All Products
Search
Document Center

Certificate Management Service:Install an SSL certificate on a WebLogic server (Windows)

Last Updated:May 27, 2026

Deploy an SSL certificate on a Windows-based WebLogic Server to enable HTTPS encrypted communication, and verify the deployment.

Requirements

Before you begin, make sure that the following requirements are met:

  • Certificate Status: You have an SSL certificate issued by a trusted certificate authority (CA). If your certificate is expiring or has expired, you must renew it first.

  • Domain Name Matching: Ensure the certificate covers all domain names you want to protect. If you need to add or change a domain name, you can purchase a paid certificate or add and replace domain names.

    • Exact domain name: An exact domain name certificate applies only to the specified domain name.

      • A certificate for example.com applies only to example.com.

      • A certificate for www.example.com applies only to www.example.com.

    • Wildcard domain name: A wildcard domain name certificate applies only to first-level subdomains.

      • A certificate for *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

      • A certificate for *.example.com does not apply to the root domain example.com or multi-level subdomains such as a.b.example.com.

    Note

    To match a multi-level subdomain, the Bound Domains field must include the specific domain name (for example, a.b.example.com) or a corresponding wildcard domain name (for example, *.b.example.com).

  • Server permissions: Log on with the Administrator account or an account with administrative privileges.

  • DNS Resolution: The domain name resolves to the server's public IP address.

  • Environment dependencies: This tutorial uses Windows Server 2022 with WebLogic 14c (14.1.2.0). The WebLogic installation directory is C:\wls141200.

    Note

    Steps may vary by operating system or web server version.

Procedure

Step 1: Prepare the SSL certificate

  1. Go to the SSL Certificate Management page. In the Actions column of the target certificate, click More to open the certificate details page. Go to the Download tab and download the certificate whose Server Type is JKS.

  2. The package contains a certificate file (.jks, includes the full certificate chain) and a password file (jks-password.txt).

    Note

    If you generated the CSR with OpenSSL or Keytool, the private key is stored locally and not included in the downloaded package. If you lose the private key, you cannot use the certificate. You must Purchase Certificate and generate a new CSR and private key.

  3. Upload the JKS certificate file (.jks) and password file (jks-password.txt) to a secure directory outside the WebLogic installation path. This tutorial uses D:\cert.

    Note

    The following steps use an Alibaba Cloud ECS instance. For other server types, follow their respective documentation.

    1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.

    2. On the instance details page, click Remote Connection and select Workbench. Log on to access the server desktop.

    3. Open This PC, Computer, or File Explorer from the Start menu.

    4. Under Redirected drives and folders, double-click workbench on ***. Drag the certificate files from your local machine to this directory, and then right-click the folder and select Refresh.

      image

    5. Copy the files to the D:\cert directory.

      Important

      Workbench automatically clears all files from Redirected drives and folders on reconnect or disconnect to save space. This directory is intended for file transfer only. Do not store files here permanently.

    1. Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.

    2. Go to the details page of the target instance. Click Remote connection and select Workbench. Follow the prompts to log on and access the server desktop.

    3. Under Redirected drives and folders, double-click workbench on *. Drag the certificate files from your local computer to this directory, and then right-click the folder and select Refresh.

      image

    4. Copy the files to the D:\cert directory.

Step 2: Configure the system and network environment

  1. Open port 443 in the security group.

    Important

    If your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service is not accessible from the internet. The following operations use an Alibaba Cloud ECS instance as an example. For other cloud platforms, see their official documentation.

    1. Go to the ECS Instances page, select the region where your target ECS instance is located, and click the instance name to go to the details page.

    2. Click Security Groups > Inbound Rules and make sure a rule exists with Action set to Allow, Protocol Type set to TCP, Port Range set to HTTPS(443), and Authorization Object set to Anywhere (0.0.0.0/0).

    3. If such a rule does not exist, add one to the target security group. For more information, see Add a security group rule.

  2. Open port 443 in the server firewall.

    1. Log on to your Windows server, click the Start menu, and then open Control Panel.

    2. Go to System and Security > Windows Defender Firewall > Check firewall status.

    3. If the firewall is turned off as shown in the following figure, no further action is required.image

    4. If the firewall is turned on, follow these steps to allow HTTPS traffic.

      1. In the left-side navigation pane, click Advanced settings > Inbound Rules and check whether an inbound rule exists for which Protocol is TCP, Local Port is 443, and Action is Block.

      2. If such a rule exists, right-click the rule, select Properties, and on the General tab, change the action to Allow the connection. Then, click Apply.

