Monday, December 08, 2014

Extract priv.key from Oracle Wallet and convert to Java keystore


A brief write-up of an issue we ran into recently when renewing SSL certificates.

The process we normally follow is: use openssl -> create CSR -> get Verisign cert -> convert to Oracle Wallet -> convert to keystore.

In Fusion Middleware 11g, creating an Oracle Wallet from openssl-generated material means following Oracle Note 184701.1. Because of a bug I was not able to see the wallet in OWM, so the new process below is used instead:
create OWM cert -> get Verisign cert -> import into OWM -> extract priv.key -> convert to Java keystore

The steps, briefly:
1) Generate the CSR using the OWM executable (the "owm" binary from the Fusion Middleware home).
2) Submit the CSR to Verisign; after you receive the user certificate, import it into OWM, select Auto Login and save.
3) Use the resulting ewallet.p12 and cwallet.sso (from step 2) in Fusion Middleware OHS.
4) From ewallet.p12, extract priv.key:
openssl pkcs12 -in /tmp/SSL_2014/oraclewallet_dir/ewallet.p12 -nocerts -out private_key.pem
The first password openssl asks for (Enter Import Password) is the wallet password; the second (Enter PEM pass phrase) is used to protect the exported key.
openssl rsa -in private_key.pem -out priv.key
This second command strips that pass phrase, so priv.key is written unencrypted.
5) Use the SSL certificate and priv.key in Apache.
6) Create the Java keystore from the Oracle Wallet (passwords shown as placeholders):
export PATH=$PATH:$MW_HOME/oracle_common/bin/
orapki wallet pkcs12_to_jks -wallet ewallet.p12 -jksKeyStoreLoc ewallet.jks -jksKeyStorepwd <jks_password> -pwd <wallet_password>
7) Use the JKS in Oracle WebLogic Server.

8) Which file is used where
ewallet.jks -- used in Oracle WebLogic Server
ewallet.p12 and cwallet.sso -- used in Fusion Middleware OHS
server.crt and priv.key -- used in Apache

9) Useful verification commands

Verify CSR
openssl req -in fsplifm1.csr -noout -text

Verify private.key
openssl rsa -in private.key -check

Verify Oracle Wallet
orapki wallet display -wallet oraclewallet_dir -pwd <wallet_password>

Verify Java Keystore
keytool -list -keystore ewallet.jks -storepass <jks_password>
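The checks above look at each file on its own; what usually bites during a renewal is a priv.key that does not belong to the certificate being deployed. The script below is an added example, not part of the original post: it reproduces step 4 non-interactively and then compares the RSA modulus of priv.key with that of server.crt. It assumes an openssl binary on PATH and uses the post's file names; the function names are mine.

```shell
# Added example, not from the original post. Assumes openssl on PATH and the
# post's file names (ewallet.p12, priv.key, server.crt). Function names are mine.

# RSA modulus of a PEM private key, printed as "Modulus=...".
key_modulus() {
    openssl rsa -in "$1" -noout -modulus
}

# RSA modulus of a PEM certificate, in the same format so the two compare directly.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus
}

# Return 0 when the private key and the certificate share a modulus, 1 otherwise.
key_matches_cert() {
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# Step 4 of the post without the interactive prompts:
#   $1 = ewallet.p12, $2 = wallet password, $3 = output key file (priv.key).
# The wallet password is handed to openssl through the environment (-passin env:)
# rather than on the command line, so it does not show up in the process list.
# The intermediate file is protected by a throwaway PEM pass phrase; the second
# openssl call removes it, exactly as "openssl rsa -in ... -out priv.key" does.
extract_private_key() {
    _enc="$3.enc"
    WALLET_PW="$2" openssl pkcs12 -in "$1" -nocerts \
        -passin env:WALLET_PW -passout pass:tmppass -out "$_enc"
    openssl rsa -in "$_enc" -passin pass:tmppass -out "$3"
    rm -f "$_enc"
    chmod 600 "$3"    # priv.key is unencrypted from here on; keep it owner-only
}

# Usage with the files from steps 4 and 5:
#   extract_private_key ewallet.p12 "$WALLET_PASSWORD" priv.key
#   key_matches_cert priv.key server.crt && echo "priv.key matches server.crt"
```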


Good Luck!