Deploy an SSL certificate on a Windows-based WebLogic Server to enable HTTPS encrypted communication, and verify the deployment.
Requirements
Before you begin, make sure that the following requirements are met:
Certificate Status: You have an SSL certificate issued by a trusted certificate authority (CA). If your certificate is expiring or has expired, you must renew it first.
Domain Name Matching: Ensure the certificate covers all domain names you want to protect. If you need to add or change a domain name, you can purchase a paid certificate or add and replace domain names.
Exact domain name: An exact domain name certificate applies only to the specified domain name.
A certificate for
example.comapplies only toexample.com.A certificate for
www.example.comapplies only towww.example.com.
Wildcard domain name: A wildcard domain name certificate applies only to first-level subdomains.
A certificate for
*.example.comapplies to first-level subdomains such aswww.example.comanda.example.com.A certificate for
*.example.comdoes not apply to the root domainexample.comor multi-level subdomains such asa.b.example.com.
NoteTo match a multi-level subdomain, the Bound Domains field must include the specific domain name (for example,
a.b.example.com) or a corresponding wildcard domain name (for example,*.b.example.com).-
Server permissions: Log on with the
Administratoraccount or an account with administrative privileges. DNS Resolution: The domain name resolves to the server's public IP address.
-
Environment dependencies: This tutorial uses Windows Server 2022 with WebLogic 14c (14.1.2.0). The WebLogic installation directory is
C:\wls141200.NoteSteps may vary by operating system or web server version.
Procedure
Step 1: Prepare the SSL certificate
-
Go to the SSL Certificate Management page. In the Actions column of the target certificate, click More to open the certificate details page. Go to the Download tab and download the certificate whose Server Type is JKS.
-
The package contains a certificate file (
.jks, includes the full certificate chain) and a password file (jks-password.txt).NoteIf you generated the CSR with OpenSSL or Keytool, the private key is stored locally and not included in the downloaded package. If you lose the private key, you cannot use the certificate. You must Purchase Certificate and generate a new CSR and private key.
-
Upload the JKS certificate file (.jks) and password file (jks-password.txt) to a secure directory outside the WebLogic installation path. This tutorial uses D:\cert.
NoteThe following steps use an Alibaba Cloud ECS instance. For other server types, follow their respective documentation.
-
Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.
-
On the instance details page, click Remote Connection and select Workbench. Log on to access the server desktop.
-
Open This PC, Computer, or File Explorer from the Start menu.
-
Under Redirected drives and folders, double-click workbench on ***. Drag the certificate files from your local machine to this directory, and then right-click the folder and select Refresh.

-
Copy the files to the
D:\certdirectory.ImportantWorkbench automatically clears all files from Redirected drives and folders on reconnect or disconnect to save space. This directory is intended for file transfer only. Do not store files here permanently.
-
Go to ECS console - Instances. In the top-left corner, select the region and resource group for the target resource.
-
Go to the details page of the target instance. Click Remote connection and select Workbench. Follow the prompts to log on and access the server desktop.
-
Under Redirected drives and folders, double-click workbench on *. Drag the certificate files from your local computer to this directory, and then right-click the folder and select Refresh.

-
Copy the files to the
D:\certdirectory.
-
Step 2: Configure the system and network environment
-
Open port 443 in the security group.
ImportantIf your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service is not accessible from the internet. The following operations use an Alibaba Cloud ECS instance as an example. For other cloud platforms, see their official documentation.
Go to the ECS Instances page, select the region where your target ECS instance is located, and click the instance name to go to the details page.
Click and make sure a rule exists with Action set to Allow, Protocol Type set to TCP, Port Range set to HTTPS(443), and Authorization Object set to Anywhere (0.0.0.0/0).
If such a rule does not exist, add one to the target security group. For more information, see Add a security group rule.
-
Open port 443 in the server firewall.
Log on to your Windows server, click the Start menu, and then open Control Panel.
Go to .
If the firewall is turned off as shown in the following figure, no further action is required.

If the firewall is turned on, follow these steps to allow HTTPS traffic.
In the left-side navigation pane, click and check whether an inbound rule exists for which Protocol is TCP, Local Port is 443, and Action is Block.
If such a rule exists, right-click the rule, select Properties, and on the General tab, change the action to Allow the connection. Then, click Apply.
Step 3: Deploy the certificate on WebLogic Server
-
Log on to the WebLogic Remote Console at
http://localhost:7001/rconsolewith your administrator credentials.-
WebLogic Server 14.1.2.0.0 and later require the WebLogic Remote Console. The legacy console is no longer supported.
-
For versions earlier than 14.1.2.0.0, use the legacy console at
http://localhost:7001/console. Configuration steps are similar.
NoteAccess the WebLogic Remote Console using one of the following methods (Get started with the WebLogic Remote Console).
-
Hosted deployment on a server: The Go to Console is deployed on the WebLogic Server and accessible from a browser.
-
Local access: Go to
http://localhost:7001/rconsole. -
Remote access: To access the console remotely, you must open port
7001on the WebLogic server.
-
-
Standalone installation: Install the WebLogic Remote Console desktop application and create an administrator connection with a username and password, and then access the console through the application.
-
-
Go to Environment > Servers > AdminServer. Enable SSL Listen Port Enabled (②), set Port (③) to
443, and click Save (④) to stage the configuration changes.ImportantThis tutorial uses AdminServer. Select your actual server name in production.

