Saturday, June 30, 2018

Wildcard SSL Certificates (CN/SAN)

We had a need to enable SSL on all our non-production PeopleSoft environments, so we decided to create one SSL certificate that would be valid for all of those environments.

Following are the details of this exercise.
I am running PT 8.56.xx on HCM 9.2 and WebLogic 12c on a Windows 2016 VM, but this should work for any release.

So in my case I have two webservers (web1.mycompany.com and web2.mycompany.com) in my non-production PeopleSoft landscape, and I wish to use the same certificate on both webservers.

PeopleSoft delivers a wrapper called pskeymanager.cmd (or pskeymanager.sh) which essentially runs the Java keytool command to create a Java keystore.

When you use the wrapper to generate a new keystore or a new certificate request, it prompts for the CN (common name) value, which is generally the VM name, so in my case it would be web1.mycompany.com or web2.mycompany.com. If I generate it as web1.mycompany.com then I won't be able to use this certificate on web2, and vice versa. So the plan is to provide *.mycompany.com as the CN value, which is essentially a wildcard, so that any webserver in mycompany.com can use this SSL certificate.

When we do this there is another attribute, the SAN (Subject Alternative Name), that needs to be populated. In my experience I noticed that a browser like Chrome uses this to verify the validity of the certificate but a browser like IE doesn't use it.

The vanilla pskeymanager.cmd doesn't set the SAN extension, so we have to customize the script as follows.

Search for the string :gencsr; a few lines below it is the keytool command that generates the CSR (Certificate Signing Request). At the end of that command add

-ext san=dns:web1.mycompany.com,dns:web2.mycompany.com

or

-ext san=dns:*.mycompany.com

Now use the pskeymanager.cmd command to create a new keystore and generate the CSR. Then provide the CSR to your CA (Certificate Authority) for signing, and once you receive the signed certificate verify that the SAN value is populated.

Load this into WebLogic and test. Now you can use the same SSL certificate on all the webservers in the mycompany.com domain.
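As an added example (not from the original post, and not PeopleSoft or keytool code), the following Python implements the hostname check a browser performs against a certificate's SAN list, showing why a wildcard CN alone is not enough for a SAN-only validator such as Chrome while a CN fallback still accepts it. The certificate values are constructed dicts in the layout Python's ssl.SSLSocket.getpeercert() returns, and the matching rules are the usual RFC 6125 wildcard rules, not anything PeopleSoft-specific.

```python
# Added example: a SAN-first hostname check in the spirit of RFC 6125 / modern browsers.
# Certificates are constructed dicts in the layout ssl.SSLSocket.getpeercert() returns.

def san_dns_names(cert):
    """DNS entries from the subjectAltName extension (empty list if none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """The subject commonName, or None if absent."""
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return value
    return None

def dns_name_matches(pattern, hostname):
    """A lone leading '*' label matches exactly one label: *.mycompany.com
    covers web1.mycompany.com but not mycompany.com or a.web1.mycompany.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def hostname_accepted(cert, hostname, san_only=True):
    """san_only=True mimics Chrome-style validators that ignore the CN entirely;
    san_only=False mimics legacy clients that fall back to the CN when no SAN exists."""
    sans = san_dns_names(cert)
    if sans:
        return any(dns_name_matches(name, hostname) for name in sans)
    if san_only:
        return False
    cn = common_name(cert)
    return cn is not None and dns_name_matches(cn, hostname)

# Constructed samples: the CN-only certificate the vanilla script would request,
# and the one produced after adding -ext san=dns:*.mycompany.com to the CSR.
CERT_CN_ONLY = {"subject": ((("commonName", "*.mycompany.com"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "*.mycompany.com"),),),
                 "subjectAltName": (("DNS", "*.mycompany.com"),)}

if __name__ == "__main__":
    for host in ("web1.mycompany.com", "mycompany.com", "a.web1.mycompany.com"):
        print(host, "CN-only/Chrome:", hostname_accepted(CERT_CN_ONLY, host),
              "CN-only/legacy:", hostname_accepted(CERT_CN_ONLY, host, san_only=False),
              "with SAN:", hostname_accepted(CERT_WITH_SAN, host))
```

To inspect the real certificate returned by the CA, keytool -printcert -file <certificate file> lists the SubjectAlternativeName extension so you can confirm the wildcard DNS entry is present before loading it into WebLogic.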