
Steps to create Self Signed Server and Client SSL Certificates in Oracle

In the previous blog, we discussed Oracle Wallet in detail. In this blog, we will discuss the steps required to create self-signed server and client SSL certificates in Oracle.


Below are the high-level steps we will follow to create SSL certificates.

Root CA Part –
    Create a wallet for the Root Certificate Authority (CA)
    Add a self-signed certificate to the Root CA wallet
    Export the Root CA certificate


Server Certificate Part –

    Create an empty wallet with auto-login enabled
    Create new Key pair of private/public keys
    Export the Certificate Signature Request (CSR) to a file
    Sign the Server CSR with Root CA certificate
    Add the Root CA’s Trusted Certificate to the Server wallet
    Add the User Certificate to the Server wallet


Client Certificate Part –

    Create an empty wallet with auto-login enabled
    Create new Key pair of private/public keys
    Export the Certificate Signature Request (CSR) to a file
    Sign the Client CSR with Root CA certificate
    Add the Root CA’s Trusted Certificate to the Client wallet
    Add the User Certificate to the Client wallet


Root CA Part


Step 1. Create a wallet for the Root Certificate Authority (CA):

[oracle@test-machine01 ~]$
[oracle@test-machine01 ~]$ cd /u01
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ mkdir root
[oracle@test-machine01 u01]$ mkdir server
[oracle@test-machine01 u01]$ mkdir client

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet create -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr root
total 4
-rw-------. 1 oracle oinstall   0 Jun  6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall 149 Jun  6 14:05 ewallet.p12
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Trusted Certificates:
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$


Step 2. Add a self-signed certificate to the Root CA wallet:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./root -dn CN=root_test,C=IND -keysize 2048 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$  orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=root_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$


Step 3. Export the Root CA certificate:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet export -wallet ./root -dn CN=root_test,C=IND -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$


[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki cert display -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Subject:        CN=root_test,C=IND
Issuer:         CN=root_test,C=IND
Valid Until:    Thu Jun 03 14:08:14 AST 2032
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki cert display -cert ./root/CARoot_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

{ fingerprint = 1b3dd9bfd9600112f8f4884688eec165, notBefore = Mon Jun 06 14:08:14 AST 2022, notAfter = Thu Jun 03 14:08:14 AST 2032, holder = CN=root_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 4079697574780484414530897106893010121, sigAlgOID = SHA256withRSA, key = { modulus = 17552266264330691885805246917437579089384822013498567786369526906548543166742453474101841638637331262236391896133903788509559776004695226645876370301302299979012851870184962378539923926114749510225011344052851280923792311483086572465255927997644895985210927147801927597011222995428990259339049619995937954701529746590634463328279629093077989396757899738366613190524873966931833941299785393915464267637050198075119516606063567163647147383544889151434905130666858721854010987241832423676055565307670829985077894481599607220669736737398988518605102903689922707037943034593973850215825354867297227094696917363854375573561, exponent = 65537 } }
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr root
total 8
-rw-------. 1 oracle oinstall    0 Jun  6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 14:07 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3848 Jun  6 14:08 ewallet.p12
-rw-------. 1 oracle oinstall 1024 Jun  6 15:19 CARoot_cert.txt
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$


Server Certificate Part


Step 1. Create an empty wallet with auto-login enabled:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet create -wallet ./server -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -l server
total 8
-rw-------. 1 oracle oinstall 194 Jun  6 15:40 cwallet.sso
-rw-------. 1 oracle oinstall   0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 149 Jun  6 15:40 ewallet.p12
-rw-------. 1 oracle oinstall   0 Jun  6 15:40 ewallet.p12.lck
[oracle@test-machine01 u01]$


Step 2. Create new Key pair of private/public keys:

[oracle@test-machine01 u01]$ orapki wallet add -wallet ./server -dn CN=server_test,C=IND -keysize 2048  
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
[oracle@test-machine01 u01]$


Step 3. Export the Certificate Signature Request (CSR) to a file:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet export -wallet ./server -dn CN=server_test,C=IND -request ./server/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@test-machine01 u01]$


[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr server
total 12
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 15:46 csreq.txt
[oracle@test-machine01 u01]$


Step 4. Sign the Server CSR with Root CA certificate:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki cert create -wallet ./root -request ./server/csreq.txt -cert ./server/server_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$


[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr server
total 16
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 15:46 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun  6 15:50 server_cert.txt
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki cert display -cert ./server/server_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

{ fingerprint = fb831aa4311dc98a4382ab9a46dcf11c, notBefore = Mon Jun 06 15:50:37 AST 2022, notAfter = Thu Jun 03 15:50:37 AST 2032, holder = CN=server_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 0, sigAlgOID = SHA256withRSA, key = { modulus = 16847008607975603405055575350829997368836005661349009602694893293119887705742134552842738360687573327151838219860950605676313865785043106331572487409896417394999793602105627344419902080406896033677552294845262742053028071454633444008492095245663623167428955312756056678098716661243405908542697911852709851521437761789355114567615799971872900080646568392639748793219860342513486215375466322106006073759487624555896886917210203815963047615317029601410489368163122113415460190736114636583353527873831137344229073865280082628955190492425031992242165986431678984042798971166840298921491925046836224047898887757467871363361, exponent = 65537 } }
[oracle@test-machine01 u01]$


Step 5. Add the Root CA’s Trusted Certificate to the Server wallet:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./server -trusted_cert -cert  ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
Subject:        CN=root_test,C=IND
[oracle@test-machine01 u01]$


Step 6. Add the User Certificate to the Server wallet:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./server -user_cert -cert ./server/server_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$  orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=server_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[oracle@test-machine01 u01]$


Client Certificate Part


Step 1. Create an empty wallet with auto-login enabled:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet create -wallet ./client -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -l client
total 16
-rw-------. 1 oracle oinstall 3885 Jun  6 16:31 cwallet.sso
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3840 Jun  6 16:31 ewallet.p12
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
[oracle@test-machine01 u01]$


Step 2. Create new Key pair of private/public keys:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./client -dn CN=client_test,C=IND -keysize 2048
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$  orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=client_test,C=IND
User Certificates:
Trusted Certificates:
[oracle@test-machine01 u01]$


Step 3. Export the Certificate Signature Request (CSR) to a file:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet export -wallet ./client -dn CN=client_test,C=IND -request ./client/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr client
total 12
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 16:29 csreq.txt
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$


Step 4. Sign the Client CSR with Root CA certificate:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki cert create -wallet ./root -request ./client/csreq.txt -cert ./client/client_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ ls -ltr client
total 16
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 16:29 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun  6 16:31 client_cert.txt
[oracle@test-machine01 u01]$


Step 5. Add the Root CA’s Trusted Certificate to the Client wallet:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./client -trusted_cert -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$


Step 6. Add the User Certificate to the Client wallet:

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet add -wallet ./client -user_cert -cert ./client/client_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[oracle@test-machine01 u01]$

[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$ orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=client_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[oracle@test-machine01 u01]$
[oracle@test-machine01 u01]$
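
A quick way to confirm that a wallet ended up in the expected state after Step 6, given here as an added example that is not part of the original post: the function parses the text printed by orapki wallet display and reports whether a CSR is still pending or the user certificate and the Root CA certificate are both in place. The names wallet_state and check_sample and the state labels are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify a wallet from the text
# that `orapki wallet display` prints. Prints one of:
#   empty | csr_pending | incomplete | ready

wallet_state() {
    # $1 = DN expected under "User Certificates"
    # $2 = DN expected under "Trusted Certificates" (the signing CA)
    awk -v user_dn="$1" -v ca_dn="$2" '
        /^Requested Certificates:/ { section = "req";   next }
        /^User Certificates:/      { section = "user";  next }
        /^Trusted Certificates:/   { section = "trust"; next }
        /^Subject:/ {
            dn = $0
            sub(/^Subject:[ \t]*/, "", dn)
            sub(/[ \t\r]+$/, "", dn)
            seen[section]++
            if (section == "user"  && dn == user_dn) have_user = 1
            if (section == "trust" && dn == ca_dn)   have_ca = 1
        }
        END {
            if (seen["req"] > 0)                        print "csr_pending"
            else if (have_user && have_ca)              print "ready"
            else if (seen["user"] + seen["trust"] == 0) print "empty"
            else                                        print "incomplete"
        }'
}

# Sample inputs: display output copied from server Steps 5 and 6 above
# (tool banner lines omitted; the parser ignores them anyway).
AFTER_STEP5='Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
Subject:        CN=root_test,C=IND'

AFTER_STEP6='Requested Certificates:
User Certificates:
Subject:        CN=server_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND'

check_sample() {   # $1 = display text, $2 = user DN, $3 = CA DN
    printf '%s\n' "$1" | wallet_state "$2" "$3"
}

check_sample "$AFTER_STEP5" "CN=server_test,C=IND" "CN=root_test,C=IND"
check_sample "$AFTER_STEP6" "CN=server_test,C=IND" "CN=root_test,C=IND"

# Against a live auto-login wallet (display does not prompt, as in the sessions above):
#   orapki wallet display -wallet ./server | wallet_state "CN=server_test,C=IND" "CN=root_test,C=IND"
```

A result of csr_pending after Step 6 means the signed certificate was never imported; incomplete means the wallet holds a certificate or trust anchor other than the DNs passed in.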


This document is for learning purposes only. Always validate in the LAB environment first before applying in the LIVE environment.


Hope you like this article!

Jamsher Khan

Hello and welcome to DBsGuru, I’m Jamsher Khan working as Senior Oracle DBA based in KSA-Jeddah, I have working experience in Oracle DBA, SQL Server, MySql, PostgreSQL, Linux, Golden Gate, ODA. Thanks for the visits! Share Learn Grow!