How to install a renewed SSL Certificate in Oracle Wallet

The definitive guide to installing SSL certificates in Oracle Wallet Manager.


Installing SSL certificates is a pretty straightforward task: you just need to download your new signed certificates from the Certification Authority (CA) and install them on your web server of choice ... unless your web server is an Oracle web server that uses something called "Oracle Wallet" to manage them...

Don't panic: this guide provides all the necessary steps to install them using plain operating system commands (there's no need for another painful Oracle GUI).

Remember: A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.

Oracle provides the orapki utility as a command-line tool to create and manage Oracle Wallets from Oracle 10g onwards.

Basically, you will need these elements:

With all these elements available, we are ready to dive into this task. Super cool!

14 Steps to SUCCESS

1. Extract the private key from your current wallet

openssl pkcs12 -in ewallet.p12 -passin pass:(wallet password) -out ewallet.txt -nodes

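The resulting "ewallet.txt" file contains the unencrypted private key (the -nodes option disables encryption of the output), the certificate and all the Root CA certificates in the wallet. Copy the key and the certificate(s) out of it into separate files to create the individual key and certificate files. Because the key is stored in the clear, keep this file readable only by your own user and delete it once the new wallet is working.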

2. Set up environment variables

export JAVA_HOME=/opt/jdk1.7.0_71
export PATH=$JAVA_HOME/bin:$PATH

Set up your Java runtime accordingly. In this example, we are using JDK 1.7 located in the /opt folder.

3. Create a new wallet location

mkdir -p "${LOCATION}/keystores/2019"
cd "${LOCATION}/keystores/2019"

4. Create a temporary OpenSSL Wallet

Extract the private key from "ewallet.txt" and put it into the "privkey.crt" file.

Put the renewed intermediate certificates all together into the "bundle.crt" file.

Put the renewed SSL certificate into the "certificate.crt" file.

Now, let's create an OpenSSL wallet named "ewallet-ossl.p12":

openssl pkcs12 -export -in certificate.crt -inkey privkey.crt -certfile bundle.crt -out ewallet-ossl.p12
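Steps 1 and 4 can be guarded so that the temporary wallet is only built when the renewed certificate really belongs to the private key taken from the old wallet. The script below is an added example, not part of the original guide: the function names and the password-file argument (PASSFILE, a file holding the export password on its first line) are assumptions, while the file names follow the steps above.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the
# password-file argument are assumptions; file names follow steps 1 and 4.

# extract_key DUMP OUT
# Copy only the first private-key PEM block out of the step 1 dump.
# The subshell umask creates OUT with mode 0600.
extract_key() {
    rm -f "$2"
    ( umask 077
      awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/ { on = 1 }
           on { print }
           on && /-----END [A-Z ]*PRIVATE KEY-----/ { exit }' "$1" > "$2" )
    [ -s "$2" ]
}

# key_matches_cert KEY CERT
# Return 0 only when both files carry the same public key, 1 on a mismatch,
# 2 when either file cannot be parsed.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# build_ossl_wallet DUMP CERT BUNDLE PASSFILE
# Step 4 with the check in front: ewallet-ossl.p12 is written only when the
# renewed certificate belongs to the key taken from the old wallet.
build_ossl_wallet() {
    extract_key "$1" privkey.crt ||
        { echo "no private key found in $1" >&2; return 1; }
    key_matches_cert privkey.crt "$2" ||
        { echo "$2 does not match the wallet's private key" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -in "$2" -inkey privkey.crt -certfile "$3" \
          -out ewallet-ossl.p12 -passout "file:$4" )
}

# Usage, from the new wallet directory:
#   build_ossl_wallet ewallet.txt certificate.crt bundle.crt wallet-pass.txt
```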

5. Export the OpenSSL wallet to a JKS Wallet type

We need to export the current OpenSSL wallet contents to a JKS wallet named "ewallet.jks":

$ORACLE_HOME/oracle_common/bin/orapki wallet pkcs12_to_jks -wallet ./ewallet-ossl.p12 -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd (password)

6. Create the definitive Oracle Wallet

Oracle web servers need an "auto login" wallet, which is a proprietary feature. Let's create it using the "orapki" utility:

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login

7. Verify Wallet contents

By default, this process creates a new wallet and populates it with default certificates.

$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./

8. Remove all default certificates

There's no need to have these certificates, let's remove them all from our wallet:

$ORACLE_HOME/oracle_common/bin/orapki wallet remove -trusted_cert_all -wallet ./

9. Verify that your wallet is empty

Let's verify the wallet contents again:

$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./

10. Import JKS content

Import the exported JKS content into our new wallet:

$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd (password) -keystore ewallet.jks -jkspwd (password)

11. Validating the new content

At this stage, all the renewed certificates should be displayed as our wallet content:

$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./

13. Update Oracle Web Server SSL configuration file

Now we are ready to update our wallet location in the SSLWallet directive.

14. Restart the OHS web server

Restart the OHS web server, enter any given URL that points back to your web server and verify that the new SSL certificate is being served as expected.


And that's all folks!


Enrique Garibay
