When creating a Wallet with the Oracle Wallet Manager to hold certificates, for example for SSL support in Oracle products, make sure you complete the certificate chain. Some confusion can occur when certificates are requested from an Intermediate CA (Certificate Authority). Most of the Oracle documentation assumes you will be signing directly with a Root CA.
I have created step-by-step instructions for creating an Oracle Wallet, requesting the certificate, and importing it together with the intermediate and root certificates.
Creating the Certificate Request
- Open the Oracle Wallet Manager.
- The first question is to refer to a default location. On Windows, the default document location is chosen for you.
- Create a new Wallet; you must enter a password.
After this, an ewallet.p12 file is created, with some pre-loaded certificates of large Certificate Authorities.
- Save the Wallet in a secure location. This can be a central location where all the SSL components can access it. A Wallet can be shared, so only one Wallet per server for all Oracle products will do.
- If you like, choose the ‘Auto Login’ option. This way you don’t need to supply the username/password every time you refer to the Wallet in configuration files.
Now, a cwallet.sso file is created, which will be updated automatically when you change and save the Wallet.
- Create a certificate request, fill in the information and store this in the Wallet. The standard Wallet type is the PKCS #12 format, in case you need this information somewhere.
- Export the request and give it an obvious name and extension. If you have multiple servers, you want to keep them apart.
The status of this user certificate will change to Requested.
- Save the Wallet. It is important that you have stored the request, because it must match the signed user certificate you will get from your CA. Otherwise you’ll need to create a new request again. As far as I know, you cannot import a request into an empty Wallet!
- Send the exported request to your Certificate Authority. Important: If you use this with Oracle IAS (web server), make sure the CA uses the Apache mod-ssl settings, not the Microsoft IIS ones!
Importing the certificates
The Certificate Authority will use this request to create a signed user certificate.
- The CA will send you the signed user certificate, possibly together with some CA certificates or a link to their site.
When the standard Oracle Wallet does not include the Root CA certificate of your CA or when the certificate is signed by an Intermediate CA, you need to get the right Root CA certificate and intermediate certificates to complete the certificate chain.
The Root CA certificate and the intermediate certificates can usually be found on the CA’s website; otherwise, contact them.
- Start the Wallet Manager and open the Wallet you want to complete with the certificates from the Certificate Authority.
- You need to import the certificates in the correct order: start with the Root CA certificate, followed by the intermediate certificates, by choosing the ‘Import Trusted Certificate’ menu option in the Wallet Manager.
- Now you can import the signed user certificate by choosing the ‘Import User Certificate’ menu option.
- You have now added the certificates to the standard Wallet and, if all went right, the Wallet status should change to Ready.
- Save the Wallet and use it wisely.
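
The import order from the steps above can be worked out before opening the Wallet Manager. This is an added example, not part of the original instructions: it takes each certificate's subject and issuer DN (as printed by `openssl x509 -noout -subject -issuer`), returns the files in root-first order, and reports the issuer that is still missing when the chain is incomplete. The function name, file names and DNs are constructed for illustration, and matching is by name only, so signatures are not verified.

```python
# Added example: plan the Wallet import order from each certificate's
# subject and issuer DN (matching by name only; signatures are not checked).

def plan_import_order(certs, user_subject):
    """Return (ordered_files, missing_issuer).

    certs: list of (file, subject, issuer) tuples.
    ordered_files runs root -> intermediates -> user certificate, the order
    in which the certificates are imported into the Wallet.
    missing_issuer is None when the chain ends in a self-signed root,
    otherwise the DN of the CA certificate that still has to be obtained.
    """
    by_subject = {subject: (name, issuer) for name, subject, issuer in certs}
    if user_subject not in by_subject:
        raise ValueError("user certificate not in the supplied set")
    chain, current, seen = [], user_subject, set()
    while True:
        if current in seen:
            raise ValueError("issuer loop at " + current)
        seen.add(current)
        if current not in by_subject:
            # Issuer certificate was not supplied: the chain is incomplete.
            return list(reversed(chain)), current
        name, issuer = by_subject[current]
        chain.append(name)
        if issuer == current:
            # Self-signed: this is the Root CA, so the chain is complete.
            return list(reversed(chain)), None
        current = issuer


# Constructed sample data (hypothetical names, not from the original page).
ROOT = "CN=Example Root CA,O=Example CA,C=NL"
INTER = "CN=Example Issuing CA 1,O=Example CA,C=NL"
USER = "CN=ias01.example.com,O=Example Corp,C=NL"

SAMPLE = [
    ("ias01.crt", USER, INTER),
    ("issuing-ca-1.crt", INTER, ROOT),
    ("root-ca.crt", ROOT, ROOT),
]

if __name__ == "__main__":
    print(plan_import_order(SAMPLE, USER))
    # Same set without the intermediate: the chain stops at the user cert.
    print(plan_import_order([SAMPLE[0], SAMPLE[2]], USER))
```

A non-empty second value means a Trusted Certificate is still missing and has to be obtained from the CA before the user certificate is imported.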