ttCreateCerts

The ttCreateCerts utility creates Oracle Wallets and certificates that are used when configuring Transport Layer Security (TLS) in TimesTen client/server and replication environments.

About Transport Layer Security (TLS)

TLS is an industry standard protocol for securing network connections. TLS provides authentication, data encryption, and data integrity. The TLS protocol is the foundation of a public key infrastructure (PKI). For authentication, TLS uses digital certificates that comply with the X.509v3 standard and a public and private key pair. With a public and a private key pair, a set of two numbers are used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms. See the Oracle Database Security Guide.

About Public Key Infrastructure (PKI)

PKI utilizes the principles of asymmetric key operations (also called public key cryptography). To support PKI, the TimesTen ttCreateCerts utility creates and manages several PKI elements, including Oracle Wallets and digital certificates.

An Oracle Wallet is a container that stores authentication and signing credentials, including private keys and certificates that TLS needs. Entities (like TimesTen client/server or TimesTen replication) that communicate over TLS must have one or more Oracle Wallets, each of which contains the necessary keys and certificates for TLS.

There are different wallet types. The ttCreateCerts utility creates read/write wallets that do not require a user password. Each wallet consists of a Single Sign-On (SSO) file called cwallet.sso and each wallet is in PKCS#12 format. The ttCreateCerts utility creates a root wallet, a server wallet, and a client wallet.

A certificate (also called a PKI digital certificate) is a wallet component that validates the identity of an end entity in a public key or private key exchange that uses the wallet. A certificate is an International Telecommunications Union (ITU) x.509 v3 standard data structure that securely binds an identity to a public key. It is created when a public key of an entity is signed by a trusted identity. The certificate ensures that information in the entity is correct, and that the public key belongs to the entity.

TimesTen supports several types of certificates, including self-signed certificates. A self-signed certificate is a digital certificate that is created, issued, and digitally signed by the server, rather than by a publicly trusted third-party Certificate Authority (CA). A certificate is self-signed if the issuer's name (who signed it) and the subject's name (who it belongs to) are the same.

The ttCreateCerts utility creates a self-signed root certificate and uses it to sign the server's certificate for both client/server and replication. TimesTen stores the server certificate and self-signed root certificate in a server wallet. In a TimesTen client/server environment, for a client to be able to trust the server certificate, a copy of the self-signed root certificate is needed by the client. The ttCreateCerts utility creates a client wallet and stores the self- signed root certificate in it.

About TimesTen Support for PKI Elements

TimesTen uses asymmetric key pairs when configuing TLS. TimesTen supports the following:

• ECDSA (Elliptic Curve Digital Signature Algorithm): A public-key asymmetric cryptographic algorithm that uses math from elliptic curves to create strong digital signatures. TimesTen supports the p256, p384 (default), and p521 elliptic curves and the ecdsasha256, ecdsasha384 (default), and ecdsasha512 elliptic curve signing algorithms.

• RSA (Rivest-Shamir-Adleman): A pair of cryptographic keys, a public key and a private key that rely on the difficulty of factoring large numbers (product of two primes). TimesTen supports 2048 and 4096 key sizes (expressed in bits) with 4096 being the default. The supported signing algorithms are sha256, sha384, and sha512 (default).

TimesTen supports storing and managing PKI credentials (including keys and X.509 certificates) in Oracle Wallets. Oracle Wallets adhere to PKCS #12 (Public-Key Cryptography Standards), storing private keys and certificates securely.

The ttCreateCerts utility provides options, such as -asym_alg, -sign_alg, -keysize, and -eccurve that allow you to specify the asymmetric cryptographic algorithm, the signing algorithm, the eccurve (for ECDSA), and the key size (for RSA).

How ttCreateCerts Configures TLS

Let's explore how ttCreateCerts creates Oracle Wallets and Certificates and performs the necessary steps to configure TLS.

Note:

This is for example purposes only.

1. Creates a root wallet in the directory you specify. The name of the directory that holds the wallet is rootWallet. In it is a cwallet.sso file. Ignore the .lck file.