-
On the Keystores tab, configure the following settings and click Save (⑦) to stage the configuration changes.
-
Keystores (③): Select Custom identity and Java Standard Trust.
-
Custom Identity Keystore (④): Full path to the JKS file, for example
D:\cert\example.com.jks. -
Custom Identity Keystore Type (⑤): Enter
jks. -
Keystore Passphrase (⑥): Enter the JKS certificate password from
jks-password.txt.

-
-
On the SSL tab, configure the following settings and click Save (⑤) to stage the configuration changes.
-
Alias (③): Enter the alias of the JKS certificate.
Note-
For a single-domain certificate, the private key alias is the domain name itself. For example, the alias for
example.comisexample.com. -
For a wildcard certificate, the private key alias defaults to the root domain. For example, the alias for
*.example.comisexample.com.
-
-
Private Key Passphrase (④): Enter the JKS certificate password from
jks-password.txt.NoteThis is typically the same as the Keystore Passphrase, which is the password in
jks-password.txt.

-
-
Click the
icon in the upper-right corner, click Commit to apply all changes, and restart the server.
Step 4: Verify the deployment
Access your domain name over HTTPS. Example:
https://example.com. Replaceexample.comwith your actual domain name.If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

Starting with Chrome 117, the
icon in the address bar has been replaced by a new
icon. Click this icon to view the security lock information.
If the issue persists, see the FAQ section for troubleshooting.
Deploying to production
When you deploy an application in a production environment, follow these best practices to improve security, stability, and maintainability:
Run the application as a non-administrator user:
Create a dedicated, low-privilege system user for the application. Do not run the application by using an account that has administrative permissions.
NoteWe recommend that you use a gateway-level SSL configuration. This involves deploying the certificate on a reverse proxy, such as an SLB or Nginx instance. The reverse proxy terminates HTTPS traffic and then forwards the decrypted HTTP traffic to the backend application.
Externalize credential management:
Do not hard-code sensitive information, such as passwords, in your code or configuration files. Use environment variables, a vault, or a Key Management Service provided by your cloud provider to inject credentials.
Enforce HTTP-to-HTTPS redirection:
Make sure that all traffic that accesses your website over HTTP is automatically redirected to HTTPS. This helps prevent man-in-the-middle (MITM) attacks.
Configure modern TLS protocols:
In your server configuration, disable obsolete and insecure protocols, such as SSLv3, TLS 1.0, and TLS 1.1. Enable only TLS 1.2 and TLS 1.3.
Monitor certificates and automate renewal:
After the certificate is deployed, we recommend that you enable domain name monitoring. Alibaba Cloud automatically checks the validity period of the certificate and sends reminders before the certificate expires. This helps you renew the certificate in a timely manner to prevent service interruptions. For more information, see Purchase and enable public domain name monitoring.
FAQ
Certificate not working or HTTPS inaccessible
Common causes include:
-
Port 443 is not open in the server security group or firewall. Configure the system and network environment.
-
The certificate's Bound Domains does not include the domain name you are accessing. Check Domain Name Matching.
-
WebLogic configuration changes have not been committed. Submit changes to automatically apply all configurations.
-
The certificate file was not replaced correctly, or WebLogic points to the wrong path. Verify the configuration and certificate file are current and valid.
The domain name is integrated with cloud services such as CDN, SLB, or WAF, but the certificate is not installed on the corresponding service. For more information, see Certificate deployment location when traffic passes through multiple cloud services.
The domain name resolves to multiple servers, but the certificate is installed on only some of them. You must install the certificate on each server.
For further troubleshooting, see Troubleshoot certificate deployment issues based on browser errors and SSL certificate deployment troubleshooting guide.
Update an SSL certificate in WebLogic
Back up the existing certificate files (.jks and .txt). Log on to the SSL Certificate Management console, download the new certificate files, and upload them to the server to overwrite the existing files, keeping the same path and file names. Restart the WebLogic service to apply the new certificate.
Commit errors in the WebLogic console
Check the following configurations:
-
JKS Path:
Verify the JKS Path is an absolute path on the server and the WebLogic process has read permissions for the file.
-
Password:
Ensure all passwords match
jks-password.txtexactly, with no extra spaces or line breaks.