Using HTTP Server 12.2.1.4.
I configured SSL using JKS keystores and third-party trust. Nodemanager, AdminServer, ohs_server1 all work fine using ssl.
I'm having trouble creating an OHS instance. The message I keep getting is “Failed to export the keystore ohs1_default in stripe OHS. Reason java.io.IOException: Could not form complete chain..”
I read the following in this doc - https://docs.oracle.com/middleware/12213/opss/JISEC/kssadm.htm#JISEC10628:
For each demo certificate in the domain that needs to be replaced with a third-party CA signed certificate, do the following:
- Generate a CSR using the alias of the certificate that needs to be replaced. Note that the alias must be of type "Certificate", and not "TrustedCertificate".
- Submit the new CSR to a third-party Certificate Authority (CA). The CA will sign the public key in the CSR and return a CA signed certificate and its own certificate.
Some CAs return a certificate chain containing both the CA signed certificate and its own certificate, instead of two separate certificates.
- Import the CA signed certificate (or the certificate chain) using the alias of the certificate that is being replaced.
- If the CA has provided its own certificate separately, import that CA certificate as a trusted certificate in the trust store used by the product or application. By default, most applications use the domain trust store
kss://system/trust for trust.
Do I still need to generate a CSR, even though I already have the server certs, and all the trust certs in the chain?
Where is ohs_createInstance command looking for a complete chain of certs? I created a wallet with everything in it, but I am not sure if it's in the correct location for this command to use.
I validated the chain using ValidateCertChain.
Unfortunately, the oracle documentation is not very helpful.
Any help would be appreciated.