Some notes about importing existing SSL certificates into Oracle#

Tue, 03 Sep 2002 17:08:07 +0000

Some notes about importing existing SSL certificates into Oracle Wallet Manager:

• Importing a site certificate as a trusted certificate will appear to work, but the Oracle HTTP Server (a.k.a. binary-only-Apache minus the perectly good modssl, plus modossl which is dumb, underdocumented and ... oh, never mind. That was an aside) won't actually work with it. Instead it will send you some corrupted mush which according to ethereal is a zero-length certificate.

• You can't import a site certificate as a user certificate, because it won't let you import certificates that it doesn't have CSRs for.

• You can't import your old CSR even if you have kept it, because it doesn't have the option for that either

• But the so-called wallets are in fact (fairly) standard PKCS#12 files, which can be created by OpenSSL: if you create a pkcs12 file using a third-party tool you just have to call it ewallet.12 (you can only point owm at directories, not actual filenames).

• You need to put the CA cert in the wallet as well as the site cert, otherwise it complains that your password is incorrect. The cry goes up: Yay Oracle error messages!

So in our particular case,

1. Download the Thawte CA cert from http://www.thawte.com/serverbasic.crt
2. Convert to PEM: openssl x509 -inform der -in ~/serverbasic.crt -outform pem -out thawte.crt.pem
3. Make a wallet: openssl pkcs12 -noiter -nodes -export -certfile ~/serverbasic.crt -inkey ../ssl.key/www.foo.com.key -in ../ssl.crt/www.foo.com.crt -name 'friendly name' -nodes -noiter -out /tmp/e1/ewallet.p12

Most of the time spent finding this out was actually in translating the "incorrect password" error message into "I can't load this wallet because it doesn't include the CA cert". Obvious in retrospect. Sure