Some notes about importing existing SSL certificates into Oracle#

Thu Aug 28 23:32:39 2025

date: Tue, 3 Sep 2002 17:8:7 +0000

Some notes about importing existing SSL certificates into Oracle Wallet Manager:

• Importing a site certificate as a trusted certificate will appear to work, but the Oracle HTTP Server (a.k.a. binary-only-Apache minus the perectly good mod_ssl, plus mod_ossl which is dumb, underdocumented and ... oh, never mind. That was an aside) won't actually work with it. Instead it will send you some corrupted mush which according to ethereal is a zero-length certificate.

• You can't import a site certificate as a user certificate, because it won't let you import certificates that it doesn't have CSRs for.

• You can't import your old CSR even if you have kept it, because it doesn't have the option for that either

• But the so-called wallets are in fact (fairly) standard PKCS#12 files, which can be created by OpenSSL: if you create a pkcs12 file using a third-party tool you just have to call it ewallet.12 (you can only point owm at directories, not actual filenames).

• You need to put the CA cert in the wallet as well as the site cert, otherwise it complains that your password is incorrect. The cry goes up: Yay Oracle error messages!

So in our particular case,

1. Download the Thawte CA cert from http://www.thawte.com/serverbasic.crt
2. Convert to PEM: openssl x509 inform der in ~/serverbasic.crt outform pem out thawte.crt.pem
3. Make a wallet: openssl pkcs12 noiter nodes export certfile ~/serverbasic.crt inkey ../ssl.key/www.foo.com.key in ../ssl.crt/www.foo.com.crt name 'friendly name' nodes noiter out /tmp/e1/ewallet.p12

Most of the time spent finding this out was actually in translating the "incorrect password" error message into "I can't load this wallet because it doesn't include the CA cert". Obvious in retrospect. Sure