Follow Us on Twitter

Oracle Wallet with intermediate certificates

by Ian Hoogeboom on September 30, 2009 · 4 comments

Solution Certificate chain

When creating an Wallet with the Oracle Wallet Manager to hold certificates to be used with SSL support in Oracle products for example, make sure you complete the certificate chain. Some confusion can occur when certificates are requested at an Intermediate CA (Certificate Authority). Most of the Oracle documentation assumes you will be signing directly with a Root CA.

I have created a step by step instruction of creating an Oracle Wallet with requesting and importing the certificate it with intermediate and root certificates.

Creating the Certificate Request

  • Open the Oracle Wallet Manager.
  • The first question is to refer to a default location. On Windows, the default document location is chosen for you.
  • Create a new Wallet, you must enter a password.
    After this, an ewallet.p12 file is created, with some pre-loaded certificates of large Certificate Authorities.
  • Save the Wallet in a secure location. This can be a central location where all the SSL components can access it. A Wallet can be shared, so only one Wallet per server for all Oracle products will do.
  • If you like, choose the ‘Auto Login’ option. This way you don’t need so supply the username/password every time you refer to the Wallet in configuration files.
    Now, a cwallet.sso file is created, which will be updated automatically when you change and save the Wallet.
  • Create a certificate request, fill in the information and store this in the Wallet. The standard Wallet type is the PKCS #12 format, in case you need this information somewhere.
  • Export the request and give it an obvious name and extension. If you have multiple servers, you want to keep them apart.
    The status of this user certificate will change to Requested.
  • Save the Wallet, it is important you have stored the request, because it must match the signed user certificate you will get from your CA. Otherwise you’ll need to create a new request again. As far as I know, you can not import a request in an empty Wallet!
  • Send the exported request to your Certificate Authority. Important: If you use this with Oracle IAS (web server), make sure the CA uses the Apache mod-ssl settings, not the Microsoft IIS ones!

Importing the certificates

The Certificate Authority will use this request to create a signed user certificate.

  • The CA will send you the signed user certificate, possibly together with some CA certificates or a link to their site.
    When the standard Oracle Wallet does not include the Root CA certificate of your CA or when the certificate is signed by an Intermediate CA, you need to get the right Root CA certificate and intermediate certificates to complete the certificate chain.
    The Root CA certificate and the intermediate certificates can usually be found on the CA’s website, otherwise, contact them.
  • Start the Wallet Manager and open the Wallet you want to complete with the certificates from the Certificate Authority.
  • You need to import the certificates in the correct order, to start with the Root CA certificate, followed by the intermediate certificates by choosing the ‘Import Trusted Certificate’ menu option in the Wallet Manager.
  • Now you can import the signed user certificate by choosing the ‘Import User Certificate’ menu option.
  • You now have added the certificates to the standard Wallet and if all went right, the Wallet status should change to Ready.
  • Save de Wallet and use it wisely.
Oracle Wallet with intermediate certificates, 5.0 out of 5 based on 1 rating
VN:D [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

{ 4 comments… read them below or add one }

DonnaBest July 31, 2013 at 4:16 pm

How do I export an Intermediate Certificate. When I export my certificate it tells me the options I’ve chosen is Full Path = No. and do I use a different file format than the Encrypted 64?


Guido Leenders October 28, 2013 at 12:00 pm

Thanks for these. I have written instructions for Windows platform, including fixing that Oracle Wallet removes security settings. The instructions are at


ashok shrestha October 13, 2014 at 8:53 pm

Hello Ian,
good information. I am confused, hope you can clear this out. Why do we need to import certificate or what is the use of certificate? I can use wallet and tde in oracle without certificate.



Natarajan August 11, 2016 at 7:47 pm

This is very useful article (for setting up TCPS/SSL DB connection), particularly the order of steps to be followed.
1. Create CSR on DB server/host.
2. Get Trusted certificate(root/CertChain) from CA and import ALL (first root, intermediary, 2nd Intermediary, etc) as Trusted certificate, one by one.
3. Get Identity (User) certificate from CA and import as User certificate

4. Import the Identify (User) certificate on Client side as Trusted Certificate(!)

thanks a bunch.


Leave a Comment


Previous post:

Next post:

About Whitehorses
Company profile

Whitehorses website

Home page

Follow us
Blog post RSS
Comment RSS