Steps to create Self Signed Server and Client SSL Certificates in Oracle
In the previous blog, we discuss in detail about Oracle Wallet Click here to read more. In this blog, we will discuss the steps required to create Self Signed Server and Client SSL Certificates in Oracle.
Below are the high-level steps we will follow to create SSL certificates.
Root CA Part –
Create a wallet for the Root Certificate Authority (CA)
Add a self-signed certificate to the Root CA wallet
Export the Root CA certificate
Server Certificate Part –
Create an empty wallet with auto-login enabled
Create new Key pair of private/public keys
Export the Certificate Signature Request (CSR) to a file
Sign the Server CSR with Root CA certificate
Add the Root CA’s Trusted Certificate to the Server wallet
Add the User Certificate to the Server wallet
Client Certificate Part –
Create an empty wallet with auto-login enabled
Create new Key pair of private/public keys
Export the Certificate Signature Request (CSR) to a file
Sign the Server CSR with Root CA certificate
Add the Root CA’s Trusted Certificate to the Client wallet
Add the User Certificate to the Client wallet
Root CA Part
Step 1. Create a wallet for the Root Certificate Authority (CA):
[[email protected] ~]$
[[email protected] ~]$ cd /u01
[[email protected] u01]$
[[email protected] u01]$ mkdir root
[[email protected] u01]$ mkdir server
[[email protected] u01]$ mkdir client
[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ ls -ltr root
total 4
-rw-------. 1 oracle oinstall 0 Jun 6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall 149 Jun 6 14:05 ewallet.p12
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Trusted Certificates:
[[email protected] u01]$
[[email protected] u01]$
Step 2. Add a self-signed certificate to the Root CA wallet:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./root -dn CN=root_test,C=IND -keysize 2048 -self_signed -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./root
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=root_test,C=IND
Trusted Certificates:
Subject: CN=root_test,C=IND
[[email protected] u01]$
[[email protected] u01]$
Step 3. Export the Root CA certificate:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./root -dn CN=root_test,C=IND -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Subject: CN=root_test,C=IND
Issuer: CN=root_test,C=IND
Valid Until: Thu Jun 03 14:08:14 AST 2032
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./root/CARoot_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
{ fingerprint = 1b3dd9bfd9600112f8f4884688eec165, notBefore = Mon Jun 06 14:08:14 AST 2022, notAfter = Thu Jun 03 14:08:14 AST 2032, holder = CN=root_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 4079697574780484414530897106893010121, sigAlgOID = SHA256withRSA, key = { modulus = 17552266264330691885805246917437579089384822013498567786369526906548543166742453474101841638637331262236391896133903788509559776004695226645876370301302299979012851870184962378539923926114749510225011344052851280923792311483086572465255927997644895985210927147801927597011222995428990259339049619995937954701529746590634463328279629093077989396757899738366613190524873966931833941299785393915464267637050198075119516606063567163647147383544889151434905130666858721854010987241832423676055565307670829985077894481599607220669736737398988518605102903689922707037943034593973850215825354867297227094696917363854375573561, exponent = 65537 } }
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -ltr root
total 8
-rw-------. 1 oracle oinstall 0 Jun 6 14:05 ewallet.p12.lck
-rw-------. 1 oracle oinstall 0 Jun 6 14:07 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3848 Jun 6 14:08 ewallet.p12
-rw-------. 1 oracle oinstall 1024 Jun 6 15:19 CARoot_cert.txt
[[email protected] u01]$
[[email protected] u01]$
Server Certificate Part
Step 1. Create an empty wallet with auto-login enabled:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./server -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -l server
total 8
-rw-------. 1 oracle oinstall 194 Jun 6 15:40 cwallet.sso
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 149 Jun 6 15:40 ewallet.p12
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 ewallet.p12.lck
[[email protected] u01]$
Step 2. Create new Key pair of private/public keys:
[[email protected] u01]$ orapki wallet add -wallet ./server -dn CN=server_test,C=IND -keysize 2048
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=server_test,C=IND
User Certificates:
Trusted Certificates:
[[email protected] u01]$
Step 3. Export the Certificate Signature Request (CSR) to a file:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./server -dn CN=server_test,C=IND -request ./server/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -ltr server
total 12
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun 6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun 6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall 918 Jun 6 15:46 csreq.txt
[[email protected] u01]$
Step 4. Sign the Server CSR with Root CA certificate:
[[email protected] u01]$
[[email protected] u01]$ orapki cert create -wallet ./root -request ./server/csreq.txt -cert ./server/server_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -ltr server
total 16
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 ewallet.p12.lck
-rw-------. 1 oracle oinstall 0 Jun 6 15:40 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun 6 15:44 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun 6 15:44 cwallet.sso
