Non GUI access to Oracle Wallet Manager - oracle

I need to import some certificates to an Oracle Wallet, but can't run a GUI on the host system. Is there a CLI alternative?

Use the orapki utility.
orapki wallet create -wallet /private/user/orapki_use/server -auto_login
orapki wallet add -wallet /private/user/orapki_use/server -trusted_cert -cert /private/user/orapki_use/root/b64certificate.txt

Related

Windows 10 pro importing certificate through command line create a duplicate store

I am trying to import a certificate into my "Local computer" account under "Personal" certificate store.
However, when running either of the 2 commands below, the certificate is imported into a new certificate store that is also called Personal.
First command:
Import-Certificate -FilePath "C:\Users\myUser\Desktop\LabCert.cer" -CertStoreLocation 'Cert:\LocalMachine\Personal' -Verbose
Second command:
CertUtil -v -addstore "Personal" "C:\Users\myUser\Desktop\LabCert.cer"
Can someone please advise how I can import my certificate into the original Personal store?
Thanks

Invalid provider type specified error in code signing the vsto outlook application

I bought a code signing certificate from GoDaddy and generated a .pfx file from it. But when I use this file to code sign the ClickOnce manifest of my Outlook VSTO application, I get this error in Visual Studio:
An error occurred while signing: Invalid provider type specified.
What could be the problem here?
Thanks.
The signing identity stored in the .pfx container is most likely in the older "Cryptographic Service Providers" (CSP) style. The environment you are using to sign your package looks like it requires the "Cryptography API: Next Generation" (CNG) provider type. The solution would be to convert your existing container to use the CNG Storage Provider. This should be done with the following steps:
1) Import the PFX into your personal store
2) Export the public key from the store by going through the export wizard
3) Export the private key using OpenSSL into .pem format
openssl.exe pkcs12 -in <original pfx file>.pfx -nocerts -out <pem file location>.pem
4) Convert to PVK
pvk.exe -in <pem file location>.pem -topvk -strong -out <pvk file location>.pvk
5) Merge the public and private keys
pvk2pfx.exe -pvk <pvk file location>.pvk -pi <pvk password> -spc <pvk file location>.cer -pfx <new pfx file location>.pfx -po <pfx password>
Now you can import the newly created pfx file into the Certificate Manager. Make sure you remove the old certificate first from the Certificate Manager. Once the certificate is in place you can use certutil again to validate if the certificate is now correct.
If it now shows the provider as "Microsoft Strong Cryptographic Provider" you know the operation has been successful.
Credit goes to Remy's Blog, where you may find the full explanation of the issue with examples and verification steps: "Converting Certificate to use CSP Storage Provider in stead of CNG Storage Provider".

Import OpenSSL Generated Private Key into Oracle Wallet

I have a private key that was created from an OpenSSL certificate signing request. The CA has accepted the CSR and given me the cert. When I try importing into my Oracle Wallet using orapki I get the error "No matching private key in the wallet". When I try importing the private key just as I would any user cert I get "Invalid Certificate". I've already added all the trusted certificates.
Here are the commands used:
orapki wallet add -wallet ewallet.p12 -user_cert -cert public.p12
orapki wallet add -wallet ewallet.p12 -user_cert -cert private.txt
I'm assuming there's a way to add the private key to the wallet?
You cannot import a KEY.
The key is already part of the wallet; you need to create the certificate request with ORAPKI, as the key will be part of the request.
You cannot create a certificate using a request from another wallet, and then try to install everything into a new wallet that already has a key.
You can create an orapki wallet from an openssl keystore as another method to bring in the private key.
orapki wallet create -wallet /path/to/wallet/wallet.p12 -auto_login [-pwd <password>]
You can try the following syntax
orapki wallet import_pkcs12 -wallet wallet_location [-pwd wallet_password] -pkcs12file pkcs12_file_location [-pkcs12pwd pkcs12_file_password]

Creating Oracle Wallet from existing PKCS#12 keystore

I have an .p12 keystore file issued by the provider of a webservice that I'd like to communicate with (SOAP) through a PL/SQL procedure from an Oracle 11g2 database.
A wallet was created with:
$ orapki wallet create -wallet [walletdirectory] -pwd [password] -auto_login
And the resulting 'ewallet.p12'-file was subsequently replaced with the (renamed to 'ewallet.p12') keystore file.
However, the SOAP-requests cannot be authorised. The log of the service provider shows (full log not available to me):
Error log Apache httpd
[<timestamp>] [error] [client <IP>] access to <URL> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
ACL-settings have been thoroughly audited. I am now exploring the possibility that the Oracle Wallet has not been set up properly (because perhaps simply replacing the keystore files is not possible). I cannot extract the private key from the supplied .p12 to add to the newly generated 'ewallet.p12'.
Thus I would like to use the Oracle Wallet Manager to create the Wallet. Some problems I've encountered.
I can not open the supplied .p12 file as a wallet in OWM
Renaming the supplied keystore to 'ewallet.p12' allows me to open the wallet in OWM, but upon entering the keystore password, displays "incorrect password"
Condensed question is: How do I create an Oracle Wallet from an already existing PKCS#12 file? Either as a complete product or by generating the required .SSO-file? Any other advice as to what might be the cause of this problem?
Note: using SOAPUI, I am able to successfully communicate with the webservice using the supplied keystore.
The webservice was unable to be authorized because the cwallet.sso file was not correct in the Oracle Wallet. The complete procedure to generate a correct Oracle Wallet from an existing PKCS#12 Keystore is:
$ orapki wallet create -wallet /path/to/wallet -auto_login
Where the [path/to/wallet] targets an existing directory that already includes the PKCS#12 Keystore. This generates the correct cwallet.sso file. The certificates included in the keystore can now be shown with:
$ orapki wallet display -wallet /path/to/wallet
And the Oracle Wallet can now be associated with an ACL:
SQLPlus: EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('[acl_file.xml]','file:/path/to/wallet');
However, for reasons unknown to me, an Oracle Wallet created in this fashion cannot be opened using the Oracle Wallet Manager tool.
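The two Oracle Wallet threads above (the "No matching private key in the wallet" error and building a wallet from an existing PKCS#12 keystore) both start from an OpenSSL key and a CA-issued certificate. The following is an added example, not code from the original posts: it checks that the key and certificate belong together before bundling them into the PKCS#12 file that orapki consumes. It assumes the openssl CLI and an unencrypted PEM key; the file names, the friendly name and the P12_PASS variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes the openssl CLI and an
# unencrypted PEM private key; file names and P12_PASS are hypothetical.

# Succeeds only when the private key ($1) and the certificate ($2) carry the
# same public key. Returns 2 when either file cannot be parsed.
key_matches_cert() {
    kc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    kc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kc_key" ] && [ "$kc_key" = "$kc_crt" ]
}

# Bundle key ($1) and certificate ($2) into the PKCS#12 file ($3). The password
# is read from the exported P12_PASS variable so it never appears in argv.
build_pkcs12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077   # the bundle holds the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" -name wallet-user-cert \
          -out "$3" -passout env:P12_PASS )
}

# Constructed demo: a throwaway key/certificate pair plus an unrelated key.
demo() {
    d=$(mktemp -d) || return 1
    rc=0
    P12_PASS='constructed-demo-only'; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed.example' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || rc=1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || rc=1
    # Matching pair: the bundle is written and opens with the password.
    build_pkcs12 "$d/key.pem" "$d/cert.pem" "$d/ewallet.p12" || rc=1
    openssl pkcs12 -in "$d/ewallet.p12" -passin env:P12_PASS -noout 2>/dev/null || rc=1
    # Unrelated key: rejected before any file is written.
    if build_pkcs12 "$d/other.pem" "$d/cert.pem" "$d/bad.p12" 2>/dev/null; then rc=1; fi
    [ ! -e "$d/bad.p12" ] || rc=1
    rm -rf "$d"
    return "$rc"
}

# With orapki installed, the bundle becomes a wallet as in the answer above:
#   cp ewallet.p12 /path/to/wallet/ewallet.p12
#   orapki wallet create -wallet /path/to/wallet -auto_login
```

OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default; if an older orapki release cannot read the bundle, re-exporting with the `-legacy` option of `openssl pkcs12` is the usual fallback.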

Importing a .pfx or .p12 file to a remote certificate store is not supported

I try to use MMC with SnapIn Certificates(Remote Computer) to import a p12 certificate into the Personal Certificate Store of a remote Windows 2008 Server Core computer.
Certificate Import Wizard tells me:
'Importing a .pfx or .p12 file to a remote certificate store is not supported'
Is there an alternative way to do this?
I found out that I can do everything with certutil and winhttpcertcfg like this:
1) add .p12 to Personal key store
certutil -p P#ssword -importpfx cert.p12
2) add .cer certificate as trusted publisher
certutil -addstore TrustedPublisher cert.cer
3) check which users have access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -l
4) grant access to certificate
winhttpcertcfg -c LOCAL_MACHINE\My -s certificate.name -g -a user#domain.com