Step 3: Deploy the certificate on WebLogic Server

  1. Log on to the WebLogic Remote Console at http://localhost:7001/rconsole with your administrator credentials.

    • WebLogic Server 14.1.2.0.0 and later require the WebLogic Remote Console. The legacy console is no longer supported.

    • For versions earlier than 14.1.2.0.0, use the legacy console at http://localhost:7001/console. Configuration steps are similar.

    Note

    Access the WebLogic Remote Console using one of the following methods (Get started with the WebLogic Remote Console).

    1. Hosted deployment on a server: The Go to Console is deployed on the WebLogic Server and accessible from a browser.

      1. Local access: Go to http://localhost:7001/rconsole.

      2. Remote access: To access the console remotely, you must open port 7001 on the WebLogic server.

    2. Standalone installation: Install the WebLogic Remote Console desktop application and create an administrator connection with a username and password, and then access the console through the application.

  2. Go to Environment > Servers > AdminServer. Enable SSL Listen Port Enabled (②), set Port (③) to 443, and click Save (④) to stage the configuration changes.

    Important

    This tutorial uses AdminServer. Select your actual server name in production.

    image

  3. On the Keystores tab, configure the following settings and click Save (⑦) to stage the configuration changes.

    1. Keystores (③): Select Custom identity and Java Standard Trust.

    2. Custom Identity Keystore (④): Full path to the JKS file, for example D:\cert\example.com.jks.

    3. Custom Identity Keystore Type (⑤): Enter jks.

    4. Keystore Passphrase (⑥): Enter the JKS certificate password from jks-password.txt.

    image

  4. On the SSL tab, configure the following settings and click Save (⑤) to stage the configuration changes.

    1. Alias (③): Enter the alias of the JKS certificate.

      Note
      • For a single-domain certificate, the private key alias is the domain name itself. For example, the alias for example.com is example.com.

      • For a wildcard certificate, the private key alias defaults to the root domain. For example, the alias for *.example.com is example.com.

    2. Private Key Passphrase (④): Enter the JKS certificate password from jks-password.txt.

      Note

      This is typically the same as the Keystore Passphrase, which is the password in jks-password.txt.

    image

  5. Click the image icon in the upper-right corner, click Commit to apply all changes, and restart the server.

    image

Step 4: Verify the deployment

  1. Access your domain name over HTTPS. Example: https://example.com. Replace example.com with your actual domain name.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

    image

    Starting with Chrome 117, the image icon in the address bar has been replaced by a new image icon. Click this icon to view the security lock information.

Note

If the issue persists, see the FAQ section for troubleshooting.

Deploying to production

When you deploy an application in a production environment, follow these best practices to improve security, stability, and maintainability:

  • Run the application as a non-administrator user:

    Create a dedicated, low-privilege system user for the application. Do not run the application by using an account that has administrative permissions.

    Note

    We recommend that you use a gateway-level SSL configuration. This involves deploying the certificate on a reverse proxy, such as an SLB or Nginx instance. The reverse proxy terminates HTTPS traffic and then forwards the decrypted HTTP traffic to the backend application.

  • Externalize credential management:

    Do not hard-code sensitive information, such as passwords, in your code or configuration files. Use environment variables, a vault, or a Key Management Service provided by your cloud provider to inject credentials.

  • Enforce HTTP-to-HTTPS redirection:

    Make sure that all traffic that accesses your website over HTTP is automatically redirected to HTTPS. This helps prevent man-in-the-middle (MITM) attacks.

  • Configure modern TLS protocols:

    In your server configuration, disable obsolete and insecure protocols, such as SSLv3, TLS 1.0, and TLS 1.1. Enable only TLS 1.2 and TLS 1.3.

  • Monitor certificates and automate renewal:

    After the certificate is deployed, we recommend that you enable domain name monitoring. Alibaba Cloud automatically checks the validity period of the certificate and sends reminders before the certificate expires. This helps you renew the certificate in a timely manner to prevent service interruptions. For more information, see Purchase and enable public domain name monitoring.

FAQ

Certificate not working or HTTPS inaccessible

Common causes include:

Update an SSL certificate in WebLogic

Back up the existing certificate files (.jks and .txt). Log on to the SSL Certificate Management console, download the new certificate files, and upload them to the server to overwrite the existing files, keeping the same path and file names. Restart the WebLogic service to apply the new certificate.

Commit errors in the WebLogic console

Check the following configurations:

  1. JKS Path:

    Verify the JKS Path is an absolute path on the server and the WebLogic process has read permissions for the file.

  2. Password:

    Ensure all passwords match jks-password.txt exactly, with no extra spaces or line breaks.