Skip to Main Content

Enterprise Manager


For appeals, questions and feedback, please email

Replace Demo CA Certs with Third Party

Ray KellySep 29 2023 — edited Sep 29 2023

Using HTTP Server

I configured SSL using JKS keystores and third-party trust. Nodemanager, AdminServer, ohs_server1 all work fine using ssl.

I'm having trouble creating an OHS instance. The message I keep getting is “Failed to export the keystore ohs1_default in stripe OHS. Reason Could not form complete chain..”

I read the following in this doc -

For each demo certificate in the domain that needs to be replaced with a third-party CA signed certificate, do the following:

  1. Generate a CSR using the alias of the certificate that needs to be replaced. Note that the alias must be of type "Certificate", and not "TrustedCertificate".
  2. Submit the new CSR to a third-party Certificate Authority (CA). The CA will sign the public key in the CSR and return a CA signed certificate and its own certificate.
    Some CAs return a certificate chain containing both the CA signed certificate and its own certificate, instead of two separate certificates.
  3. Import the CA signed certificate (or the certificate chain) using the alias of the certificate that is being replaced.
  4. If the CA has provided its own certificate separately, import that CA certificate as a trusted certificate in the trust store used by the product or application. By default, most applications use the domain trust store kss://system/trust for trust.

Do I still need to generate a CSR, even though I already have the server certs, and all the trust certs in the chain?

Where is ohs_createInstance command looking for a complete chain of certs? I created a wallet with everything in it, but I am not sure if it's in the correct location for this command to use.

I validated the chain using ValidateCertChain.

Unfortunately, the oracle documentation is not very helpful.

Any help would be appreciated.

Post Details
Added on Sep 29 2023