Converting an SSL certificate into an Oracle Wallet

This document describes how to convert an SSL certificate from a vendor such as Verisign, IPSCA, GlobalSign, &c. into an Oracle Wallet.

Oracle Application Server 10.1.x is based on a slightly modified version of Apache 1.3. For SSL communications, it stores its certificates in something called an "Oracle Wallet". The wallet is actually just a certificate and its CA certificate chain stored in PKCS#12 format. CSRs can be generated and certificates stored into the wallet using the Oracle Wallet Manager program; however, it is also possible to convert an existing certificate so that it is recognized by the Oracle software as an Oracle Wallet.

The conversion process is described below:

  1. Obtain the following files in PEM format: the server's certificate; the CA certificate and intermediate certificates (these must be concatenated into a single file); and the server's encrypted private key.
  2. Obtain the password for the server's encrypted private key.
  3. On a server with openssl installed, issue the following command, replacing certfile, keyfile, and cacertfile with the filenames of the certificate file, the private key file, and the CA certificate chain file, respectively:

       openssl pkcs12 -export -in certfile -inkey keyfile -certfile cacertfile -out ewallet.p12

    1. Enter the private key's passphrase when prompted for it.
    2. Enter an export password when prompted for it. You MUST supply a non-blank password; you may make one up. You will need to type it again as verification.
    3. The resulting file MUST be named ewallet.p12 in order for Oracle to recognize it as a wallet.

  4. Upload the ewallet.p12 file to the Oracle Application Server. Move it to where the oracle O/S user can access it.

  5. Start the Oracle Wallet Manager application (this is an X-Windows application on Unix/Linux systems; type owm to start the app).

  6. Under the Wallet menu, click "Open".
    1. You will likely receive an error message about the default wallet directory not existing, and asking you if you want to continue. Click Yes.
    2. You will be asked to select the directory where the wallet file is located.
    3. You will be asked for the wallet password. Enter the export password you entered when converting the certificate.
    4. The wallet should open, and the certificate should be displayed with a status of "Ready". You should also see the CA certificate under "Trusted Certificates".
  7. Under the Wallet menu, select "Auto Login". Verify that it was selected by viewing the Wallet menu again; the Auto Login box should now have a check mark.
  8. Under the Wallet menu, select "Exit" to quit the Oracle Wallet Manager application.

You now have two files that comprise the wallet: ewallet.p12 and cwallet.sso. These files MUST reside in the same directory. You may now configure the Oracle Application Server software to reference these files.
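
The checks implied by steps 1 to 3, as an added example that is not part of the original document: it confirms that the private key matches the certificate and that the certificate verifies against the concatenated CA file before running the export, then counts the certificates in the resulting wallet. The function names and the KEYPASS and EXPORTPASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks around the "openssl pkcs12 -export" step.
# Assumptions: passphrases are supplied in the exported environment variables
# KEYPASS (private key) and EXPORTPASS (wallet); function names are hypothetical.

# True only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True only if the certificate ($1) chains to a root in the concatenated CA file ($2).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run both checks, then write ewallet.p12 into directory $4.
make_wallet() {  # cert key cachain outdir
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "certificate does not verify against CA chain" >&2; return 1; }
    [ -n "$EXPORTPASS" ] || { echo "export password must be non-blank" >&2; return 1; }
    ( umask 077   # the wallet holds the private key: create it owner-only
      openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
          -passin env:KEYPASS -passout env:EXPORTPASS -out "$4/ewallet.p12" )
}

# Number of certificates stored in a wallet file ($1): server cert plus CA chain.
wallet_cert_count() {
    openssl pkcs12 -in "$1" -passin env:EXPORTPASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Usage: KEYPASS=... EXPORTPASS=... sh make_wallet.sh cert.pem key.pem cachain.pem outdir
if [ "$#" -eq 4 ]; then
    make_wallet "$@" && echo "certificates in wallet: $(wallet_cert_count "$4/ewallet.p12")"
fi
```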