   $ ls
   rootWallet
   $ ls rootWallet
   cwallet.sso  cwallet.sso.lck

2. Creates a self-signed root certificate for the root CA wallet. Note the Subject and Issuer are the same.

   $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/rootWallet -complete"
   Requested Certificates:
   User Certificates:
   Subject:        CN=ecRoot,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
   Key Length      384
   MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
   SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF
   
   Trusted Certificates:
   Subject:        CN=ecRoot,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
   Key Length      384
   MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
   SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

3. Exports the trusted root certificate into a file called root.cert. Note the certificate uses the default ECC key, default eccurve, and default signing algorithm. You can override the defaults at the ttCreateCerts command line.

   $ ls
   root.cert  rootWallet

   $ openssl x509 -in wallets/ecc/root.cert -noout -text
   Certificate:
       Data:
           Version: 1 (0x0)
           Serial Number:
               49:08:c9:ca:d9:c5:6f:e4:22:b7:96:c5:55:e0:96:49
           Signature Algorithm: ecdsa-with-SHA384
           Issuer: C = US, CN = ecRoot
           Validity
               Not Before: Dec 11 13:49:09 2025 GMT
               Not After : Dec  9 13:49:09 2035 GMT
           Subject: C = US, CN = ecRoot
           Subject Public Key Info:
               Public Key Algorithm: id-ecPublicKey
                   Public-Key: (384 bit)
                   pub:
                       04:18:94:29:eb:a4:0d:b7:0e:db:ce:1b:82:61:d2:
                       dd:c9:d3:d6:c2:a3:25:49:72:67:2b:44:92:cf:db:
                       5c:c5:ce:7d:8d:c4:4d:55:7e:85:de:0f:52:59:08:
                       2e:3d:02:e0:35:14:36:0a:b4:6d:7f:a7:5e:12:0a:
                       49:ba:ff:21:ea:48:2d:9e:a5:6f:55:36:e9:e1:35:
                       a5:c8:da:68:71:35:54:3a:85:6c:29:83:2d:bc:10:
                       ff:70:73:e0:ab:8f:22
                   ASN1 OID: secp384r1
                   NIST CURVE: P-384
       Signature Algorithm: ecdsa-with-SHA384
            30:65:02:30:44:70:ae:0a:b4:fa:9e:fd:42:be:af:b2:1b:48:
            c6:d8:44:95:1b:53:7f:5f:a3:16:0f:6d:1e:43:69:52:46:14:
            cf:c7:a8:99:4c:ee:93:f7:c6:88:48:e6:dd:1a:a8:5a:02:31:
            00:e0:a2:f2:00:9c:d6:16:2a:be:4c:f0:5b:ab:bf:7c:29:21:
            c3:c1:1b:70:33:10:b9:2f:75:ac:fc:51:b7:57:d4:a9:ad:33:
            8a:4f:e9:13:b6:cc:d4:b0:4f:d1:5e:11:78

4. Creates the server wallet. The location of the wallet is serverWallet. In serverWallet is a cwallet.sso file.

   $ ls serverWallet
   cwallet.sso  ...

5. Adds the trusted root certificate to the server wallet.

   $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/serverWallet -complete"               Requested Certificates:
   User Certificates:
   Trusted Certificates:
   Subject:        CN=ecRoot,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
   Key Length      384
   MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
   SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

6. Adds a private key and request certificate in the server wallet using the same key and signing algorithm.

   $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/serverWallet -complete"               
   Requested Certificates:
   Subject:        CN=server1,C=US
   Key Length:     384
   
   User Certificates:
   Trusted Certificates:
   Subject:        CN=ecRoot,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
   Key Length      384
   MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
   SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

7. Exports the certificate request to get it signed. The name of the request is server1.request.

   $ ls
   root.cert  rootWallet  server1.request  serverWallet

   $ cat wallets/server1.request
   -----BEGIN NEW CERTIFICATE REQUEST-----
   MIIBGDCBngIBADAfMQswCQYDVQQGEwJVUzEQMA4GA1UEAxMHc2VydmVyMTB2MBAG
   ByqGSM49AgEGBSuBBAAiA2IABA9W+6uboRU3BM/pTKjl/EAgW1lGk/2UapgcprCX
   14JC83d6BAV1/uc2VwXdTe/6HffBMa9vSItMOFuYQsOUmfHvcUEd8Ex2jwWphChy
   KjrsPVjF40b6R5ozJHh5NZO3qaAAMAwGCCqGSM49BAMDBQADZwAwZAIwEOuo3KsB
   fIEOKfakjCImAwOjWyoAX+ABTz+9OwjXr2azCfKw8nUSw3MTrbKUfmJOAjAMG6ZU
   royrOkb+yRnLCIf5GW9r2fTXVqmoREddSmGf2mlA2sAy+jURIfeAI2COb0w=
   -----END NEW CERTIFICATE REQUEST-----