-rw-------. 1 oracle oinstall 918 Jun 6 15:46 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun 6 15:50 server_cert.txt
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki cert display -cert ./server/server_cert.txt -complete
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
{ fingerprint = fb831aa4311dc98a4382ab9a46dcf11c, notBefore = Mon Jun 06 15:50:37 AST 2022, notAfter = Thu Jun 03 15:50:37 AST 2032, holder = CN=server_test,C=IND, issuer = CN=root_test,C=IND, serialNo = 0, sigAlgOID = SHA256withRSA, key = { modulus = 16847008607975603405055575350829997368836005661349009602694893293119887705742134552842738360687573327151838219860950605676313865785043106331572487409896417394999793602105627344419902080406896033677552294845262742053028071454633444008492095245663623167428955312756056678098716661243405908542697911852709851521437761789355114567615799971872900080646568392639748793219860342513486215375466322106006073759487624555896886917210203815963047615317029601410489368163122113415460190736114636583353527873831137344229073865280082628955190492425031992242165986431678984042798971166840298921491925046836224047898887757467871363361, exponent = 65537 } }
[[email protected] u01]$
Step 5. Add the Root CA’s Trusted Certificate to the Server wallet:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./server -trusted_cert -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=server_test,C=IND
User Certificates:
Trusted Certificates:
Subject: CN=root_test,C=IND
[[email protected] u01]$
Step 6. Add the User Certificate to the Server wallet:
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./server -user_cert -cert ./server/server_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./server
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=server_test,C=IND
Trusted Certificates:
Subject: CN=root_test,C=IND
[[email protected] u01]$
Client Certificate Part
Step1. Create an empty wallet with auto-login enabled:
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet create -wallet ./client -auto_login
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -l client
total 16
-rw-------. 1 oracle oinstall 3885 Jun 6 16:31 cwallet.sso
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 3840 Jun 6 16:31 ewallet.p12
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 ewallet.p12.lck
[[email protected] u01]$
Step 2. Create new Key pair of private/public keys:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -dn CN=client_test,C=IND -keysize 2048
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=client_test,C=IND
User Certificates:
Trusted Certificates:
[[email protected] u01]$
Step 3. Export the Certificate Signature Request (CSR) to a file:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet export -wallet ./client -dn CN=client_test,C=IND -request ./client/csreq.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ ls -ltr client
total 12
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun 6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun 6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall 918 Jun 6 16:29 csreq.txt
[[email protected] u01]$
[[email protected] u01]$
Step 4. Sign the Client CSR with Root CA certificate:
[[email protected] u01]$
[[email protected] u01]$ orapki cert create -wallet ./root -request ./client/csreq.txt -cert ./client/client_cert.txt -validity 3650
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$ ls -ltr client
total 16
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 ewallet.p12.lck
-rw-------. 1 oracle oinstall 0 Jun 6 16:28 cwallet.sso.lck
-rw-------. 1 oracle oinstall 2216 Jun 6 16:28 ewallet.p12
-rw-------. 1 oracle oinstall 2261 Jun 6 16:28 cwallet.sso
-rw-------. 1 oracle oinstall 918 Jun 6 16:29 csreq.txt
-rw-------. 1 oracle oinstall 1004 Jun 6 16:31 client_cert.txt
[[email protected] u01]$
Step 5. Add the Root CA’s Trusted Certificate to the Client wallet:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -trusted_cert -cert ./root/CARoot_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
Step 6. Add the User Certificate to the Client wallet:
[[email protected] u01]$
[[email protected] u01]$ orapki wallet add -wallet ./client -user_cert -cert ./client/client_cert.txt
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Cannot modify auto-login (sso) wallet
Enter wallet password:
Operation is successfully completed.
[[email protected] u01]$
[[email protected] u01]$
[[email protected] u01]$ orapki wallet display -wallet ./client
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=client_test,C=IND
Trusted Certificates:
Subject: CN=root_test,C=IND
[[email protected] u01]$
[[email protected] u01]$
This document is just for learning purposes and always validate in the LAB environment first before applying in the LIVE environment.
Hope so you like this article!
Please share your valuable feedback/comments/subscribe and follow us below and don’t forget to click on the bell icon to get the most recent update. Click here to understand more about our pursuit.
Related Articles
- Oracle Critical Database Patch ID for April 2023 along with enabled Download Link
- Oracle Critical Database Patch ID for January 2023 along with enabled Download Link
- Steps to Apply Combo Patch (Oct 2022) on Clusterware in Two Node RAC in Oracle
- How to Enable PasswordLess SSH login in Linux
- Oracle Critical Database Patch ID for October 2022 along with enabled Download Link
Hello and welcome to DBsGuru,
I’m Jamsher Khan working as Senior Oracle DBA based in KSA-Jeddah, I have working experience in Oracle DBA, SQL Server, MySql, PostgreSQL, Linux, Golden Gate, ODA.
Thanks for the visits!
Share Learn Grow!
