Extract SSL certificate from Oracle Autonomous Database Wallet
In most real-world environments, Autonomous Databases are deployed within a private subnet, where network access is restricted either to specific VCNs or to whitelisted IP addresses. However, there are scenarios where the database needs to be accessed by external resources or applications. In such cases, one option is to expose the database through a public Load Balancer. The Load Balancer accepts incoming traffic and securely routes it to the Autonomous Database.

To further strengthen this communication, encryption is essential. This can be achieved using SSL certificates and keys. An important point to note is that the Autonomous Database provides both the keys and the certificates as part of its wallet. By retrieving the public certificate and the private key from the wallet, you can establish secure SSL communication between the Load Balancer and the database.

In this article, we will walk through the step-by-step process of extracting these keys from the wallet and configuring SSL-based encryption to ensure a robust and secure connectivity setup.
Download the Autonomous Database wallet and make a note of the password; it is required later to extract the certificate content. The file ewallet.p12 holds the certificates and the private key.
$ ls -lrt
total 45
-rw-r--r-- 1 kunka 197609 5710 Sep 20 15:55 ewallet.pem
-rw-r--r-- 1 kunka 197609 3025 Sep 20 15:55 README
-rw-r--r-- 1 kunka 197609 1280 Sep 20 15:55 tnsnames.ora
-rw-r--r-- 1 kunka 197609 5349 Sep 20 15:55 cwallet.sso
-rw-r--r-- 1 kunka 197609 2056 Sep 20 15:55 truststore.jks
-rw-r--r-- 1 kunka 197609  691 Sep 20 15:55 ojdbc.properties
-rw-r--r-- 1 kunka 197609  114 Sep 20 15:55 sqlnet.ora
-rw-r--r-- 1 kunka 197609 5304 Sep 20 15:55 ewallet.p12
-rw-r--r-- 1 kunka 197609 3190 Sep 20 15:55 keystore.jks
Let's validate ewallet.p12 using the openssl command. The command prompts for the password that was provided while downloading the wallet.
$ openssl pkcs12 -in ewallet.p12 -info -noout
Enter Import Password:
MAC: sha1, Iteration 10000
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 10000
Key bag
Secret bag
Bag Attributes
    friendlyName: orakey
    localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 01
Bag Type: <Random characters>
Certificate bag
Certificate bag
Certificate bag
The output shows the wallet is intact. Now, first retrieve the private key from the wallet using the openssl command. It will prompt for the password provided when downloading the wallet.
$ openssl pkcs12 -in ewallet.p12 -nocerts -nodes -out private_key.pem
Enter Import Password:
Bag Type: 0.22.72.134.247.13.1.10
Bag Value:
$ ls -lrt private_key.pem
-rw-r--r-- 1 kunka 197609 3954 Sep 25 20:35 private_key.pem
The command has created private_key.pem. Edit private_key.pem and remove the Bag lines, so that the file contains only the -----BEGIN PRIVATE KEY----- line, the base64-encoded key body, and the -----END PRIVATE KEY----- line.
Next, let's run the openssl command to retrieve the public certificate.
$ openssl pkcs12 -in ewallet.p12 -nokeys -out all_certs.pem -nodes
Enter Import Password:
Bag Type: 0.22.72.134.247.13.1.10
Bag Value:
$ ls -lrt
total 57
-rw-r--r-- 1 kunka 197609 5710 Sep 20 15:55 ewallet.pem
-rw-r--r-- 1 kunka 197609 3025 Sep 20 15:55 README
-rw-r--r-- 1 kunka 197609 1280 Sep 20 15:55 tnsnames.ora
-rw-r--r-- 1 kunka 197609 5349 Sep 20 15:55 cwallet.sso
-rw-r--r-- 1 kunka 197609 2056 Sep 20 15:55 truststore.jks
-rw-r--r-- 1 kunka 197609  691 Sep 20 15:55 ojdbc.properties
-rw-r--r-- 1 kunka 197609  114 Sep 20 15:55 sqlnet.ora
-rw-r--r-- 1 kunka 197609 5304 Sep 20 15:55 ewallet.p12
-rw-r--r-- 1 kunka 197609 3190 Sep 20 15:55 keystore.jks
-rw-r--r-- 1 kunka 197609 3954 Sep 25 20:35 private_key.pem
-rw-r--r-- 1 kunka 197609 7021 Sep 25 20:35 all_certs.pem
The command has created all_certs.pem, which contains the CA certificate, the public certificate and a digital certificate.
The CA certificate will start with the following subject and issuer:
subject = /CN=Autonomous Database CA/...
issuer = /CN=Autonomous Database CA/...
The public certificate will start with the following subject and issuer:
subject = /dnQualifier=V1/CN=XXXXXXXXXXXX
issuer = /CN=Autonomous Database CA/..
Create public_cert.pem by copying the public certificate from all_certs.pem, the one where subject = /dnQualifier=V1/CN=XXXXXXXXXXXX and issuer = /CN=Autonomous Database CA/.. Copy only the -----BEGIN CERTIFICATE----- line, the base64-encoded body and the -----END CERTIFICATE----- line.
Create CA.pem by copying the CA certificate from all_certs.pem, the one where subject = /CN=Autonomous Database CA/... and issuer = /CN=Autonomous Database CA/... Again, copy only the -----BEGIN CERTIFICATE----- line, the base64-encoded body and the -----END CERTIFICATE----- line.
We can also validate that the public certificate and the private key belong together with the openssl command:
$ openssl x509 -in public_cert.pem -modulus -noout | openssl md5
MD5(stdin)= 7d54a865a5df6f40665db54859c806b0
$ openssl rsa -in private_key.pem -modulus -noout | openssl md5
MD5(stdin)= 7d54a865a5df6f40665db54859c806b0
Each command outputs an MD5 value; the values for the public certificate and the private key must match.
We can check the validity of the public certificate by opening it: copy public_cert.pem to public_cert.crt and then open the public_cert.crt file.
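The whole procedure above (extract the private key, dump and split the certificates, compare the moduli), as an added example that is not part of the original article: the script first builds a constructed test wallet (a self-signed CA, a leaf certificate it signs, and the leaf's key, exported to ewallet.p12 under the made-up password WalletPass1) and then runs the article's steps against it, stripping the Bag lines with awk instead of by hand and splitting all_certs.pem into CA.pem and public_cert.pem by whether a certificate's subject equals its issuer. The subject names are stand-ins; the real public certificate's subject also carries dnQualifier=V1, which the split does not depend on. It assumes openssl and awk are on PATH.

```shell
#!/bin/sh
# Added example, not code from the original article: replays the wallet
# extraction steps on a constructed test PKCS#12 so that the key extraction,
# the CA/public certificate split and the modulus check can be run offline.
# Assumptions: openssl and awk are on PATH; the password "WalletPass1" and
# the subject names below are constructed stand-ins for the real wallet's values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
WALLET_PASS="WalletPass1"

# Constructed stand-in for the downloaded wallet: a self-signed CA, a leaf
# certificate it signs, and the leaf private key, exported as ewallet.p12.
make_test_wallet() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test Autonomous Database CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=EXAMPLEDB" \
        -keyout "$WORK/leaf_key.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/leaf_cert.pem" 2>/dev/null
    openssl pkcs12 -export -name orakey -passout "pass:$WALLET_PASS" \
        -inkey "$WORK/leaf_key.pem" -in "$WORK/leaf_cert.pem" \
        -certfile "$WORK/ca_cert.pem" -out "$WORK/ewallet.p12"
}

# Article step: dump the private key, then keep only the BEGIN/END block so the
# "Bag Attributes" lines do not end up in private_key.pem. The key is written
# unencrypted (-nodes), so the file is restricted to the owner.
extract_private_key() {
    openssl pkcs12 -in "$WORK/ewallet.p12" -nocerts -nodes \
        -passin "pass:$WALLET_PASS" 2>/dev/null \
        | awk '/-----BEGIN/ {p=1} p {print} /-----END/ {p=0}' \
        > "$WORK/private_key.pem"
    chmod 600 "$WORK/private_key.pem"
}

# Article step: dump all certificates to all_certs.pem, then split them.
# The certificate whose subject equals its issuer is the CA (CA.pem); the
# one issued by the CA is the public certificate (public_cert.pem).
extract_certs() {
    openssl pkcs12 -in "$WORK/ewallet.p12" -nokeys -nodes \
        -passin "pass:$WALLET_PASS" 2>/dev/null > "$WORK/all_certs.pem"
    : > "$WORK/CA.pem"
    : > "$WORK/public_cert.pem"
    awk -v dir="$WORK" '
        /^subject *=/ { subj = $0; sub(/^subject *= */, "", subj) }
        /^issuer *=/  { iss  = $0; sub(/^issuer *= */,  "", iss) }
        /-----BEGIN CERTIFICATE-----/ {
            out = dir "/" ((subj == iss) ? "CA.pem" : "public_cert.pem"); p = 1
        }
        p { print >> out }
        /-----END CERTIFICATE-----/ { p = 0; close(out) }
    ' "$WORK/all_certs.pem"
}

# Article step: the MD5 of the RSA modulus must be identical for the public
# certificate and the private key; returns 0 on a match, 1 otherwise.
keys_match() {
    cert_md5=$(openssl x509 -in "$WORK/public_cert.pem" -modulus -noout | openssl md5)
    key_md5=$(openssl rsa -in "$WORK/private_key.pem" -modulus -noout 2>/dev/null | openssl md5)
    echo "cert: $cert_md5"
    echo "key:  $key_md5"
    [ "$cert_md5" = "$key_md5" ]
}

# Extra check before loading the files into a Load Balancer: the public
# certificate must chain to CA.pem.
verify_chain() {
    openssl verify -CAfile "$WORK/CA.pem" "$WORK/public_cert.pem"
}

make_test_wallet
extract_private_key
extract_certs
keys_match
verify_chain
```

Run it with sh; set WORK to a directory of your choice to keep the generated files. For a real wallet, replace make_test_wallet with a copy of the downloaded ewallet.p12 and set WALLET_PASS to the wallet password (or drop the -passin option to be prompted, as in the article). Two things to keep in mind: -nodes writes the private key unencrypted, which is why the script sets mode 600 on it and why the file should be deleted once it has been uploaded to the Load Balancer; and on OpenSSL 3, a wallet built with older PBE algorithms may need the -legacy option of openssl pkcs12 to load.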
The public certificate, the private key and the CA certificate can be used to create a Load Balancer managed certificate, which can then be added to the listener's HTTPS configuration.