Friday, June 19, 2020

OHS 12.2.1.3 and SAN Cert for SSL Configuration

In this post we will see how to use a SAN certificate on OHS 12.2.1.3. Note that SAN certificates are officially supported only starting with 12.2.1.3, so read the note below before implementing:

Support Status for Wildcard, SNI and SAN SSL Certificates for Oracle HTTP Server and Web Cache 11g/12c (Doc ID 2225494.1)

First, create a keystore holding a SAN-enabled key pair (it is converted to an Oracle wallet later):

PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -genkey -alias test_ca_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=mypage.test.org,O=Oracle,L=Redwood,ST=Streed,C=US" -keypass RandomPass -keystore keystore.jks -storepass RandomPass -ext "SAN=dns:mypage.test.org,dns:mytest.test.org,dns:mytest1.test.org"

Generate a CSR for mypage.test.org. The -ext SAN list given here is what the CA sees in the request, so list every hostname the certificate must cover (the CA decides which of them it actually issues):

PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -certreq -v -alias test_ca_cert -file mypage_server.csr -sigalg SHA256withRSA -keypass RandomPass -storepass RandomPass -keystore keystore.jks -ext SAN=dns:mypage.test.org
Certification request stored in file <mypage_server.csr>
Submit this to your CA

PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -list -v -keystore keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: test_ca_cert
Creation date: Jun 15, 1981
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mypage.test.org, O=Oracle,L=Redwood,ST=Streed,C=US
Issuer: CN=mypage.test.org, O=Oracle,L=Redwood,ST=Streed,C=US

*******************************************
*******************************************


PS C:\Oracle\OHS_Base\test_wallet>

Send the CSR to the CA and get the certificate back together with the root/intermediate bundle.

Once received, load the root, the intermediate and the signed certificate. The signed certificate goes under the same alias as the private key, so keytool installs it as the certificate reply:

PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -import -v -noprompt -trustcacerts -alias root -file test_signed_cert/root.cer -keystore keystore.jks
Enter keystore password:
Certificate was added to keystore
[Storing keystore.jks]
PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -import -v -noprompt -trustcacerts -alias intermediate -file test_signed_cert/intermediate.cer -keystore keystore.jks
Enter keystore password:
Certificate was added to keystore
[Storing keystore.jks]
PS C:\Oracle\OHS_Base\test_wallet> C:\Oracle\OHS_Base\oracle_common\jdk\jre\bin\keytool -import -v -noprompt -trustcacerts -alias test_ca_cert -file test_signed_cert/test_signed_cert.cer -keystore keystore.jks
Enter keystore password:
Certificate reply was installed in keystore
[Storing keystore.jks]
PS C:\Oracle\OHS_Base\test_wallet>


Converting to an auto-login wallet

PS C:\Oracle\OHS_Base\test_wallet> $env:ORACLE_HOME = "C:\Oracle\OHS_Base"
PS C:\Oracle\OHS_Base\test_wallet> $env:WALLET_BASE = "C:\Oracle\OHS_Base\test_wallet"
PS C:\Oracle\OHS_Base\test_wallet> $env:PATH = "$env:ORACLE_HOME\oracle_common\bin;$env:PATH"
PS C:\Oracle\OHS_Base\test_wallet> $env:JAVA_HOME = "C:\Oracle\Java\jdk1.8.0_171"
PS C:\Oracle\OHS_Base\test_wallet> orapki wallet create -wallet C:\Oracle\OHS_Base\test_wallet -auto_login_local -pwd RandomPass
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

PS C:\Oracle\OHS_Base\test_wallet> orapki wallet jks_to_pkcs12 -wallet C:\Oracle\OHS_Base\test_wallet -pwd RandomPass -keystore keystore.jks -jkspwd RandomPass
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

PS C:\Oracle\OHS_Base\test_wallet> orapki wallet display -wallet C:\Oracle\OHS_Base\test_wallet
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=mypage.test.org
Trusted Certificates:
Subject:        CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Subject:        CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

PS C:\Oracle\OHS_Base\test_wallet>

Now point the OHS ssl.conf at this wallet (the SSLWallet directive) and restart OHS.

https://mypage.test.org:4443 should now work fine. 😊
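A check worth running after the restart, added here and not part of the original post: it reports which of the three SAN hostnames from the keytool command are not covered by the certificate OHS presents, ignoring the CN the way browsers do. The sample certificate dict is constructed (modelling a CSR that requested a single dns: entry); the port 4443 default and the fetch_cert() helper are assumptions.

```python
import socket
import ssl

# Hostnames the OHS virtual host must answer for: the dns: entries given to
# keytool -ext SAN in the post.
REQUIRED_HOSTS = ["mypage.test.org", "mytest.test.org", "mytest1.test.org"]

# Constructed sample in getpeercert() form, modelling a certificate issued
# from the post's CSR, which requested only dns:mypage.test.org.
SAMPLE_CERT = {
    "subject": ((("commonName", "mypage.test.org"),),),
    "subjectAltName": (("DNS", "mypage.test.org"),),
}

def san_dns_names(cert):
    """DNS entries of subjectAltName from a cert dict as returned by
    ssl.SSLSocket.getpeercert(); empty if the extension is absent."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def san_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a leading '*.' covering
    exactly one label (*.test.org matches a.test.org, not a.b.test.org)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".test.org"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return label != "" and "." not in label

def missing_hosts(cert, required=REQUIRED_HOSTS):
    """Required hostnames no SAN entry covers. The CN is deliberately ignored:
    browsers only consult subjectAltName, so a certificate issued from a CSR
    carrying a single dns: entry does not serve the other two names."""
    names = san_dns_names(cert)
    return [h for h in required if not any(san_matches(n, h) for n in names)]

def fetch_cert(host, port=4443):
    """Decoded certificate OHS presents once ssl.conf points at the wallet.
    The chain is still verified against the system trust store; only the
    hostname check is off, so a wrongly named cert is returned, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print("not covered by SAN:", missing_hosts(SAMPLE_CERT))
```

Against a live server, replace SAMPLE_CERT with fetch_cert("mypage.test.org"); an empty list means every required name is covered.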
