Setting Up Oracle Wallet Using OpenSSL
To set up an Oracle Wallet using OpenSSL, package the private key, the certificate and its chain into a PKCS #12 file with the following command:

openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:password

Note: pass:password puts the wallet password on the command line, where other users on the host can read it from the process list and from shell history. OpenSSL also accepts env:VARIABLE and file:pathname for -passin and -passout; use one of these on shared systems.
This table lists the command options:

Option | Definition
---|---
-export | Indicates that a PKCS #12 file is being created.
-chain | Specifies that an attempt is made to include the entire certificate chain of the user certificate. OpenSSL builds the chain from the -CAfile certificates and the command fails if the chain cannot be completed.
-inkey | Specifies the private key file.
-in | Specifies the file that contains the user certificate and any other certificates in the certificate chain. Note: If the private key and the certificate chain are in the same file, the -inkey and -in parameters can specify the same file.
-CAfile | Specifies a file containing trusted certificates.
-out | Specifies the output file name, which must be ewallet.p12 for an Oracle Wallet.
-passin | Specifies the password for the private key file (needed only when the private key file is encrypted; the keys generated later in this topic are not).
-passout | Specifies the password for the newly created wallet.
To create a private CA with a self-signed CA certificate, and the server and workstation wallets signed by it, using OpenSSL, complete the following steps:

Create the server wallet.

1. Create a new directory and change to it:

mkdir wallet.server
cd wallet.server

2. Generate the server private key (4096-bit RSA, written unencrypted, so keep the file readable by the wallet owner only):

openssl genrsa -out server.key 4096

3. Create a certificate signing request for the server key:

openssl req -new -key server.key -out server.csr -subj <subject>

For example:

openssl req -new -key server.key -out server.csr -subj '/C=CN/CN=psft'

4. Generate the CA private key and a self-signed CA certificate (1826 days is about five years):

openssl genrsa -out caCert.key 4096
openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj <subject>

For example:

openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj '/C=US/OU=Class 2 Public Primary Certification Authority/O=VeriSign'

The example subject reuses a well-known public CA's name; for a CA of your own, choose a subject that identifies it as your test CA so that it cannot be confused with a public one.

5. Sign the server certificate request with the CA key, valid for 730 days (two years). The serial number set with -set_serial must be unique for every certificate this CA issues:

openssl x509 -req -days 730 -in server.csr -CA caCert.crt -CAkey caCert.key -set_serial 01 -out server.crt

6. Package the server key, the server certificate and the CA certificate into the wallet:

openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:<password>

For example:

openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:password
Create the Workstation wallet.

1. Create a new directory and change to it:

mkdir wallet.client
cd wallet.client

2. Generate the workstation private key and a certificate signing request for it:

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj '/C=CN/CN=wscpsft'

3. Copy the CA certificate and the CA key from the server wallet directory to the client wallet directory. Use forward slashes in the paths: with a UNIX-style cp the backslash is an escape character, so wallet.server\caCert.crt would not name the file.

cd ..
cp wallet.server/caCert.crt wallet.client
cp wallet.server/caCert.key wallet.client
cd wallet.client

Note: caCert.key is the CA signing key. Copying it into the workstation wallet directory is acceptable for a test CA created on the same host; for a CA you intend to keep, sign the client request in the directory that holds caCert.key and copy only caCert.crt to the client.

4. Sign the workstation certificate request with the CA key. Use a serial number that differs from the server certificate's (01 above), because a CA must never issue two certificates with the same serial number:

openssl x509 -req -days 730 -in client.csr -CA caCert.crt -CAkey caCert.key -set_serial 02 -out client.crt

5. Package the workstation key, the workstation certificate and the CA certificate into the wallet:

openssl pkcs12 -export -out ewallet.p12 -inkey client.key -in client.crt -chain -CAfile caCert.crt -passout pass:<password>

For example:

openssl pkcs12 -export -out ewallet.p12 -inkey client.key -in client.crt -chain -CAfile caCert.crt -passout pass:password
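The whole server-and-workstation procedure above, as an added example that is not code from the PeopleSoft page: a POSIX shell script that builds the private CA and both wallets in a scratch directory and then verifies what it produced. It departs from the page in three deliberate places, all assumptions of this example rather than anything the page prescribes: a private req.cnf supplies explicit X.509v3 extensions (CA:TRUE on the root, serverAuth or clientAuth and a SAN on the leaves) so the result does not depend on the system openssl.cnf; the client certificate gets serial 02 instead of reusing 01; and the CA key stays in the CA directory while only caCert.crt is copied into each wallet directory. The names make_wallets, issue_wallet and wallet_cert_count and the distinguished names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the PeopleSoft page. Runs the server and
# workstation wallet procedure end to end in a scratch directory and checks
# the result. Assumptions of this example: req.cnf supplies explicit X.509v3
# extensions instead of the system openssl.cnf, each leaf gets its own serial,
# the CA key never leaves the CA directory, and the function names and DNs
# are this example's own choices.
set -eu

# make_wallets: build the CA and both wallets; prints the scratch directory on success.
make_wallets() (
    set -eu
    work=$(mktemp -d)
    cd "$work"
    umask 077          # private keys and wallets are created mode 0600

    cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:psft
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

    # Private CA: key plus self-signed certificate (1826 days, as on the page).
    openssl genrsa -out caCert.key 4096 2>/dev/null
    openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt \
        -config req.cnf -extensions v3_ca -subj '/C=US/O=Example/CN=Example Test Root CA'

    # issue_wallet DIR NAME SUBJECT SERIAL EXTSECTION
    # Key, CSR, CA-signed certificate and ewallet.p12 for one endpoint.
    issue_wallet() {
        mkdir "$1"
        openssl genrsa -out "$1/$2.key" 4096 2>/dev/null
        openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -config req.cnf -subj "$3"
        openssl x509 -req -days 730 -in "$1/$2.csr" -CA caCert.crt -CAkey caCert.key \
            -set_serial "$4" -extfile req.cnf -extensions "$5" -out "$1/$2.crt" 2>/dev/null
        cp caCert.crt "$1/"      # trust anchor only; caCert.key stays in the CA directory
        openssl pkcs12 -export -out "$1/ewallet.p12" -inkey "$1/$2.key" -in "$1/$2.crt" \
            -chain -CAfile caCert.crt -passout pass:password
        # Check the chain the wallet carries; exits non-zero if the leaf does not verify.
        openssl verify -CAfile caCert.crt "$1/$2.crt" >/dev/null
    }

    issue_wallet wallet.server server '/C=CN/CN=psft'    01 v3_server
    issue_wallet wallet.client client '/C=CN/CN=wscpsft' 02 v3_client
    echo "$work"
)

# wallet_cert_count FILE PASSWORD: number of certificates stored in a wallet (leaf + chain).
wallet_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: sh make_wallets.sh run
if [ "${1:-}" = "run" ]; then
    dir=$(make_wallets)
    echo "wallets in $dir"
    echo "server wallet certificates: $(wallet_cert_count "$dir/wallet.server/ewallet.p12" password)"
    echo "client wallet certificates: $(wallet_cert_count "$dir/wallet.client/ewallet.p12" password)"
fi
```

Run it with sh make_wallets.sh run; it prints the scratch directory holding wallet.server/ewallet.p12 and wallet.client/ewallet.p12, both with wallet password password, and stops at the first failing OpenSSL call. A count of 2 from wallet_cert_count confirms that -chain pulled the CA certificate into the wallet alongside the leaf certificate.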
To remove the client wallet password, unpack the wallet into its parts, strip the passphrase from the private key, and export a new wallet. When reading a PKCS #12 file -password is an alias for -passin, so only -passin is needed:

1. Keep a copy of the current wallet:

cp ewallet.p12 oldwallet.p12

2. Extract the client certificate, the CA certificates, and the private key (the key is written encrypted under the temporary passphrase temp):

openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -passin pass:password
openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -passin pass:password
openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -passin pass:password -passout pass:temp

3. Write the private key without a passphrase:

openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp

4. Combine the certificates and export the new wallet. Keep the -passout value of this final export exactly as shown; the procedure depends on it:

cat certificate.crt ca-cert.ca > PEM.pem
openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded

Delete oldwallet.p12, private.key and NewKeyFile.key once the new wallet works; they hold the same private key under a known passphrase or none at all.
Add the CA certificate that signed the server certificate to the PIA truststore, so that the web server trusts certificates issued by this CA:

cd %ORACLE_HOME%\jdk\bin
keytool -import -file <server_wallet>/<certificate> -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

For example:

keytool -import -file wallet.server\caCert.crt -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

-noprompt imports the certificate without displaying it for confirmation, so if the file came from another host, check its fingerprint first (openssl x509 -in caCert.crt -noout -fingerprint -sha256) against the value on the host where the CA was created.