Steps to create Self Signed Server and Client SSL Certificates in Oracle


In the previous blog, we discussed Oracle Wallet in detail. In this blog, we will go through the steps required to create self-signed server and client SSL certificates in Oracle.


Below are the high-level steps we will follow to create SSL certificates.

Root CA Part –
    Create a wallet for the Root Certificate Authority (CA)
    Add a self-signed certificate to the Root CA wallet
    Export the Root CA certificate


Server Certificate Part –

    Create an empty wallet with auto-login enabled
    Create new Key pair of private/public keys
    Export the Certificate Signature Request (CSR) to a file
    Sign the Server CSR with Root CA certificate
    Add the Root CA’s Trusted Certificate to the Server wallet
    Add the User Certificate to the Server wallet


Client Certificate Part –

    Create an empty wallet with auto-login enabled
    Create new Key pair of private/public keys
    Export the Certificate Signature Request (CSR) to a file
    Sign the Client CSR with Root CA certificate
    Add the Root CA’s Trusted Certificate to the Client wallet
    Add the User Certificate to the Client wallet


Root CA Part


Step 1. Create a wallet for the Root Certificate Authority (CA):

[[email protected] ~]$
[[email protected] ~]$ cd /u01
[[email protected] u01]$
[[email protected] u01]$ mkdir root
[[email protected] u01]$ mkdir server
[[email protected] u01]$ mkdir client

[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ ls -ltr root
total 4
-rw-------. 1 oracle oinstall   0 Jun  6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall 149 Jun  6 14:05 ewallet.p12
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Trusted Certificates:
[[email protected] u01]$
[[email protected] u01]$


Step 2. Add a self-signed certificate to the Root CA wallet:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./root -dn CN=root_test,C=IND -keysize 2048 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$  orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Requested Certificates:
User Certificates:
Subject:        CN=root_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[[email protected] u01]$
[[email protected] u01]$


Step 3. Export the Root CA certificate:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./root -dn CN=root_test,C=IND -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$


[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Subject:        CN=root_test,C=IND
Issuer:         CN=root_test,C=IND
Valid Until:    Thu Jun 03 14:08:14 AST 2032
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./root/CARoot_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

{ fingerprint = 1b3dd9bfd9600112f8f4884688eec165, notBefore = Mon Jun 06 14:08:14 AST 2022, notAfter = Thu Jun 03 14:08:14 AST 2032, holder = CN=root_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 4079697574780484414530897106893010121, sigAlgOID = SHA256withRSA, key = { modulus = 17552266264330691885805246917437579089384822013498567786369526906548543166742453474101841638637331262236391896133903788509559776004695226645876370301302299979012851870184962378539923926114749510225011344052851280923792311483086572465255927997644895985210927147801927597011222995428990259339049619995937954701529746590634463328279629093077989396757899738366613190524873966931833941299785393915464267637050198075119516606063567163647147383544889151434905130666858721854010987241832423676055565307670829985077894481599607220669736737398988518605102903689922707037943034593973850215825354867297227094696917363854375573561, exponent = 65537 } }
[[email protected] u01]$
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ ls -ltr root
total 8
-rw-------. 1 oracle oinstall    0 Jun  6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 14:07 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3848 Jun  6 14:08 ewallet.p12
-rw-------. 1 oracle oinstall 1024 Jun  6 15:19 CARoot_cert.txt
[[email protected] u01]$
[[email protected] u01]$


Server Certificate Part


Step 1. Create an empty wallet with auto-login enabled:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./server -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ ls -l server
total 8
-rw-------. 1 oracle oinstall 194 Jun  6 15:40 cwallet.sso
-rw-------. 1 oracle oinstall   0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 149 Jun  6 15:40 ewallet.p12
-rw-------. 1 oracle oinstall   0 Jun  6 15:40 ewallet.p12.lck
[[email protected] u01]$


Step 2. Create new Key pair of private/public keys:

[[email protected] u01]$ orapki wallet add -wallet ./server -dn CN=server_test,C=IND -keysize 2048  
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
[[email protected] u01]$


Step 3. Export the Certificate Signature Request (CSR) to a file:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./server -dn CN=server_test,C=IND -request ./server/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[[email protected] u01]$


[[email protected] u01]$
[[email protected] u01]$ ls -ltr server
total 12
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 15:46 csreq.txt
[[email protected] u01]$


Step 4. Sign the Server CSR with Root CA certificate:

[[email protected] u01]$
[[email protected] u01]$ orapki cert create -wallet ./root -request ./server/csreq.txt -cert ./server/server_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$


[[email protected] u01]$
[[email protected] u01]$ ls -ltr server
total 16
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 15:46 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun  6 15:50 server_cert.txt
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./server/server_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

{ fingerprint = fb831aa4311dc98a4382ab9a46dcf11c, notBefore = Mon Jun 06 15:50:37 AST 2022, notAfter = Thu Jun 03 15:50:37 AST 2032, holder = CN=server_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 0, sigAlgOID = SHA256withRSA, key = { modulus = 16847008607975603405055575350829997368836005661349009602694893293119887705742134552842738360687573327151838219860950605676313865785043106331572487409896417394999793602105627344419902080406896033677552294845262742053028071454633444008492095245663623167428955312756056678098716661243405908542697911852709851521437761789355114567615799971872900080646568392639748793219860342513486215375466322106006073759487624555896886917210203815963047615317029601410489368163122113415460190736114636583353527873831137344229073865280082628955190492425031992242165986431678984042798971166840298921491925046836224047898887757467871363361, exponent = 65537 } }
[[email protected] u01]$


Step 5. Add the Root CA’s Trusted Certificate to the Server wallet:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./server -trusted_cert -cert  ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
Subject:        CN=root_test,C=IND
[[email protected] u01]$


Step 6. Add the User Certificate to the Server wallet:

[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./server -user_cert -cert ./server/server_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$  orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=server_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[[email protected] u01]$


Client Certificate Part


Step 1. Create an empty wallet with auto-login enabled:

[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./client -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -l client
total 16
-rw-------. 1 oracle oinstall 3885 Jun  6 16:31 cwallet.sso
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3840 Jun  6 16:31 ewallet.p12
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
[[email protected] u01]$


Step 2. Create new Key pair of private/public keys:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -dn CN=client_test,C=IND -keysize 2048
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$  orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=client_test,C=IND
User Certificates:
Trusted Certificates:
[[email protected] u01]$


Step 3. Export the Certificate Signature Request (CSR) to a file:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./client -dn CN=client_test,C=IND -request ./client/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -ltr client
total 12
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 16:29 csreq.txt
[[email protected] u01]$
[[email protected] u01]$


Step 4. Sign the Client CSR with Root CA certificate:

[[email protected] u01]$
[[email protected] u01]$ orapki cert create -wallet ./root -request ./client/csreq.txt -cert ./client/client_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ ls -ltr client
total 16
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall    0 Jun  6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun  6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun  6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall  918 Jun  6 16:29 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun  6 16:31 client_cert.txt
[[email protected] u01]$


Step 5. Add the Root CA’s Trusted Certificate to the Client wallet:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -trusted_cert -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$


Step 6. Add the User Certificate to the Client wallet:

[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -user_cert -cert ./client/client_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$

[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=client_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
[[email protected] u01]$
[[email protected] u01]$
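
The `orapki wallet display` output above is the only evidence that each wallet ended up in the right state: no pending request, a user certificate with the expected DN, and the Root CA under Trusted Certificates. The following is an added example, not part of the original post, that turns that visual check into a scripted one; the function name `check_wallet` and its status words are assumptions made for this example, and the two sample inputs are the display outputs shown above for the server wallet after Step 5 and Step 6.

```shell
#!/bin/sh
# Added example (not from the original post): assert wallet state from the
# text printed by `orapki wallet display`, using the layout shown above.
# Real use: orapki wallet display -wallet ./server | check_wallet USER_DN ROOT_DN

# check_wallet USER_DN ROOT_DN  (reads the display output on stdin)
# Prints one status word; exit status is 0 only for OK.
check_wallet() {
  awk -v user="$1" -v root="$2" '
    /^Requested Certificates:/ { sec = "req";   next }
    /^User Certificates:/      { sec = "user";  next }
    /^Trusted Certificates:/   { sec = "trust"; next }
    /^Subject:/ {
      dn = $0
      sub(/^Subject:[ \t]*/, "", dn)   # keep only the DN
      sub(/[ \t\r]+$/, "", dn)         # drop trailing blanks and CR
      if (sec == "req") pending = 1    # CSR not yet replaced by a signed cert
      else if (sec == "user"  && dn == user) have_user = 1
      else if (sec == "trust" && dn == root) have_root = 1
    }
    END {
      if (pending)    { print "PENDING_REQUEST";  exit 1 }
      if (!have_user) { print "NO_USER_CERT";     exit 1 }
      if (!have_root) { print "ROOT_NOT_TRUSTED"; exit 1 }
      print "OK"
    }'
}

# Display output as printed on this page after server Step 5 (CA trusted,
# signed certificate not yet imported).
sample_step5() {
  cat <<'EOF'
Requested Certificates:
Subject:        CN=server_test,C=IND
User Certificates:
Trusted Certificates:
Subject:        CN=root_test,C=IND
EOF
}

# Display output as printed on this page after server Step 6.
sample_step6() {
  cat <<'EOF'
Requested Certificates:
User Certificates:
Subject:        CN=server_test,C=IND
Trusted Certificates:
Subject:        CN=root_test,C=IND
EOF
}

# Demo: the wallet passes only once the signed certificate has been imported.
sample_step5 | check_wallet "CN=server_test,C=IND" "CN=root_test,C=IND" || true
sample_step6 | check_wallet "CN=server_test,C=IND" "CN=root_test,C=IND"
```

The same call with `CN=client_test,C=IND` as the first argument checks the client wallet.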


This document is for learning purposes only. Always validate in a LAB environment first before applying in the LIVE environment.


Hope you like this article!