
CREATE CSR AND SSL CERTIFICATES USING WALLETS

The first step is to create a wallet and then a CSR (the request we need to submit to the
certification authority to generate our SSL certificate).

Make sure the ORACLE_HOME environment variable is set.

1. Create a new directory to store the wallet

2. Create the wallet in that directory

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet <wallet-path> -auto_login_only

3. Create the CSR (certificate request). We pass the DN for the certificate, usually your site
name and the company.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet <wallet-path> -dn 'CN=<your-site-name>,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -keysize 2048 -auto_login_only

4. Export the CSR. Now that we have created the CSR, we need to export it to a file we can
send to the certification authority. The following command creates a file server.csr
containing the CSR. Use the same DN as in step 3.

$ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet <wallet-path> -dn 'CN=<your-site-name>,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -request <wallet-path>/server.csr

5. Now submit the generated file to a certification authority to request an SSL
certificate. They will send us the certificate as well as the required root and intermediate
certificates.

6. Once the certification authority creates the certificate, we first need to import the root
certificate. Sometimes they will give it to us as part of the bundle. We need all 3 certificates
in the SSL chain.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet <wallet-path> -trusted_cert -cert <wallet-path>/root.crt -auto_login_only

7. Now import any other certificate in the chain. I got this one as part of the bundle they
sent me.

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet <wallet-path> -trusted_cert -cert <wallet-path>/intermediate.crt -auto_login_only

8. Finally, import the user cert itself

$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet <wallet-path> -user_cert -cert <wallet-path>/usercertficate.crt -auto_login_only

9. We can validate that the certificates have been imported using the following command.

$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet /u01/oracle/certs
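
Before running the imports in steps 6 to 8, it is worth confirming that the files returned by the certification authority belong together: the user certificate must carry the public key from the exported CSR, and it must verify through the intermediate up to the root. The script below is an added example, not part of the original page; it assumes the openssl command-line tool is installed, and the script name precheck.sh is hypothetical.

```shell
#!/bin/sh
# Added example: checks on the CA's files before the orapki imports (steps 6-8).
# Assumes the openssl CLI is installed; every path is passed in by the caller.

# Succeeds when the certificate carries the same public key as the CSR, i.e.
# it was issued for the key pair that was generated inside the wallet.
cert_matches_csr() {  # $1 = CSR file, $2 = user certificate
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeeds when the user certificate verifies through the intermediate up to
# the root, which is the chain the wallet must contain.
chain_verifies() {  # $1 = root, $2 = intermediate, $3 = user certificate
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Run both checks, print one line per check, return non-zero on any failure.
precheck() {  # $1 = CSR, $2 = root, $3 = intermediate, $4 = user certificate
    rc=0
    if cert_matches_csr "$1" "$4"; then
        echo "OK   key:   certificate matches the CSR exported from the wallet"
    else
        echo "FAIL key:   certificate was not issued for this CSR"; rc=1
    fi
    if chain_verifies "$2" "$3" "$4"; then
        echo "OK   chain: root -> intermediate -> user certificate"
    else
        echo "FAIL chain: user certificate does not verify with these CA files"; rc=1
    fi
    return "$rc"
}

# Usage (precheck.sh is a hypothetical file name for this script):
#   sh precheck.sh server.csr root.crt intermediate.crt usercertficate.crt
if [ "$#" -eq 4 ]; then precheck "$@"; fi
```

A failed key check means the certificate was issued for a different request than the one exported in step 4; a failed chain check usually means the intermediate file is missing or is not the issuer of the user certificate.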

CONFIGURE OHS for SSL


Now that we have a wallet, we need to tell OHS to use it. By default, 12c already has a
virtual host configured for SSL, so we only have to update it and specify the new wallet.

1. Edit the ssl.conf file under the configuration folder for the instance. Check the path
where ssl.conf is placed for your instance.

vi $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs2/ssl.conf

Set the SSLWallet directive to the directory where we saved the wallet

SSLWallet <wallet_path>

2. Stop OHS

$DOMAIN_HOME/bin/stopComponent.sh ohs1

3. Start OHS

$DOMAIN_HOME/bin/startComponent.sh ohs1

4. We can test the configuration on the default SSL port for OHS, 4443, but check
whether the virtual host is configured with 4443 or 443.

https://hostname:4443