Import Certificate in Oracle OPSS Keystore Service(KSS)

OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.

In SOA 12c, OPSS is configured to use the database instead of the file system by default.
Now every time an Expanded, Compact or Integrated Domain is created, the following settings will be seen in the Keystore tab.

The above KSS (Key Store Service) nomenclature indicates that the Keystore is being handled within OPSS rather than the standard Java Keytool. So in order to import a certificate, you have to:

1. Download the certificate which has the entire chain.

2. Log in to Fusion Middleware Control (EM).

3. From the navigation pane, locate the domain i.e "SOA Domain"

4. Navigate to Security, then Keystore. The Keystore page appears.

5. Expand the stripe in which the Keystore resides and  Select the row corresponding to the Keystore. For this case system -> trust
We will use Trustore to place the certificate to call the external SSL partner link.

6. click Manage.

7. If the Keystore is password-protected, you are prompted for a password. Enter the Keystore password and click OK.

8. The Manage Certificates page appears. Click Import.

9. The Import Certificate dialog appears.

10. Select the certificate type, either Certificate or Trusted Certificate, from the drop-down. For this case use "Trusted Certificate"

11. Provide an alias i.e "testTrust"

12. Specify the certificate source. If using the Paste option, copy and paste the certificate directly into the text box. If using the Select a file option, click Browse to select the file from the operating system.

13. Click OK. The imported certificate or trusted certificate appears in the list of certificates.

14. Click OK.

15. Bounce the managed server.

16. Repeat steps 2 - 5 and verify the certificate appears in the list of certificates.


If the application WSDL is certificate authority (CA)-certified, you must update FMW_HOME/user_projects/domains/WLS_SOA/bin/ as follows:


1) Open FMW_HOME/user_projects/domains/WLS_SOA/bin/






Note: In case problem persist, make sure you have removed the DemoTrust.jks. This can be done by modifying the script, removing the following:${WL_HOME}/server/lib/DemoTrust.jks

If you like please follow and comment