Create Client, Server, and Trusted Chain Certificates

This part of the quickstart is a prerequisite to Connect the Two Deployments through the Distribution Path.

In a production environment, certificates are provided by a digital certificate authority such as DigiCert. However, in a testing environment, you can generate certificates using the instructions in this quickstart.

Note:

Make sure that the latest JDK is installed and the JAVA_HOME environment variable is set up. This is required to run the orapki utility.

Follow the steps in this topic to create server, client, and trusted certificate chains on the source and target deployments.

Source Deployment:

  1. Create a rootCA certificate.
    1. Use a configuration file similar to the following for rootCA.cfg:

      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      req_extensions = v3_req
      x509_extensions = v3_ca
      x509_extensions = usr_cert
      [ req_distinguished_name ]
      commonName = "gg-Root"
      [ v3_req ]
      basicConstraints=CA:TRUE
      [ v3_ca ]
      basicConstraints=CA:TRUE
      [ usr_cert ]
      basicConstraints=CA:TRUE
      [ my_extensions ]
      
    2. Use the following command to create the rootCA certificate:
      openssl req -x509 -newkey rsa:4096 -keyout rootCA.key -out rootCA.cert -days 73000 -nodes -config rootCA.cfg
  2. Create a Server Certificate.
    1. Make a directory server and navigate to this directory.
      mkdir server
      cd server
    2. Create the server configuration file, server.cfg, with the following content:
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "west.oracle.com"
      [ my_extensions ]
      
    3. Create the server certificate (the private key and certificate signing request go to server.key and server.csr, which the signing command below reads):
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.cfg
      
      openssl x509 -req -days 73000 -in server.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out server.cert
  3. Create an empty auto-login Oracle wallet for Server.
    orapki wallet create -wallet ../server -auto_login

    When prompted, enter the password for logging in to the wallet.

  4. Create a pkcs#12 file using the server certificate and trusted certificate (rootCA) chain details.
    openssl pkcs12 -export -out server.p12 -inkey server.key -in server.cert -chain -CAfile ../rootCA.cert

    Provide the password, if prompted.

  5. Import the pkcs#12 file into the auto-login wallet.
    orapki wallet import_pkcs12 -wallet ../server -pkcs12file ./server.p12

    Enter the password when prompted.

  6. Review the content of the wallet.

    orapki wallet display -wallet ../server/ -complete

    Note:

    Make sure that you have the latest JDK installed on the system.
  7. Create the client configuration file and client wallet with the client certificate.
    1. Make directory client.
      cd ..
      mkdir client
      cd client
      cat >client.cfg <<EOF
      # Client configuration file (client.cfg)
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "client_src"
      [ my_extensions ]
      EOF
    2. Create the client certificate, using the steps shown in the following code snippet:

      openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.cfg
      openssl x509 -req -days 73000 -in client.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out client.cert
      
    3. Create an empty auto-login wallet for the client.
      orapki wallet create -wallet ../client -auto_login
      
    4. Create a pkcs#12 file using the client certificate and trusted certificate (rootCA) chain details.

      openssl pkcs12 -export -out client.p12 -inkey ./client.key -in ./client.cert -chain -CAfile ../rootCA.cert
    5. Import the pkcs#12 file into the auto-login wallet.
      orapki wallet import_pkcs12 -wallet ../client -pkcs12file ./client.p12
    6. Review the content of the client wallet.

      orapki wallet display -wallet ../client/ -complete

Target Deployment:

Repeat the steps used to generate the source server and client certificates to create the target server and client certificates.
  1. Copy the rootCA certificate created previously to the target deployment.

  2. Generate the target server certificate, as shown in the following code snippet:

    ## a. Make target directory 
    cd ..
    mkdir target
    cd target
    
    ## b. Create target configuration file
    cat > target.cfg << EOF
    
    ## c. Target Configuration File (target.cfg)
    [ req ]
    default_bits = 4096
    default_md = sha512
    prompt = no
    encrypt_key = no
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    commonName = "east.oracle.com"
    [ my_extensions ]
    EOF
    
    ## d. Create the certificate for the target server
    openssl req -new -newkey rsa:2048 -nodes -keyout target.key -out target.csr -config target.cfg
    openssl x509 -req -days 73000 -in target.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out target.cert
    
    ## e. Create an empty auto-login wallet for the target certificate
    orapki wallet create -wallet ../target -auto_login
    
    ## f. Create a pkcs#12 file using the target certificate and trusted certificate chain details
    openssl pkcs12 -export -out target.p12 -inkey ./target.key -in ./target.cert -chain -CAfile ../rootCA.cert
    
    ## g. Import the pkcs#12 file into the auto-login wallet
    orapki wallet import_pkcs12 -wallet ../target -pkcs12file ./target.p12
    
    ## h. Review the content of the wallet
    orapki wallet display -wallet ../target/ -complete
  3. Generate the target client certificate:
    ## make directory 
    cd ..
    mkdir client
    cd client
    cat >client.cfg <<EOF
    ## client configuration file 
    [ req ]
    default_bits = 4096
    default_md = sha512
    prompt = no
    encrypt_key = no
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    commonName = "client_trg"
    [ my_extensions ]
    EOF
    ## Command to generate the client certificate
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.cfg
    openssl x509 -req -days 73000 -in client.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out client.cert
    
    ## Create an empty auto-login wallet for the target client certificate
    orapki wallet create -wallet ../client -auto_login
    
    ## Create a pkcs#12 file using the target client certificate and trusted certificate chain details.
    openssl pkcs12 -export -out client.p12 -inkey ./client.key -in ./client.cert -chain -CAfile ../rootCA.cert
    
    ## Import the pkcs#12 file into the auto-login wallet
    orapki wallet import_pkcs12 -wallet ../client -pkcs12file ./client.p12
    
    ## Review the content of the wallet
    orapki wallet display -wallet ../client/ -complete