Import OpenSSL Generated Private Key into Oracle Wallet - oracle

I have a private key that was created from an OpenSSL certificate signing request. The CA has accepted the CSR and given me the cert. When I try importing into my Oracle Wallet using orapki I get the error "No matching private key in the wallet". When I try importing the private key just as I would any user cert I get "Invalid Certificate". I've already added all the trusted certificates.
Here are the commands used:
orapki wallet add -wallet ewallet.p12 -user_cert -cert public.p12
orapki wallet add -wallet ewallet.p12 -user_cert -cert private.txt
I'm assuming there's a way to add the private key to the wallet?

You cannot import a KEY.
The key is part of the wallet already; you need to create the certificate request with ORAPKI, as the key will be part of the request.
You cannot create a certificate using a request from another wallet, and then try to install everything into a new wallet that already has a key.

You can create an orapki wallet from an openssl keystore as another method to bring in the private key.
orapki wallet create -wallet /path/to/wallet/wallet.p12 -auto_login [-pwd <password>]

You can try the following syntax
orapki wallet import_pkcs12
-wallet wallet_location [-pwd wallet_password]
-pkcs12file pkcs12_file_location [-pkcs12pwd pkcs12_file_password]
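An added example (not from any of the answers above) that puts the import_pkcs12 route together end to end: it first checks that the OpenSSL key actually belongs to the CA-issued certificate (the usual cause of "No matching private key in the wallet"), then bundles key, certificate and chain into a PKCS#12 and imports that into the wallet. File names server.key, server.crt, chain.pem, the wallet path and both passwords are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's or Oracle's code.
# Assumptions: server.key (OpenSSL key), server.crt (CA-issued cert),
# chain.pem (CA chain); wallet path and passwords are placeholders.
set -eu

# 1. Compare the public key inside the cert with the one derived from the
#    private key. If they differ, no wallet import will ever "match".
key_matches_cert() {                 # $1=key.pem  $2=cert.pem ; returns 0 on match
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. Bundle key + cert + chain into one password-protected PKCS#12,
#    the form that 'orapki wallet import_pkcs12' consumes.
bundle_pkcs12() {                    # $1=key $2=cert $3=chain $4=out.p12 $5=p12 password
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "server" -out "$4" -passout "pass:$5"
}

# 3. Import the bundle into an existing wallet, then list what landed there.
import_into_wallet() {               # $1=wallet dir $2=wallet pwd $3=p12 $4=p12 pwd
    orapki wallet import_pkcs12 -wallet "$1" -pwd "$2" \
        -pkcs12file "$3" -pkcs12pwd "$4"
    orapki wallet display -wallet "$1" -pwd "$2"
}

main() {
    WALLET=/path/to/wallet           # placeholder: dir created with 'orapki wallet create'
    WALLET_PWD='<wallet password>'   # placeholder
    P12_PWD='<bundle password>'      # placeholder
    key_matches_cert server.key server.crt || {
        echo "server.key does not belong to server.crt; fix that first" >&2
        exit 1
    }
    bundle_pkcs12 server.key server.crt chain.pem server.p12 "$P12_PWD"
    import_into_wallet "$WALLET" "$WALLET_PWD" server.p12 "$P12_PWD"
}

# Run the full procedure only when invoked as: sh import_key.sh run
case "${1:-}" in run) main ;; esac
```

The display step at the end should list the user certificate with its private key present; if it does not, the key/cert check is the first thing to revisit.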

Related

YubiHSM Code-signing exporting certificate

I followed the tutorial for generating a code-signing certificate using the YubiHSM Key Storage provider available here. After creating the Certificate Signing Request (CSR) with certreq -new sign.inf sign.req a new asymmetric key is created in the YubiHSM together with an association between this key and the certificate in the YubiHSM Key Storage Provider (KSP). After that, I am able to sign my binaries using something like signtool sign /sha1 <certificate hash> <binary name>.
However, when I export this certificate and import it to a different machine the certificate does not have an associated private key. Typing certutil -repairstore my <certificate hash> does not help. As far as I understand, the KSP only stores a link to the YubiHSM, not the actual private key itself. So I suppose I need to somehow create this association in the KSP.
I finally managed to solve the issue as follows:
After installing and configuring the YubiHSM KSP, install your exported certificate. After installing the certificate check its validity with:
certutil -verifystore my <certificate hash>
If you still cannot see the installed certificate try adding it manually using:
certutil -addstore -f "My" "MyCertificate.cer"
Once you can find the imported certificate, you need to manually bind the certificate to the private key. This is because the key is not stored with the certificate and Windows doesn’t automatically create an association between the two.
certutil -repairstore my <certificate hash>
Now you should be able to see the correct key label in the Key Container field using the certutil -verifystore command.
After that you should be able to start signing your binaries with signtool. However, I had to add the /sm flag to make it work.
signtool sign /sm /a /n "<CertificateName>" /fd sha256 path-to-binary-to-sign.exe

Get private key from Heroku

I was trying to update my certificate but I'm having issues. I issued
heroku certs:add server.crt server.key
but this command is giving me the error
No key found that signs the certificate.
I've tried to add the key from my previous certificate, but I got the same error. I unfortunately lost my private key while trying to get a certificate with GoDaddy.

OSX 10.10 import .pfx without a password?

I am attempting to import a .pfx certificate on a MacBookPro with 10.10. As I import the cert I am prompted to enter a password for the cert. I created the cert and I know there is no password. I cannot leave the password field blank as it results in a "Sorry, you entered an invalid password." error. Is there a way to import a .pfx certificate that is not encrypted with a password?
Assuming you don't need to import the private key, you can extract the certificate from the pfx file on a machine with openssl installed using the command below.
openssl pkcs12 -in [inputFile.pfx] -nokeys -out [outputFile.cer]
If you need to import the private key to OSX, or don't have a machine with openssl, you could try importing the pfx in Windows & exporting either just the cert to a cer file or the cert & key to a new pfx with a password.
I'm not sure how you wound up with a pfx that has no password in the first place; because they contain the associated private key, a password is typically required.

Creating Oracle Wallet from existing PKCS#12 keystore

I have a .p12 keystore file issued by the provider of a webservice that I'd like to communicate with (SOAP) through a PL/SQL procedure from an Oracle 11g2 database.
A wallet was created with:
$ orapki wallet create -wallet [walletdirectory] -pwd [password] -auto_login
And the resulting 'ewallet.p12'-file was subsequently replaced with the (renamed to 'ewallet.p12') keystore file.
However, the SOAP-requests cannot be authorised. The log of the service provider shows (full log not available to me):
Error log Apache httpd
[<timestamp>] [error] [client <IP>] access to <URL> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
ACL-settings have been thoroughly audited. I am now exploring the possibility that the Oracle Wallet has not been set up properly (because perhaps simply replacing the keystore files is not possible). I cannot extract the private key from the supplied .p12 to add to the newly generated 'ewallet.p12'.
Thus I would like to use the Oracle Wallet Manager to create the Wallet. Some problems I've encountered.
I cannot open the supplied .p12 file as a wallet in OWM
Renaming the supplied keystore to 'ewallet.p12' allows me to open the wallet in OWM, but upon entering the keystore password, displays "incorrect password"
Condensed question is: How do I create an Oracle Wallet from an already existing PKCS#12 file? Either as a complete product or by generating the required .SSO-file? Any other advice as to what might be the cause of this problem?
Note: using SOAPUI, I am able to successfully communicate with the webservice using the supplied keystore.
The webservice was unable to be authorized because the cwallet.sso file was not correct in the Oracle Wallet. The complete procedure to generate a correct Oracle Wallet from an existing PKCS#12 Keystore is:
$ orapki wallet create -wallet /path/to/wallet -auto_login
Where the [path/to/wallet] targets an existing directory that already includes the PKCS#12 Keystore. This generates the correct cwallet.sso file. The certificates included in the keystore can now be shown with:
$ orapki wallet display -wallet /path/to/wallet
And the Oracle Wallet can now be associated with an ACL:
SQLPlus: EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('[acl_file.xml]','file:/path/to/wallet');
However, for reasons unknown to me, an Oracle Wallet created in this fashion cannot be opened using the Oracle Wallet Manager tool.

Non GUI access to Oracle Wallet Manager

I need to import some certificates to an Oracle Wallet, but can't run a GUI on the host system. Is there a CLI alternative?
Use the orapki utility.
orapki wallet create -wallet /private/user/orapki_use/server -auto_login
orapki wallet add -wallet /private/user/orapki_use/server -trusted_cert -cert /private/user/orapki_use/root/b64certificate.txt
