Setting Up Oracle Wallet Using OpenSSL

To set up Oracle Wallet using OpenSSL, use the following command. A literal pass:... argument is visible in the process list and in the shell history; -passout file:<path> or -passout env:<variable> avoids that.

openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:password

This table lists the command options:

  Field or Control   Definition

  -export            Creates a PKCS #12 file (without this option, openssl pkcs12 parses one).

  -chain             Attempts to include the entire certificate chain of the user certificate, built from the certificates given with -CAfile.

  -inkey             The private key file.

  -in                The file that contains the user certificate and any other certificates in the certificate chain.

                     Note: If the private key and the certificate chain are in the same file, the -inkey and -in parameters can specify the same file.

  -CAfile            A file containing trusted certificates, used to build the chain.

  -out               The output file name, which must be ewallet.p12 for an Oracle Wallet.

  -passin            The password for the private key file. It is needed only when the key file is encrypted; the keys generated in the procedure below are not, so the command above omits it.

  -passout           The password for the newly created wallet. openssl prompts for it if the option is omitted.

The following steps create a self-signed CA certificate with OpenSSL, use it to sign a server certificate and a workstation (client) certificate, package each key and certificate pair as an Oracle Wallet, and add the CA certificate to the PIA truststore:

  1. Create the server wallet.

    1. Create a new directory and change to it:

      mkdir wallet.server
      cd wallet.server
    2. Generate the server private key (it is written unencrypted, so no -passin is needed later):

      openssl genrsa -out server.key 4096

    3. Create a certificate signing request (CSR) for the server:

      openssl req -new -key server.key -out server.csr -subj <subject>

      For example:

      openssl req -new -key server.key -out server.csr -subj '/C=CN/CN=psft'
      
    4. Generate the private key of the CA:

      openssl genrsa -out caCert.key 4096

    5. Create the self-signed CA certificate (1826 days, that is, five years):

      openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj <subject>

      For example:

      openssl req -new -x509 -days 1826 -key caCert.key -out caCert.crt -subj '/C=US/OU=Class 2 Public Primary Certification Authority/O=VeriSign'

      The subject only labels your own CA; a name that imitates a public CA, as in this example, is misleading once the certificate appears in a truststore, so prefer a subject that identifies your organization.
    6. Sign the server CSR with the CA key (730 days, serial number 01):

      openssl x509 -req -days 730 -in server.csr -CA caCert.crt -CAkey caCert.key -set_serial 01 -out server.crt

    7. Package the server key, the server certificate and the CA certificate as the server wallet:

      openssl pkcs12 -export -out ewallet.p12 -inkey server.key -in server.crt -chain -CAfile caCert.crt -passout pass:password
  2. Create the Workstation wallet.

    1. Create a new directory and change to it:

      mkdir wallet.client
      cd wallet.client
    2. Generate the client private key:

      openssl genrsa -out client.key 4096

    3. Create a CSR for the client:

      openssl req -new -key client.key -out client.csr -subj '/C=CN/CN=wscpsft'

  3. Sign the client certificate with the server's CA and create the client wallet:

    1. Change directory:

      cd ..
    2. Copy the CA certificate, which is the client's truststore, to the client directory:

      cp wallet.server/caCert.crt wallet.client

    3. Copy the CA private key, which is needed only to sign the client CSR:

      cp wallet.server/caCert.key wallet.client

      caCert.key can issue further certificates that the server will trust, so delete it from wallet.client as soon as client.crt has been signed, or sign the CSR in wallet.server instead and copy only client.crt back.
    4. cd wallet.client

    5. Sign the client CSR. The serial number must differ from the server certificate's (01): two certificates issued by the same CA may not share a serial number, and some peers reject or cache-collide on duplicates:

      openssl x509 -req -days 730 -in client.csr -CA caCert.crt -CAkey caCert.key -set_serial 02 -out client.crt

    6. Package the client key, the client certificate and the CA certificate as the client wallet:

      openssl pkcs12 -export -out ewallet.p12 -inkey client.key -in client.crt -chain -CAfile caCert.crt -passout pass:password
  4. To remove the client wallet password:

    1. Keep a copy of the original wallet:

      cp ewallet.p12 oldwallet.p12

    2. Extract the client certificate:

      openssl pkcs12 -clcerts -nokeys -in oldwallet.p12 -out certificate.crt -passin pass:password

    3. Extract the CA certificate(s):

      openssl pkcs12 -cacerts -nokeys -in oldwallet.p12 -out ca-cert.ca -passin pass:password

    4. Extract the private key, temporarily protected with the password temp:

      openssl pkcs12 -nocerts -in oldwallet.p12 -out private.key -passin pass:password -passout pass:temp

    5. Write the private key without encryption:

      openssl rsa -in private.key -out NewKeyFile.key -passin pass:temp

    6. Concatenate the certificates:

      cat certificate.crt ca-cert.ca >PEM.pem

    7. Rebuild the wallet. -nodes stores the private key in an unencrypted key bag; -passout still sets the password that keys the wallet's integrity check (MAC), so a reader must present that string to open the file:

      openssl pkcs12 -export -nodes -in PEM.pem -inkey NewKeyFile.key -out ewallet.p12 -passout pass:TrustedCertsOnlyNoPWNeeded

      Delete private.key and NewKeyFile.key afterwards; both hold the client's private key outside the wallet, NewKeyFile.key in clear text.

  5. Add the server's CA certificate to the PIA's truststore, so that the PIA trusts the server certificate signed by it.

    1. cd %ORACLE_HOME%\jdk\bin

    2. keytool -import -file <server_wallet>/<certificate> -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

      For example:

      keytool -import -file wallet.server\caCert.crt -alias srvcert -keystore <PIA_HOME>\webserv\<DOMAIN_NAME>\piaconfig\keystore\pskey -storepass password -noprompt

      Replace password with the pskey keystore password if it has been changed from the delivered default. -noprompt skips the interactive "Trust this certificate?" confirmation, so check the fingerprint first with keytool -printcert -file wallet.server\caCert.crt and compare it with the CA certificate you created.