Oracle 8i | Oracle 9i | Oracle 10g | Oracle 11g | Oracle 12c | Miscellaneous | PL/SQL | SQL | Oracle RAC | Oracle Apps | Linux

Creating Self-Signed SSL Certificates

keygen (Linux)

The keygen command allows you to generate certificate and key file pairs directly from the command line.

If they are not already installed, install the mod_ssl, openssl and crypto-utils packages.

# yum install mod_ssl openssl crypto-utils

The genkey command can generate a certificate request or a new self-signed certificate. The following command create a self-signed certificate for the specified machine.

# genkey --makeca rhce1.localdomain

The certificate and key file are created in the following locations respectively.

# ls /etc/pki/CA/
certs  crl  newcerts  private  rhce1.localdomain
# ls /etc/pki/CA/private/
rhce1.localdomain
#

keytool (Java)

The keytool utility is present as part of the Java Runtime Environment (JRE), either in the standalone JRE installation, or under the "jre" directory of the JDK installation.

The following commands creates a keystore containing a self-signed certificate.

$ mkdir ~/keystore
$ cd ~/keystore
$ export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64
$ $JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
   -storepass password1 -validity 360 -keysize 2048 -keypass password1

The utility asks you to provide information in the following format.

What is your first and last name?
  [Unknown]:  rhce1.localdomain
What is the name of your organizational unit?
  [Unknown]:  Example Department
What is the name of your organization?
  [Unknown]:  Example Company
What is the name of your City or Locality?
  [Unknown]:  Birmingham
What is the name of your State or Province?
  [Unknown]:  West Midlands
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Tim Hall, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB correct?
  [no]:  yes

Enter key password for <selfsigned>
	(RETURN if same as keystore password):  
$

Alternatively, you can provide the answers directly on the command line.

$ $JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
   -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 360 -keysize 2048 -keypass password1

The following command checks the contents of the keystore.

$ $JAVA_HOME/jre/bin/keytool -list -v -keystore keystore.jks -storepass password1
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=rhce1.localdomain, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB
Issuer: CN=rhce1.localdomain, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
	 MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
	 SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
	 Signature algorithm name: SHA1withRSA
	 Version: 3


*******************************************
*******************************************


$

orapki (Oracle)

The orapki utility makes handling certificates and Oracle wallets very simple.

Create a location for your wallet.

$ mkdir /home/oracle/wallet
$ cd /home/oracle/wallet

Add the location of the orapki utility to your path.

# WebLogic
$ export PATH=$PATH:$MW_HOME/oracle_common/bin

Or

# Database
$ export PATH=$PATH:$ORACLE_HOME/bin

Create a wallet to hold your certificate.

$ orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login

Create a self-signed certificate and add it to your wallet.

$ orapki wallet add -wallet ./ -pwd WalletPasswd123 \
  -dn "CN=`hostname`, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB" \
  -keysize 1024 -self_signed -validity 365

You can check the contents of the wallet with the following command.

$ orapki wallet display -wallet ./ -pwd WalletPasswd123

Oracle PKI Tool : Version 11.1.1.5.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=rhce1.localdomain,OU=Example Department,O=Example Company,L=Birmingham,ST=West Midlands,C=GB
Trusted Certificates:
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=rhce1.localdomain,OU=Example Department,O=Example Company,L=Birmingham,ST=West Midlands,C=GB
$

You can read more about Oracle wallets and the orapki utility here.

Converting Between Keystores and Wallets (orapki)

Oracle Fusion Middleware can be quite confusing at times because different products handle their certificates in different ways. For example, managed servers use a JKS keystore, but the Oracle HTTP Server (OHS) requires an Oracle Wallet. Fortunately, the orapki utility allows you to convert between these two formats.

To import the contents of a JKS keystore into a existing wallet, use the following commands.

$ # Create a new wallet
$ orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login

$ # Import the contents of the JKS keystore into the new wallet.
$ $MW_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd WalletPasswd123 \
    -keystore identity.jks -jkspwd password1

To create identity and trust keystores from a wallet, using the following command.

$ orapki wallet pkcs12_to_jks -wallet ./ -pwd WalletPasswd123 \
    -jksKeyStoreLoc ./identity.jks -jksKeyStorepwd password1 \
    -jksTrustStoreLoc ./trust.jks -jksTrustStorepwd password1

For more information see:

Hope this helps. Regards Tim...

Back to the Top.