8. Signs the certificate request using the self-signed root wallet. The server1.cert certificate is the signed certificate.

   $ ls
   root.cert  rootWallet  server1.cert  server1.request  serverWallet
   

   $ cat server1.cert
   -----BEGIN CERTIFICATE-----
   MIIBZjCB6gIBADAMBggqhkjOPQQDAwUAMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQD
   EwZlY1Jvb3QwHhcNMjUxMjExMTQyNzQzWhcNMzUxMjA5MTQyNzQzWjAfMQswCQYD
   VQQGEwJVUzEQMA4GA1UEAxMHc2VydmVyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
   BA9W+6uboRU3BM/pTKjl/EAgW1lGk/2UapgcprCX14JC83d6BAV1/uc2VwXdTe/6
   HffBMa9vSItMOFuYQsOUmfHvcUEd8Ex2jwWphChyKjrsPVjF40b6R5ozJHh5NZO3
   qTAMBggqhkjOPQQDAwUAA2kAMGYCMQCuew8xBMEcMclUtrH96XVJv4UCexKKQMK6
   BpJks2/sIE4FY3OfkejKh3FmQlkrWZwCMQDMn6ivKd4x7bRDv23VkZ/erkydHMbb
   PUHhEOufQ6/Wwm50VzSATlR9AmTKXmcreOg=
   -----END CERTIFICATE-----

9. Imports the signed server user certificate into the server wallet. Note that the server certificate is displayed under User Certificates and the Subject and Issuer are different.

   $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/serverWallet -complete"
   Requested Certificates:
   User Certificates:
   Subject:        CN=server1,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  00
   Key Length      384
   MD5 digest:     2D:07:F1:F8:34:23:92:8F:BD:15:98:A7:5C:B8:CF:EA
   SHA digest:     B5:F9:81:63:F3:C7:39:E0:B8:54:37:42:D4:FE:3F:1C:C6:44:9C:12
   
   Trusted Certificates:
   Subject:        CN=ecRoot,C=US
   Issuer:         CN=ecRoot,C=US
   Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
   Key Length      384
   MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
   SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

10. Creates the client wallet. The location of the wallet is clientWallet. In it is a cwallet.sso file.

    $ ls clientWallet
    cwallet.sso  ...

11. Adds the trusted root certificate into the wallet.

    $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/clientWallet -complete"
    Requested Certificates:
    User Certificates:
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    Issuer:         CN=ecRoot,C=US
    Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
    Key Length      384
    MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
    SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

12. Adds a private key and certificate request in the client wallet. This step does not occur if -noclient is specified.

    $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/clientWallet -complete"               Requested Certificates:
    Subject:        CN=client1,C=US
    Key Length:     384
    
    User Certificates:
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    Issuer:         CN=ecRoot,C=US
    Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
    Key Length      384
    MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
    SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

13. Exports the client certificate request to get it signed. This step does not occur if -noclient is specified.

    $ cat client1.request
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBGjCBngIBADAfMQswCQYDVQQGEwJVUzEQMA4GA1UEAxMHY2xpZW50MTB2MBAG
    ByqGSM49AgEGBSuBBAAiA2IABPHf1llWyhG+1ShYt8TcbCNGP9SERmelcrfJsYtH
    ww6AnCytLG/OlIEijjjJ4OsjZhe4jfWoi9gZRWt3aK99OWYcsaBgcaD9ckI3gLF7
    5izrwejKdugaI65c4ubTeImYwKAAMAwGCCqGSM49BAMDBQADaQAwZgIxAP7sQpiY
    m69xfkrx4bVUl0qvjdDPL6fUpS9DLmNiAhaRa8yc/e7YPcBEk2EX8934cwIxAL64
    bkgHL3qe3WSxu5PGH0sSXVhcm4zC+KHaqhBOajiecjAMzl5PXZdvCLngtLmTcA==
    -----END NEW CERTIFICATE REQUEST-----

