In this step-by-step guide, you will learn how to install an SSL certificate on Oracle servers and applications. The instructions cover the three most common Oracle platforms, plus SSL buying recommendations at the end.
- Oracle Wallet Manager
- Oracle iPlanet Web Server
- Oracle WebLogic Server
Generate a CSR code on Oracle Servers
Every SSL certificate starts with a CSR (Certificate Signing Request) and its matching private key. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Oracle Servers.
Open your .csr file with any text editor (for example, Notepad) and copy its entire contents (including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines) when ordering your SSL certificate. After the Certificate Authority validates your request and issues the certificate, continue with the installation steps for your platform below.
Install an SSL certificate on Oracle Wallet Manager
Step 1: Prepare your files
Download and extract the certificate files from the ZIP archive your Certificate Authority sent you. You should have these files (typically with a .crt extension):
- Root CA certificate
- Intermediate certificate
- Your primary (domain) certificate
Step 2: Import your certificates
Import the certificates in order (root first, then intermediate, then your primary certificate) so Wallet Manager can build the trust chain correctly:
- Open Oracle Wallet Manager, click Wallet, then Open, and select your wallet.
- Choose Operations > Import Trusted Certificate.
- Import your Root CA certificate from the folder where it resides, then click OK.
- Repeat for your Intermediate certificate: go to Operations > Import Trusted Certificate, upload the file, and click OK.
- Finally, go to Operations > Import User Certificate and import your primary SSL certificate. Click OK.
Note: the root and intermediate certificates are trusted certificates, but your primary certificate is a user certificate: it is paired with the private key already stored in the wallet, so import it through Import User Certificate. Once imported, the certificate node in the navigation menu changes from Certificate: [Requested] to Certificate: [Ready]. Save the wallet, and enable Auto Login if your service needs to open the wallet without a password.
Congratulations. You have successfully installed an SSL certificate on Oracle Wallet Manager. Test your installation for potential errors and vulnerabilities.
Install an SSL certificate on Oracle iPlanet Web Server
Once the Certificate Authority emails you the certificate files, you can install the certificate on Oracle iPlanet (formerly Sun Java System Web Server):
- In the Oracle iPlanet admin console, open the Server Certificates tab, then click Install.
- From the Configuration list, select the configuration you want to install the certificate for.
- Select the Token (Cryptographic Device) that holds the keys. If the key is stored on the server, choose Internal; otherwise choose your external token from the drop-down. Enter the password for the selected token.
- Paste your SSL certificate into the corresponding box. Copy the entire certificate, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines. Alternatively, click Browse and import the certificate file directly.
- Enter a nickname for the certificate: your website name, or any label you prefer.
- From the list of available listeners, select the HTTP Listener that should handle secure requests, and finish the wizard.
Note: if iPlanet does not already trust your CA, install the root and intermediate certificates under Certificate Authorities before (or right after) installing the server certificate, so the full chain is served to clients.
Congratulations. You have successfully added an SSL certificate to your Oracle iPlanet Web Server.
Install an SSL certificate on Oracle WebLogic Server
Oracle WebLogic Server uses Java keystores. You will work with two of them: a trust keystore that holds the CA certificates (root and intermediate), and an identity keystore that holds your private key together with the signed server certificate. The private key already lives in the keystore you created when you generated the CSR, so the signed certificate must be imported back into that same keystore, under that same alias.
Step 1: Import the CA certificates into the trust keystore
Import the root and then the intermediate certificate as trusted entries. The -trustcacerts flag tells keytool these are CA certificates:
keytool -import -trustcacerts -alias rootca \
-file RootCA.crt -keystore trust.jks
keytool -import -trustcacerts -alias intermediateca \
-file IntermediateCA.crt -keystore trust.jks
Replace trust.jks with your trust keystore file (or use the same keystore as your identity store if you prefer a single file). keytool will prompt for the keystore password.
Step 2: Import the signed certificate into the identity keystore
Import your issued server certificate back into the keystore that holds the private key, using the same alias you chose when you generated the CSR. This step completes the key entry; it does not create a new one:
keytool -import -trustcacerts -alias your_alias \
-file yourdomain.crt -keystore identity.jks
Important: the alias your_alias must match the private-key alias already in identity.jks; otherwise keytool imports the file as a standalone trusted certificate and your server will have no usable key pair. For keytool to assemble the chain, the root and intermediate from Step 1 must be reachable (in this keystore or in the JDK’s default trust store, cacerts). If you prefer to import the whole chain in one file, the certificates must be ordered your certificate first, then intermediate, then root.
You should see Certificate reply was installed in keystore. Verify the entry now contains a full chain:
keytool -list -v -alias your_alias -keystore identity.jks
The entry type should read PrivateKeyEntry with a certificate chain length of 3 (server, intermediate, root).
Step 3: Configure WebLogic to use the keystores
- Log in to the WebLogic admin console. Under Domain Structure, expand Environment, then Servers.
- In Change Center, click Lock & Edit.
- Select the server you want to configure, open the Configuration tab, then the Keystores sub-tab.
- For Keystores, choose Custom Identity and Custom Trust.
- Enter the fully qualified path to your identity keystore and trust keystore, set the type to JKS, and enter each keystore passphrase. Click Save.
- Open the SSL tab. Under Configuration, set the Private Key Alias and Private Key Passphrase to the alias and password from your identity keystore. Click Save.
- On the General tab, tick SSL Listen Port Enabled and set the port (default 7002). Click Save.
- In Change Center, click Activate Changes, then restart the server.
Congratulations. You have successfully installed an SSL certificate on Oracle WebLogic Server.
Test your SSL installation
After installing the certificate on your Oracle server or application, it is essential to check the configuration for errors or vulnerabilities. Our SSL checker give you instant scans and reports on your certificate, including chain order, expiry, and protocol support.
You can also confirm the certificate WebLogic (or any HTTPS listener) is serving from the command line. Replace the host and port with yours:
echo | openssl s_client -connect yourdomain.com:7002 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
This prints the issuer and validity dates of the live certificate, which is the quickest way to confirm the right certificate and chain are in place.
Where to buy the best SSL certificate for Oracle Servers?
SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with Oracle servers.
To help you choose, we built a couple of handy tools. Our SSL Wizard recommends the best certificate for your project.
Frequently Asked Questions
It depends on the product. Oracle Wallet Manager and Oracle iPlanet accept the .crt/.cer (PEM or DER) files your CA provides. Oracle WebLogic uses a Java keystore (JKS or PKCS12): you import the CA certificates and the signed server certificate into the keystore with keytool.
Always import from the top of the chain down: root first, then the intermediate, then your domain certificate. This lets the wallet or keystore link each certificate to its issuer. In WebLogic, the root and intermediate go into the trust keystore and the signed server certificate goes into the identity keystore under the private-key alias.
The private key was created under a specific alias when you generated the CSR. Importing the signed certificate into that same alias completes the key pair (a PrivateKeyEntry with a full chain). If you import it under a new alias, keytool stores it as a standalone trusted certificate with no private key, and SSL will not start.
For a keystore, run keytool -list -v -alias your_alias -keystore identity.jks and confirm the entry is a PrivateKeyEntry with a chain length of 3. For a live listener, connect with OpenSSL (openssl s_client -connect yourdomain.com:7002) or use our SSL tools to verify the chain, expiry, and protocols from the outside.
Yes. The Wallet Manager, iPlanet, and WebLogic workflows above are stable across the supported Oracle releases. On WebLogic, both JKS and PKCS12 keystores are supported; PKCS12 is the more modern, portable format if you are choosing fresh.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


