If it's PKCS12, skip to step 3.

  2. If you have a JKS format keystore, convert it to PKCS12 format using:

    # JKS -> PKCS12; without -srcstorepass/-deststorepass keytool prompts for both store passwords
    keytool -importkeystore -srckeystore <old_path> -destkeystore <new_path> -deststoretype PKCS12

  3. Once you have a PKCS12 keystore, use openssl to export its contents to PEM format files:

    # -nodes writes the private key unencrypted to <new_path>; protect or delete that file after use
    openssl pkcs12 -in <old_path> -out <new_path> -nodes


The Certificate Signing Request is very similar to a self-signed cert; it acts as proof that you have the key, but the key itself never leaves your system. The CA just transforms your provided CSR into a real certificate and returns it. At all stages, the certificate or CSR consists entirely of public information and is never passphrase-protected.

As far as I know, WebPKI CAs (such as GlobalSign) are actually forbidden by CA/B Forum rules from generating private keys for a customer and are required to revoke certificates if the private key is "leaked".
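To make the answer's point concrete, here is an added end-to-end example (not part of the original answer, and not GlobalSign's or Oracle's procedure): it generates a key and CSR locally, lets a throwaway "CA" sign the CSR, shows that the CSR and certificate carry only the public key, and matches the returned certificate to the local key by comparing public-key digests. When `keytool` is on PATH it also repeats the flow inside a JKS keystore and runs the answer's steps 1 to 3 (list, convert to PKCS12, export PEM with openssl). The working directory, subject names, aliases and the `changeit` password are constructed placeholders.

```shell
#!/bin/sh
# Added example: CSR/certificate flow plus the keystore export from the answer.
# A throwaway CA stands in for the real one; all names/passwords are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # placeholder keystore password

# SHA-256 of the SubjectPublicKeyInfo carried by a key, CSR or certificate.
# Identical digests mean the objects belong to the same key pair.
pub_digest() {                       # $1 = pkey|req|x509, $2 = file
  { case "$1" in
      pkey) openssl pkey -in "$2" -pubout ;;
      req)  openssl req  -in "$2" -pubkey -noout ;;
      x509) openssl x509 -in "$2" -pubkey -noout ;;
    esac; } | openssl dgst -sha256 | awk '{print $NF}'
}

# A CSR or certificate is public information: no private key block inside.
is_public_only() { ! grep -q "PRIVATE KEY" "$1"; }

# Does this certificate belong to this private key?
cert_matches_key() { [ "$(pub_digest x509 "$1")" = "$(pub_digest pkey "$2")" ]; }

# Step A: the key and the CSR are generated locally; the key never leaves $WORK.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=weblogic.example.test" -out "$WORK/server.csr"
}

# Step B: the CA sees only the CSR and returns a certificate signed with its own key.
toy_ca_sign() {               # $1 = csr, $2 = output cert
  [ -f "$WORK/ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.crt" -subj "/CN=Toy CA" -days 30 2>/dev/null
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# Step C: the same flow when keytool made the CSR, followed by the answer's steps 1-3.
keystore_roundtrip() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping keystore steps"; return 0; }
  KS="$WORK/server.jks"
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname "CN=weblogic.example.test" \
      -keystore "$KS" -storetype JKS -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  keytool -certreq -alias server -keystore "$KS" -storepass "$PASS" -file "$WORK/ks.csr" >/dev/null 2>&1
  toy_ca_sign "$WORK/ks.csr" "$WORK/ks.crt"
  # Import the issuer first, then the reply; the reply attaches to the existing key entry.
  keytool -importcert -alias toyca -file "$WORK/ca.crt" -keystore "$KS" -storepass "$PASS" -noprompt >/dev/null 2>&1
  keytool -importcert -alias server -file "$WORK/ks.crt" -keystore "$KS" -storepass "$PASS" -noprompt >/dev/null 2>&1
  # Step 1: confirm the key entry is there.
  keytool -list -keystore "$KS" -storepass "$PASS" 2>/dev/null | grep -q "PrivateKeyEntry"
  # Step 2: JKS -> PKCS12.
  keytool -importkeystore -srckeystore "$KS" -srcstorepass "$PASS" \
      -destkeystore "$WORK/server.p12" -deststoretype PKCS12 -deststorepass "$PASS" >/dev/null 2>&1
  # Step 3: PKCS12 -> PEM. -nodes leaves the key unencrypted in server.pem.
  # Older JDK PKCS12 defaults (RC2/3DES) need OpenSSL 3's legacy provider, hence the fallback.
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$PASS" -nodes -out "$WORK/server.pem" 2>/dev/null \
    || openssl pkcs12 -legacy -in "$WORK/server.p12" -passin "pass:$PASS" -nodes -out "$WORK/server.pem"
  cert_matches_key "$WORK/ks.crt" "$WORK/server.pem" && echo "exported PEM key matches ks.crt"
}

make_key_and_csr
toy_ca_sign "$WORK/server.csr" "$WORK/server.crt"
is_public_only "$WORK/server.csr" && echo "CSR carries no private key"
cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "server.crt matches server.key"
keystore_roundtrip || echo "keystore steps failed; see errors above"
```

The digest comparison is the check to run when you are unsure which local keystore or key file a returned certificate belongs to: list the candidates, compute `pub_digest` for each, and pick the one equal to the certificate's digest. If none match, the key used for the CSR is not in any of those files, and no certificate or CSR will let you recreate it.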

  • I see. Thank you for the information. I used Java keytool to generate the CSR. The private key is what I want; passphrase is the wrong term that got stuck in my head because I did a bunch of stuff with the Java keystore a couple of days back to see if I could manipulate keytool to generate the key. Bottom line is, I have a CSR and a certificate. How do I generate a private key out of this (using openssl or keytool)?
    – Sid
    Commented Jun 18, 2019 at 18:18
  • You don't generate a private key out of a certificate; you use the previously generated one already in the Java keystore that you specified while making the CSR. Usually just importing the cert into the same keystore is all that's needed to link the two. (Is the keystore in JKS or PKCS12 format?)
    Commented Jun 18, 2019 at 19:08
  • Thanks again. But one of the WebLogic configuration screens requires me to type the private key into a configuration field. I need that in plain text. To be more specific, I will need to export it out. I was not aware of GlobalSign's no-private-key policy when I generated the CSR, otherwise I would have generated the key (my primary area of expertise is in BI and middleware, I am not a security professional, please pardon my stupid questions).
    – Sid
    Commented Jun 18, 2019 at 19:18
  • It's not a matter of policy. It's how CSRs always work. It doesn't matter if you use keytool or openssl or certutil or what, it always works the same way: the key is generated on your computer, stored on your computer, and used to make the CSR. The only difference is what file format the key gets stored in. (So the question is, what format does WebLogic need – traditional PEM, I'm guessing?)
    Commented Jun 18, 2019 at 19:21
  • Here is a small screenshot of the WebLogic configuration that requires the server's private key: pasteboard.co/Ik1ZCJ1.png. WebLogic requires a Java keystore (JKS files). Even if I export the server private key via Java keytool, I do not know if the text within the server private key is the actual text I need to use in the configuration.
    – Sid
    Commented Jun 18, 2019 at 20:13

Thanks for all your help. I was getting confused unnecessarily. The SSL vendor previously provided a Java PKCS file with a password. I got confused between password, passphrase and keystore passphrase. This time we got a CSR only, so that was the confusion.