14. Signs the certificate using the self-signed root wallet, creating a file called client1.cert.

    $ ls
    client1.cert     clientWallet  rootWallet    server1.request
    client1.request  root.cert     server1.cert  serverWallet

    $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/clientWallet -complete"               
    Requested Certificates:
    Subject:        CN=client1,C=US
    Key Length:     384
    
    User Certificates:
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    Issuer:         CN=ecRoot,C=US
    Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
    Key Length      384
    MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
    SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

15. Imports the signed client user certificate into the client wallet. The client certificate is now displayed under User Certificates.

    $ ttCreateCerts -run "wallet display -wallet /wallets/ecc/clientWallet -complete"               Requested Certificates:
    User Certificates:
    Subject:        CN=client1,C=US
    Issuer:         CN=ecRoot,C=US
    Serial Number:  00
    Key Length      384
    MD5 digest:     3A:E4:48:40:74:34:90:E6:25:3D:18:5D:76:0E:D1:EF
    SHA digest:     2C:AE:AC:ED:20:0A:9B:8E:6B:EC:2E:45:0E:D6:82:01:27:79:35:44
    
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    Issuer:         CN=ecRoot,C=US
    Serial Number:  49:08:C9:CA:D9:C5:6F:E4:22:B7:96:C5:55:E0:96:49
    Key Length      384
    MD5 digest:     77:4A:3C:FF:25:50:3A:6B:E9:D4:12:4F:7F:80:71:DF
    SHA digest:     02:97:A9:A5:D5:8A:A6:C4:1B:9B:17:FE:11:3C:A4:CE:39:0B:27:BF

Next Steps:

You must complete additional steps to configure TLS for client/server and replication. These steps include specifying the location of the Oracle Wallets in your configuration, and specifying the correct cipher suites. See Configuration for TLS for Client/Server and Transport Layer Security for TimesTen Replication in Oracle TimesTen In-Memory Database Security Guide.

Note:

You must have Java JDK or JRE version 1.8 or higher on your system to use ttCreateCerts. The utility searches for it according to the JRE_HOME, JAVA_HOME, and PATH settings.

Required Privilege

The utility requires no privileges. However, since the utility may create and write files in directories, instance administrator privileges may be required.

Usage in TimesTen Scaleout and TimesTen Classic

This utility is supported in both TimesTen Classic and TimesTen Scaleout.

Syntax

ttCreateCerts -help
usage: ttCreateCerts [-dir WALLETDIR] [options...]
       ttCreateCerts [-h | -help]
       ttCreateCerts [-V | -version]
       ttCreateCerts [-showWallet WALLETDIR] [-json]
options:
  -f | -force
  -verbose
  -validity DAYS | -valid_from mm/dd/yyyy -valid_until mm/dd/yyyy
  -dryrun
  -fips140_mode
  -client | -noclient
  -sign_alg ALGORITHM (sha256 sha384 sha512 ecdsasha256 ecdsasha384 ecdsasha512)
  -asym_alg ECC -eccurve TYPE  (p256 p384 p521)
  -eccurve TYPE  (p256 p384 p521)
  -asym_alg RSA -keysize SIZE  (2048 4096)
  -keysize SIZE  (2048 4096)

Options

The following table shows the supported options for ttCreateCerts. The second column indicates if the option is supported for ECC or RSA keys or both.

