Wednesday, April 24, 2019

Remove Trusted Certificate Chain from Wallet / Keystore

It's been a long time since I posted a blog. I spent many hours troubleshooting this issue, and it's "Time to Share".

Using this note you can accomplish many things:
1) Remove any trusted certs from an Oracle Wallet/Keystore
2) Remove a certificate chain from a UserCertificate
3) Display/List the certificates in a wallet/keystore
4) Add certificates to a wallet/keystore
5) Convert JKS to Wallet
6) Convert Wallet to JKS
7) orapki commands
8) keytool commands
9) Extract the Private Key from an Oracle Wallet


Ref:
Followed Oracle Support notes Doc ID 2275107.1 and 2405429.1

One of my trusted certs (an intermediate CA) in the chain had expired. Following is the process I used to resolve the issue.

1) Opened the Oracle Wallet and tried deleting the certificate by right-clicking on it: "Trusted certificate in use, deletion failed" (see Note 2275107.1).

2) Tried deleting from the command line
orapki wallet remove -wallet <wallet_dir> -trusted_cert -dn 'CN=inter2' -pwd <wallet_pwd>
PKI-04015: Trusted cert cannot be removed

Both attempts fail for the same reason: the expired intermediate is still referenced by the user certificate's chain, so the wallet refuses to drop it.

3) Convert Wallet to JKS

a) Display all the certificates in the wallet
$ orapki wallet display -wallet <wallet_dir>

b) Convert the wallet to JKS
orapki wallet pkcs12_to_jks -wallet <wallet_dir> -pwd <wallet_pwd> -jksKeyStoreLoc /ewallet.jks -jksKeyStorepwd <jks_pwd>

c) Find the alias of the trusted cert using keytool:
keytool -list -v -keystore /ewallet.jks -storepass <jks_pwd>

Look for the "Alias name:" line of the entry whose Owner/Issuer is the expired certificate.

d) Remove the trusted certificate using the alias_name found above.
keytool -delete -alias 'alias_name' -keystore /ewallet.jks -storepass <jks_pwd>

e) Run the keytool list command again to confirm that the alias_name for the trusted certificate is gone.
keytool -list -v -keystore /ewallet.jks -storepass <jks_pwd>

4) I still saw that the certificate chain had the expired entries; googled and found a note

a) First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

b) Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

c) Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes" lines). Because of -nodes, pemfile.pem contains the private key unencrypted, so keep it on a restricted path and delete it (along with old.p12) once the new PKCS12 file is built.
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "newcert", at this point:

openssl pkcs12 -export -in pemfile.pem -name newcert -out new.p12

d) Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
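Step c) above is done by hand in a text editor. The following POSIX shell function, an added example that is not part of the original post, does the same edit mechanically: it reads the bundle written by "openssl pkcs12 -nodes" and drops the one certificate entry (with its "Bag Attributes" header) whose subject line contains the given string, leaving the private key and the other certificates untouched. The function names and the sample bundle (fake base64 bodies) are constructed for this example.

```shell
# Added example (not from the original post): automates step 4c, dropping one
# certificate plus its preceding "Bag Attributes" lines from the bundle that
# "openssl pkcs12 -nodes" wrote. The argument is matched as a substring of the
# "subject=" line; copy it exactly as printed (OpenSSL versions format DNs differently).
# Usage: strip_cert_by_subject 'CN=inter2' < pemfile.pem > pemfile.edited.pem
strip_cert_by_subject() {
  awk -v dn="$1" '
    # Emit the buffered entry unless it is a certificate whose subject matched.
    function emit() {
      if (!(incert && hit)) printf "%s", buf
      buf = ""; hit = 0; incert = 0
    }
    /^Bag Attributes/                { emit() }        # a new entry starts here
    /^subject=/                      { if (index($0, dn) > 0) hit = 1 }
    /^-----BEGIN CERTIFICATE-----$/  { incert = 1 }    # key blocks are never dropped
                                     { buf = buf $0 "\n" }
    /^-----END /                     { emit() }
    END                              { emit() }
  '
}

# Count certificate blocks in a PEM bundle read from stdin (prints 0 if none).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' || true; }

# Constructed sample (fake base64 bodies, not real keys or certificates): one private
# key plus a two-certificate chain in which CN=inter2 is the expired intermediate.
SAMPLE_PEM='Bag Attributes
    friendlyName: newcert
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
RkFLRUtFWQ==
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: newcert
subject=CN=server
issuer=CN=inter2
-----BEGIN CERTIFICATE-----
RkFLRVNFUlZFUg==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=CN=inter2
issuer=CN=root
-----BEGIN CERTIFICATE-----
RkFLRUlOVEVSMg==
-----END CERTIFICATE-----'

# Demo: drop the expired intermediate and print the remaining entries.
printf '%s\n' "$SAMPLE_PEM" | strip_cert_by_subject 'CN=inter2'
```

Run "openssl x509 -noout -subject -enddate" on each block afterwards if you want to confirm that only the expired entry is gone before building new.p12.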


5) Convert JKS to Oracle Wallet
a) Create an empty wallet. This creates a password-protected wallet with auto-login (i.e. ewallet.p12 and cwallet.sso)
$MW_HOME/oracle_common/bin/orapki wallet create -wallet <wallet_dir> -pwd <wallet_pwd> -auto_login

b) Display the wallet contents
orapki wallet display -wallet <wallet_dir>

c) Delete any trusted certs (if needed)
orapki wallet remove -wallet <wallet_dir> -trusted_cert_all -pwd <wallet_pwd>

d) Convert the JKS into the new Oracle Wallet
orapki wallet jks_to_pkcs12 -wallet <wallet_dir> -pwd <wallet_pwd> -keystore /ewallet.jks -jkspwd <jks_pwd>


Some more useful commands, not related to the above issue

6) To add a trusted cert to a Wallet or JKS
orapki wallet add -wallet <wallet_dir> -trusted_cert -cert newTrust.cer -pwd <wallet_pwd>
keytool -import -file newTrust.cer -trustcacerts -alias newTrust -keystore ewallet.jks


7) Extracting the Private Key from an Oracle Wallet
$ openssl pkcs12 -in ewallet.p12 -nocerts -out private_key.pem
$ openssl rsa -in private_key.pem -out private.key
$ openssl rsa -in private_key.pem -check           <= verify the private key
private.key is the unencrypted key: restrict its permissions (e.g. chmod 600) and remove it as soon as it is no longer needed.


Good Luck ...