Technical data

SSL Certificate Validation
Administration Guide 14-73
In previous releases, WebLogic Server did not ensure that each certificate in a certificate
chain was issued by a certificate authority. As a result, anyone could get a
personal certificate from a trusted CA and use that certificate to issue other certificates, and
WebLogic Server would not detect the invalid certificates. A patch
(CR090101_610sp4) was made so that all X509 V3 CA certificates used with
WebLogic Server must have the Basic Constraint extension defined as CA, thus
ensuring that all certificates in a certificate chain were issued by a certificate authority. By
default, any CA certificates not meeting this criterion are rejected. This section provides
installation instructions for the patch and describes the command-line argument that
controls the level of certificate validation.
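The check described above can be reproduced with the standard Java certificate API. The following is an added example, not code from WebLogic Server or the patch: the class name CaConstraintCheck, the leaf-first chain order and the optional PEM file argument are assumptions, the path length test goes beyond what this page states, and signatures and validity dates are not verified.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class CaConstraintCheck {
    // Returns null when cert may act as an issuer with `below` CA certificates
    // between it and the end-entity certificate, otherwise the reason it may not.
    static String issuerProblem(X509Certificate cert, int below) {
        if (cert.getVersion() != 3) return "not X.509 v3, so it cannot carry Basic Constraints";
        int pathLen = cert.getBasicConstraints(); // -1: extension absent or not marked CA
        if (pathLen == -1) return "Basic Constraints absent or not marked CA";
        if (pathLen < below) return "path length constraint " + pathLen + " exceeded";
        return null;
    }

    // chain.get(0) is the end-entity certificate; each later entry issued the one before it.
    static List<String> checkChain(List<X509Certificate> chain) {
        List<String> findings = new ArrayList<>();
        for (int i = 1; i < chain.size(); i++) {
            String why = issuerProblem(chain.get(i), i - 1);
            if (why != null) findings.add(chain.get(i).getSubjectX500Principal() + ": " + why);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = new ArrayList<>();
        if (args.length == 1) { // assumed input: PEM file holding one chain, leaf first
            List<X509Certificate> chain = new ArrayList<>();
            try (InputStream in = new FileInputStream(args[0])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                    chain.add((X509Certificate) c);
            }
            findings = checkChain(chain);
        } else { // no argument: audit the trust anchors of the running JVM
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            for (TrustManager tm : tmf.getTrustManagers())
                if (tm instanceof X509TrustManager)
                    for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                        String why = issuerProblem(ca, 0);
                        if (why != null) findings.add(ca.getSubjectX500Principal() + ": " + why);
                    }
        }
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " certificate(s) flagged");
    }
}
```

A personal certificate used as an issuer, the case described above, is reported by checkChain because its Basic Constraints extension is absent or not marked CA.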
Installation Instructions
To install patch CR090101_610sp4:
1. Back up the current WebLogic Server installation. If any of the following files were
changed, the changes will be lost when the patch is installed onto the current
WebLogic Server installation:
%WL_HOME%\common\nodemanager\config\democert.pem
%WL_HOME%\common\nodemanager\config\demokey.pem
%WL_HOME%\samples\server\config\examples\demo.crt
%WL_HOME%\samples\server\config\examples\democert.pem
%WL_HOME%\samples\server\config\examples\demokey.pem
%WL_HOME%\samples\server\examples\trusted.crt
%WL_HOME%\samples\server\config\petstore\demo.crt
%WL_HOME%\samples\server\config\petstore\democert.pem
%WL_HOME%\samples\server\config\petstore\demokey.pem
%WL_HOME%\samples\server\config\petstore\trusted.crt