Option	ECC or RSA Support	Description
-dir	Supported for both ECC and RSA	Specifies a directory where the wallets are placed, as an absolute path. The specified directory must already exist and cannot already contain wallets produced by ttCreateCerts, unless you use the -force option. The default is timesten_home/conf.
-h -help	Supported for both ECC and RSA	Shows help (showing the above syntax).
-v -V -version	Supported for both ECC and RSA	Displays the TimesTen release number.
-showWallet WALLETDIR [-json]	Supported for both ECC and RSA	Shows information about the certificate in the specified WALLETDIR directory. If the optional -json parameter is specified, ttCreateCerts displays the output in JSON format.
-f -force	Supported for both ECC and RSA	Overwrites any previous wallets in the specified directory.
-verbose	Supported for both ECC and RSA	Shows additional output from execution of the utility.
-validity	Supported for both ECC and RSA	One of two ways to specify the lifetime of the wallets that are created, expressed as a number of days from creation. The default is 3650 days, which can be overridden by setting either -validity or -valid_from and -valid_until.
-valid_from -valid_until	Supported for both ECC and RSA	The other way to specify the lifetime of the wallets that are created, expressed as a start and an end date in mm/dd/yyyy format.
-dryrun	Supported for both ECC and RSA	Echoes all the commands to be executed by ttCreateCerts to create the certificates as you specified, but without executing them. For options you do not set, you can use this to confirm what the default values are.
-fips140_mode	Supported for both ECC and RSA	Instructs ttCreateCerts to use FIPS mode when generating certificates. By default, ttCreateCerts does not run in FIPS mode. TimesTen does not support the -eccurve p521 option in FIPS mode.
-client | -noclient	Supported for both ECC and RSA	Indicates if ttCreateCerts adds a client certificate to the client wallet. If -client is specified, ttCreateCerts adds a client certificate to the client wallet. If -noclient is specified, ttCreateCerts does not add a client certificate to the client wallet. The default is -client.
-sign_alg sha256 |sha384 | sha512 |ecdsasha256 | ecdsasha384 | ecdsasha512	Supported for both ECC and RSA	Specifies the signature algorithm used to sign a certificate. Valid values are as follows: For ECC keys, you must use one of the following elliptic curve signing algorithms: ecdsasha256 ecdsasha384 (default for ECC keys) ecdsasha512 For RSA keys, you must use one of the following RSA signing algorithms: sha256 sha384 sha512 (default for RSA keys)
-asym_alg ECC -eccurve p256 | p384 | p521	Supported for ECC	The -asym_alg option indicates the asymmetric cryptographic algorithm to use when generating a key pair. Valid values are ECC and RSA. Ensure you use uppercase (for example, ECC or RSA). This option is specific to ECC: Refers to the Elliptic Curve Digital Signature Algorithm (ECDSA), which is a public-key asymmetric cryptographic algorithm that uses math from elliptic curves to create strong digital signatures. If ECC keys and the ECC asymmetric cryptographic algorithm are used to generate certificates, then the -eccurve option is valid. The -eccurve option specifies the curve on which an ECC key is generated. Valid values for -eccurve are p256 or p384 (default) or p521. See the Usage Rules section for more information about using the -asym_alg option.
-eccurve p256 | p384 | p521	Supported for ECC	The -eccurve option specifies the curve on which an ECC key is generated. Valid values for -eccurve are p256 or p384 (default) or p521. This option is only valid for ECC keys.
-asym_alg RSA -keysize 2048 | 4096	Supported for RSA	The -asym_alg option indicates the asymmetric cryptographic algorithm to use when generating a key pair. Valid values are ECC and RSA. Ensure you use uppercase (for example, ECC or RSA). This option is specific to RSA: RSA refers to a pair of cryptographic keys, a public key and a private key that are used for public-key encryption and digital signatures. If RSA keys and the RSA asymmetric cryptographic algorithm are used to generate certificates, then the -keysize option is valid. The -keysize option sets the key size (expressed in bits) for the RSA key. Supported key sizes are 2048 or 4096 (default).
-keysize 2048 | 4096	Supported for RSA	The -keysize option sets the key size (expressed in bits) for the RSA key. Supported key sizes are 2048 or 4096 (default). This option is only valid for RSA keys.

Usage Rules for ECC and RSA keys

Note the following usage rules:

• The -asym_alg option specifies which asymmetric cryptographic algorithm to use when generating a key pair.

  • If the algorithm is RSA, you can specify -keysize to set the size of the RSA key to be generated.

  • If the algorithm is ECC, you can specify -eccurve to set the ECC curve on which the key is generated. TimesTen does not support the p521 ECC curve in FIPS mode.

• If you do not specify -asym_alg, the following rules apply:

  • If you specify -eccurve and -keysize, the ttCreateCerts utility returns an error.

