ORAPKI

11.18 ORAPKI

The orapki utility is a command-line tool designed to manage public key infrastructure (PKI) components, including wallets and certificate revocation lists. By operating via the command line, it allows these tasks to be seamlessly integrated into scripts, enabling automation of routine PKI maintenance activities.

For more information on orapki utility commands , see orapki Utility Commands Summary

11.18.1 ADD

Adds certificate requests and certificates to an Oracle wallet. It also enables you to download the TLS certificate chain from an HTTPS endpoint and add it to an existing Oracle wallet as trusted certificates. This simplifies configuring wallets for endpoints that use certificates not already trusted by your environment (for example, endpoints using self-signed certificates or private Certificate Authorities).

Syntax

add {OPTIONS}

Options

Option	Description
Required
`-wallet <wallet> {FILE}`	Specifies the location of the Oracle wallet.
Optional
`-pwd <pwd>`	Specifies the password of the Oracle wallet.
`-dn <dn>`	Specifies the distinguished name of the certificate to add.
`-alias <alias>`	Specifies an alias for the certificate.
`-asym_alg <asym_alg>`	Specifies the asymmetric algorithm to use (RSA or ECC).
`-keysize <keysize>`	Specifies the requested certificate's key size. The key size identifiers are 512, 1024, 2048, 4096, 8192, 16384.
`-eccurve <eccurve>`	Specifies the elliptic curve for ECC algorithms.
`-self_signed`	Specifies that the certificate should be self-signed.
`-validity <validity>`	Specifies the certificate validity measured in days, starting from the current date.
`-valid_from <valid_from>`	Specifies the start date of certificate validity (format: mm/dd/yyyy or yymmdd-hhmmss-z).
`-valid_until <valid_until>`	Specifies the end date of certificate validity (format: mm/dd/yyyy or yymmdd-hhmmss-z).
`-serial_file <serial_file> {FILE}`	Specifies the file location to store or read the serial number for the certificate.
`-serial_num <serial_num>`	Specifies an identification number for the certificate.
`-sign_alg <sign_alg>`	Specifies the signature algorithm that can be used by CA to sign the certificate.
`-addext_ski`	Adds a Subject Key Identifier (SKI) extension to the certificate.
`-addext_ku <addext_ku>`	Adds key usages. The supported keys are: `digitalSignature` `nonRepudiation` `keyEncipherment` `dataEncipherment` `keyAgreement` `keyCertSign` `cRLSign` `encipherOnly` `decipherOnly`
`-addext_basic_cons <addext_basic_cons>`	Adds basic constraints' extension. This extension mentions that the certificate request is CA.
`-pathlen <pathlen>`	Specifies the path length for the basic constraints extension.
`-addext_san <addext_san>`	Adds Subject Alternative Name (SAN) extension with DNS, IP, or IPV6 addresses. It only allows adding domain names separated by a comma. For example: `DNS:<value1>,DNS:<value2>,DNS:<value3>` OR `DNS:ns1.example.com,DNS:ns2.example.com`
`-cert <cert> {FILE}`	Specifies the certificate location.
`-trusted_cert`	Specifies that the certificate is a trusted certificate.
`-user_cert`	Specifies that the certificate is a user certificate.
`-auto_login_only`	Specifies that the Oracle wallet is in auto-login-only mode.
`-trust_flags <trust_flags>`	Specifies the trust flags (`SERVER_AUTH`, `CLIENT_AUTH`, `VALID_PEER`, or `NULL`) to be added to the certificate
`-from_uri <from_uri>`	Specifies the HTTPS URL of the endpoint whose TLS certificate chain needs to be downloaded and added to the Oracle wallet. The URL must use the `https:// scheme`, and the port defaults to 443 if not specified.

Examples

Download and add TLS certificates from a public endpoint:

SQL> orapki wallet add -wallet /u01/app/oracle/admin/db_wallet -trusted_cert \
     -from_uri https://www.example.com -pwd MySecurePassword

Add a self-signed certificate to a wallet:

SQL> orapki wallet add -wallet /u01/app/oracle/admin/db_wallet
             -dn "CN=server.in.oracle.com, OU=Support, O=Oracle, L=Jaipur,
            ST=Rajasthan, C=IN"
             -asym_alg RSA -keysize 2048 -self_signed -validity 365 -addext_ski
            -addext_ku digitalSignature,nonRepudiation,keyEncipherment

Add a certificate file to the wallet:

 SQL> orapki wallet add -wallet /u01/app/oracle/admin/db_wallet -cert
        /path/to/certificate.pem -pwd MySecurePassword

Add a certificate with SAN extension:

SQL> orapki wallet add -wallet /u01/app/oracle/admin/db_wallet -dn
        "CN=example.com" -asym_alg RSA
             -keysize 2048 -addext_san "DNS:example.com,IPV4:192.168.1.1" -pwd
            MySecurePassword