Create Client, Server, and Trusted Chain Certificates

This part of the quickstart is a prerequisite to Connect the Two Deployments through the Distribution Path.

Note:
Make sure that the latest JDK is installed and the JAVA_HOME environment variable is set up. This is required to run the orapki utility.

Follow the steps in this topic to create server, client, and trusted certificate chains on the source and target deployments.
Source Deployment:

1. Create a rootCA certificate.

   a. Use a configuration file similar to the following for rootCA.cfg:

      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      req_extensions = v3_req
      x509_extensions = v3_ca
      x509_extensions = usr_cert

      [ req_distinguished_name ]
      commonName = "gg-Root"

      [ v3_req ]
      basicConstraints=CA:TRUE

      [ v3_ca ]
      basicConstraints=CA:TRUE

      [ usr_cert ]
      basicConstraints=CA:TRUE

      [ my_extensions ]

   b. Use the following command to create the rootCA certificate:

      openssl req -x509 -newkey rsa:4096 -keyout rootCA.key -out rootCA.cert -days 73000 -nodes -config rootCA.cfg

2. Create a server certificate.

   a. Make a directory named server and navigate to it.

      mkdir server
      cd server

   b. View the server configuration file, server.cfg:

      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name

      [ req_distinguished_name ]
      commonName = "west.oracle.com"

      [ my_extensions ]

   c. Create the server certificate. The first command writes the private key to server.key and the signing request to server.csr; the second signs the request with the rootCA key.

      openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config server.cfg
      openssl x509 -req -days 73000 -in server.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out server.cert

   d. Create an empty auto-login Oracle wallet for the server.

      orapki wallet create -wallet ../server -auto_login

      When prompted, enter the password for logging in to the wallet.

   e. Create a pkcs#12 file using the server certificate and trusted certificate (rootCA) chain details.

      openssl pkcs12 -export -out server.p12 -inkey server.key -in server.cert -chain -CAfile ../rootCA.cert

      Provide the password, if prompted.

   f. Import the pkcs#12 file into the auto-login wallet.

      orapki wallet import_pkcs12 -wallet ../server -pkcs12file ./server.p12

      Enter the password when prompted.

   g. Review the content of the wallet.

      orapki wallet display -wallet ../server/ -complete

      Note:
      Make sure that you have the latest JDK installed on the system.
3. Create the client configuration file and client wallet with the client certificate.

   a. Make a directory named client and write the client configuration file (client.cfg):

      cd ..
      mkdir client
      cd client
      cat >client.cfg <<EOF
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "client_src"
      [ my_extensions ]
      EOF

   b. Create the client certificate, using the steps shown in the following code snippet:

      openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.cfg
      openssl x509 -req -days 73000 -in client.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out client.cert

   c. Create an empty auto-login wallet for the client.

      orapki wallet create -wallet ../client -auto_login

   d. Create a pkcs#12 file using the client certificate and trusted certificate (rootCA) chain details.

      openssl pkcs12 -export -out client.p12 -inkey ./client.key -in ./client.cert -chain -CAfile ../rootCA.cert

   e. Import the pkcs#12 file into the auto-login wallet.

      orapki wallet import_pkcs12 -wallet ../client -pkcs12file ./client.p12

   f. Review the content of the client wallet.

      orapki wallet display -wallet ../client/ -complete
Target Deployment:

1. Copy the rootCA certificate created previously to the target deployment. Note that the signing commands that follow reference both ../rootCA.cert and ../rootCA.key, so the rootCA private key must also be present in the parent directory on the target.

2. Generate the target server certificate, as shown in the following code snippet:

      ## a. Make target directory
      cd ..
      mkdir target
      cd target
      ## b. Create target configuration file
      cat > target.cfg << EOF
      ## c. Target Configuration File (target.cfg)
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "east.oracle.com"
      [ my_extensions ]
      EOF
      ## d. Create the certificate for the target server
      openssl req -new -newkey rsa:2048 -nodes -keyout target.key -out target.csr -config target.cfg
      openssl x509 -req -days 73000 -in target.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out target.cert
      ## e. Create an empty auto-login wallet for the target certificate
      orapki wallet create -wallet ../target -auto_login
      ## f. Create a pkcs#12 file using the target certificate and trusted certificate chain details
      openssl pkcs12 -export -out target.p12 -inkey ./target.key -in ./target.cert -chain -CAfile ../rootCA.cert
      ## g. Import the pkcs#12 file into the auto-login wallet
      orapki wallet import_pkcs12 -wallet ../target -pkcs12file ./target.p12
      ## h. Review the content of the wallet
      orapki wallet display -wallet ../target/ -complete

3. Generate the target client certificate:

      ## a. Make directory client
      cd ..
      mkdir client
      cd client
      cat >client.cfg <<EOF
      ## b. Client configuration file
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "client_trg"
      [ my_extensions ]
      EOF
      ## c. Generate the client certificate
      openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config client.cfg
      openssl x509 -req -days 73000 -in client.csr -CA ../rootCA.cert -CAkey ../rootCA.key -CAcreateserial -out client.cert
      ## d. Create an empty auto-login wallet for the client certificate
      orapki wallet create -wallet ../client -auto_login
      ## e. Create a pkcs#12 file using the client certificate and trusted certificate chain details
      openssl pkcs12 -export -out client.p12 -inkey ./client.key -in ./client.cert -chain -CAfile ../rootCA.cert
      ## f. Import the pkcs#12 file into the auto-login wallet
      orapki wallet import_pkcs12 -wallet ../client -pkcs12file ./client.p12
      ## g. Review the content of the wallet
      orapki wallet display -wallet ../client/ -complete
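The following shell script is an added example and is not part of the Oracle documentation or of the orapki tooling. It rebuilds, in a scratch directory, the rootCA-to-leaf chain that the openssl steps above produce on either deployment, then runs the checks worth doing before a pkcs#12 file is imported into a wallet: that the leaf verifies against rootCA.cert, that only the root carries basicConstraints CA:TRUE, that the commonName is the expected host name, and that the -chain export really packed the root into the .p12 file alongside the leaf. Everything below is an assumption of the example rather than something the page prescribes: openssl must be on PATH, the function names (build_chain, chain_ok, is_ca, cert_cn, p12_cert_count) are mine, keys are 2048-bit with 365-day validity instead of the page's 4096-bit/73000-day values, and the export password is the throwaway string "example" passed with -passout instead of being typed at a prompt.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): rebuilds the rootCA -> leaf
# chain the steps above produce, then runs the checks a reviewer would want
# before importing the PKCS#12 file into a wallet.
# Assumptions: openssl is on PATH; 2048-bit keys, 365-day validity and the
# throwaway export password "example" replace the page's 4096/73000/prompted values.
set -eu

# Minimal CA config with the same commonName and basicConstraints as rootCA.cfg.
write_root_cfg() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = "gg-Root"
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
}

# Leaf config as in server.cfg / client.cfg: a commonName and nothing else.
write_leaf_cfg() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = "$2"
EOF
}

# build_chain DIR CN: self-signed rootCA, CSR for CN, leaf signed by rootCA,
# and a PKCS#12 bundle carrying leaf + chain, all written into DIR.
build_chain() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  write_root_cfg "$dir/rootCA.cfg"
  write_leaf_cfg "$dir/leaf.cfg" "$cn"
  openssl req -x509 -newkey rsa:2048 -keyout "$dir/rootCA.key" -out "$dir/rootCA.cert" \
    -days 365 -nodes -config "$dir/rootCA.cfg" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -config "$dir/leaf.cfg" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/rootCA.cert" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/leaf.cert" 2>/dev/null
  # Same -chain/-CAfile export as the page, password supplied non-interactively.
  openssl pkcs12 -export -out "$dir/leaf.p12" -inkey "$dir/leaf.key" -in "$dir/leaf.cert" \
    -chain -CAfile "$dir/rootCA.cert" -passout pass:example
}

# chain_ok CAFILE CERT: succeeds only if CERT chains to the CA in CAFILE.
# This is the check that fails when a deployment signs with a different root.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca CERT: succeeds if CERT carries basicConstraints CA:TRUE. Expected on
# rootCA.cert; must not be present on a server or client leaf.
is_ca() {
  openssl x509 -in "$1" -noout -text | sed -n '/Basic Constraints/{n;p;}' | grep -q 'CA:TRUE'
}

# cert_cn CERT: prints the subject commonName (the identity the peers see).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# p12_cert_count FILE: number of certificates in the bundle; 2 means -chain
# packed the rootCA alongside the leaf, which is what the wallet import needs.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:example 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone demo: sh thisfile.sh demo ./scratch west.oracle.com
if [ "${1:-}" = "demo" ]; then
  d=${2:-./scratch}
  build_chain "$d" "${3:-west.oracle.com}"
  chain_ok "$d/rootCA.cert" "$d/leaf.cert" && echo "chain: OK"
  is_ca "$d/rootCA.cert" && echo "rootCA carries CA:TRUE"
  echo "leaf CN: $(cert_cn "$d/leaf.cert")"
  echo "certificates in p12: $(p12_cert_count "$d/leaf.p12")"
fi
```

Run it as sh script.sh demo ./scratch west.oracle.com for the source server case, or with east.oracle.com for the target. The chain_ok check is the one that catches the mistake the target section guards against with its "copy the rootCA" step: a leaf signed under a root that was generated independently on the other deployment fails openssl verify against the first deployment's rootCA.cert. Because every key on this page is created with -nodes, the .key files (rootCA.key above all) sit unencrypted on disk; keep them readable only by the account that performs the signing.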