  • If you only specify -eccurve, ttCreateCerts uses the ECC algorithm.

  • If you only specify -keysize, ttCreateCerts uses the RSA algorithm.

  • If you do not specify -eccurve or -keysize, ttCreateCerts uses the ECC algorithm.

Additional Considerations

The ttCreateCerts utility also has a -run option that allows you to run commands of the Oracle orapki utility to manage Public Key Infrastructure (PKI) elements. Place the orapki command in quotes, such as in this example:

% ttCreateCerts -run "wallet create -wallet serverWallet -auto_login_only"

For more information on the discussion of using certificates signed by a certificate authority, see Create the Server Wallet and Create the Client Wallet in Oracle TimesTen In-Memory Database Security Guide.

For information about orapki, see Oracle Database Security Guide.

In addition to using ttCreateCerts manually, you can configure a TimesTen instance for TLS. When you do this, TimesTen runs ttCreateCerts to create Oracle Wallets and certificates for use at the instance level. See ttInstanceCreate.

The ttCreateCerts utility is located in the bin directory of a TimesTen instance. To avoid having to specify the full path, set TIMESTEN_HOME before you run ttCreateCerts. You can accomplish this by sourcing the ttenv.sh or ttenv.csh script from the instance bin directory.

Examples Illustrating the Use of ECC and RSA

Example 1:

Use the ttCreateCerts utility to create Oracle Wallets and certificates using the RSA asymmetric cryptographic algorithm with a key size of 2048 and a signing algorithm of sha384. This example assumes you have previously created the wallets/rsa subdirectory from a directory of your choice.

$ ttCreateCerts -dir wallets/rsa -asym_alg RSA -keysize 2048 -sign_alg sha384
ttCreateCerts : certificates created in wallets/rsa

Review the directory.

$ ls wallets/rsa
client1.cert  clientWallet  root.cert  rootWallet  server1.cert  serverWallet

Show Oracle Wallet information.

$ ttCreateCerts -showWallet wallets/rsa/rootWallet
NAME                                                        HOLDER          EXPIRATION
wallets/rsa/rootWallet/cwallet.sso                          CN=ecRoot,C=US  Sun Dec 09 12:27:23 UTC 2035

$ ttCreateCerts -showWallet wallets/rsa/serverWallet
NAME                                                          HOLDER           EXPIRATION
wallets/rsa/serverWallet/cwallet.sso                          CN=server1,C=US  Sun Dec 09 12:27:32 UTC 2035

$ ttCreateCerts -showWallet wallets/rsa/clientWallet
NAME                                                          HOLDER           EXPIRATION
wallets/rsa/clientWallet/cwallet.sso                          CN=client1,C=US  Sun Dec 09 12:27:40 UTC 2035

Verify the key used to generate the root and server certificates is RSA.

$ openssl x509 -in wallets/rsa/root.cert -noout -text | grep "Public Key Algorithm"
            Public Key Algorithm: rsaEncryption

$ openssl x509 -in wallets/rsa/server1.cert -noout -text | grep "Public Key Algorithm"
            Public Key Algorithm: rsaEncryption

Example 2:

Use the ttCreateCerts utility to create Oracle Wallets and certificates using the ECDSA (ECC) asymmetric cryptographic algorithm with an elliptic curve of p521 and a signing algorithm of ecdsasha512. This example assumes you have previously created the wallets/ecc subdirectory from a directory of your choice.

$ ttCreateCerts -dir wallets/ecc -asym_alg ECC -eccurve p521 -sign_alg ecdsasha512
ttCreateCerts : certificates created in wallets/ecc

Review the directory.

$ ls wallets/ecc
client1.cert  clientWallet  root.cert  rootWallet  server1.cert  serverWallet

Show Oracle Wallet information.

$ ttCreateCerts -showWallet wallets/ecc/rootWallet
NAME                                                        HOLDER          EXPIRATION
wallets/ecc/rootWallet/cwallet.sso                          CN=ecRoot,C=US  Sun Dec 09 12:50:08 UTC 2035

$ ttCreateCerts -showWallet wallets/ecc/serverWallet
NAME                                                          HOLDER           EXPIRATION
wallets/ecc/serverWallet/cwallet.sso                          CN=server1,C=US  Sun Dec 09 12:50:17 UTC 2035

 ttCreateCerts -showWallet wallets/ecc/clientWallet
NAME                                                          HOLDER           EXPIRATION
wallets/ecc/clientWallet/cwallet.sso                          CN=client1,C=US  Sun Dec 09 12:50:26 UTC 2035

Verify the key used to generate the root and server certificates is ECC.

$ openssl x509 -in wallets/ecc/root.cert -noout -text | grep "Public Key Algorithm"
            Public Key Algorithm: id-ecPublicKey

$ openssl x509 -in wallets/ecc/server1.cert -noout -text | grep "Public Key Algorithm"
            Public Key Algorithm: id-ecPublicKey

Additional Examples

This section provides ttCreateCerts examples that place the wallets in a wallets subdirectory under timesten_home/conf, where timesten_home is the full path to the TimesTen instance home directory.

The following example includes verbose output. (Without the -verbose option, only the last line is shown.)

% ttCreateCerts -verbose -dir timesten_home/conf/wallets
Requested Certificates:
User Certificates:
Subject:        CN=server1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
Requested Certificates:
User Certificates:
Subject:        CN=client1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
ttCreateCerts : certificates created in timesten_home/conf/wallets

Here are the results. You can ignore all but clientWallet and serverWallet.

% ls timesten_home/conf/wallets
client1.cert  clientWallet  root.cert  rootWallet  server1.cert  serverWallet
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso

The next example is a dry run. No certificates are created (despite the last line). This shows only a snippet of the output:

% ttCreateCerts -dir timesten_home/conf/wallets -dryrun
...
+ /bin/java -Djava.security.egd=file:///dev/./urandom -Xms64m -Xmx512m -cp 
/scratch/classic221110/instances/tt221/install/lib/cryptoj_5_0.jar:
/scratch/classic221110/instances/tt221/install/lib/oraclepki.jar:
/scratch/classic221110/instances/tt221/install/lib/osdt_cert.jar:
/scratch/classic221110/instances/tt221/install/lib/osdt_core.jar 
oracle.security.pki.textui.OraclePKITextUI wallet add -wallet rootWallet -dn 
CN=ecRoot,C=US -sign_alg ecdsasha384 -self_signed -asym_alg ECC -eccurve p384 
-jsafe -validity 3650 -auto_login_only -nologo
...
ttCreateCerts : certificates created in timesten_home/conf/wallets

From this, you can see that the default settings are -sign_alg ecdsasha384, -eccurve p384, and -validity 3650 (days).

Here is another example that sets signing algorithm and size of the elliptical curve:

% ttCreateCerts -dir timesten_home/conf/wallets -sign_alg ecdsasha256 
-eccurve p256
ttCreateCerts : certificates created in timesten_home/conf/wallets

This example specifies that the certificates will expire one year from when they were created:

% ttCreateCerts -dir timesten_home/conf/wallets -validity 365
ttCreateCerts : certificates created in timesten_home/conf/wallets

Or, equivalently:

% ttCreateCerts -dir timesten_home/conf/wallets -valid_from 10/28/2022 
-valid_until 10/28/2025
ttCreateCerts : certificates created in timesten_home/conf/wallets

The next example tries to create wallets in a location where wallets already exist:

% ttCreateCerts -dir timesten_home/conf/wallets
ttCreateCerts: rootWallet is not empty, use -force to overwrite

This example tries again, using the -force option:

% ttCreateCerts -dir timesten_home/conf/wallets -f
ttCreateCerts : certificates created in timesten_home/conf/wallets

Recall the resulting wallets:

% ls -F timesten_home/conf/wallets
client1.cert   root.cert    server1.cert
clientWallet/  rootWallet/  serverWallet/
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso

Copy the clientWallet directory, which includes the root certificate, to the desired location. This is preferably the same location on each client instance.

% mkdir timesten_home/conf/wallets
[...Copy clientWallet from the server...]
% cd timesten_home/conf/wallets
% ls
clientWallet
% ls clientWallet
cwallet.sso

Note:

Note and preserve the file and directory permissions of the wallet.