- openssl
- genkey (Linux)
- keytool (Java)
- orapki (Oracle)
- Converting Between Keystores and Wallets (orapki)
openssl
The openssl command line utility is a simple way to create a key and self-signed certificate.
mkdir ~/certs

openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout ~/certs/${HOSTNAME}.key \
    -x509 -days 3650 -out ~/certs/${HOSTNAME}.crt \
    -subj "/C=GB/ST=West Midlands/L=Birmingham/O=Example Company/OU=Devs/CN=Tim Hall/emailAddress=me@example.com"
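The following is an added example, not code from the original article: it wraps the openssl command above in a small script and then checks the result (the private key matches the certificate, the key file is owner-only, a subjectAltName is present, and the validity window is what was requested). It assumes a POSIX shell, openssl 1.1.1 or later (for -addext), and uses constructed subject values.

```shell
#!/bin/sh
# Added example, not from the original article: create a self-signed
# key/certificate pair as in the openssl section, then verify it.
# Assumes a POSIX shell and openssl 1.1.1 or newer (needed for -addext).
set -eu

# Generate KEY/CRT for HOST under DIR. Subject values are constructed;
# a subjectAltName is added because modern clients ignore the CN.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # umask in a subshell: the unencrypted (-nodes) key is created 0600
    ( umask 077; openssl req \
        -newkey rsa:4096 -nodes -sha256 -keyout "$dir/$host.key" \
        -x509 -days 3650 -out "$dir/$host.crt" \
        -subj "/C=GB/ST=West Midlands/L=Birmingham/O=Example Company/OU=Devs/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null )
}

# 0 when the private key file is readable only by its owner.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# 0 when the public key in the certificate matches the private key
# (both are reduced to the SHA-256 of their DER-encoded public key).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate carries DNS:HOST in its subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# 0 when the certificate is still valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# SHA-256 fingerprint; MD5 and SHA-1 fingerprints are no longer collision-safe.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run it as `make_selfsigned ~/certs "$HOSTNAME"` followed by the check functions; a mismatch or a world-readable key file makes the corresponding function return non-zero.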
genkey (Linux)
The crypto-utils package, and therefore the genkey command, has been removed from RHEL8 onward. Use openssl instead.
The genkey command allows you to generate certificate and key file pairs directly from the command line.
If they are not already installed, install the mod_ssl, openssl and crypto-utils packages.
# yum install mod_ssl openssl crypto-utils
The genkey command can generate a certificate request or a new self-signed certificate. The following command creates a self-signed certificate for the specified machine.
# genkey --makeca rhce1.localdomain
The certificate and key file are created in the following locations respectively.
# ls /etc/pki/CA/
certs  crl  newcerts  private  rhce1.localdomain
# ls /etc/pki/CA/private/
rhce1.localdomain
#
keytool (Java)
The keytool utility is present as part of the Java Runtime Environment (JRE), either in the standalone JRE installation, or under the "jre" directory of the JDK installation.
The following commands create a keystore containing a self-signed certificate.
$ mkdir ~/keystore
$ cd ~/keystore
$ export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64
$ $JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
    -storepass password1 -validity 360 -keysize 2048 -keypass password1
The utility asks you to provide information in the following format.
What is your first and last name?
  [Unknown]:  rhce1.localdomain
What is the name of your organizational unit?
  [Unknown]:  Example Department
What is the name of your organization?
  [Unknown]:  Example Company
What is the name of your City or Locality?
  [Unknown]:  Birmingham
What is the name of your State or Province?
  [Unknown]:  West Midlands
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Tim Hall, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB correct?
  [no]:  yes

Enter key password for <selfsigned>
        (RETURN if same as keystore password):
$
Alternatively, you can provide the answers directly on the command line.
$ $JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
    -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB" \
    -storepass password1 -validity 360 -keysize 2048 -keypass password1
The following command checks the contents of the keystore.
$ $JAVA_HOME/jre/bin/keytool -list -v -keystore keystore.jks -storepass password1

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=rhce1.localdomain, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB
Issuer: CN=rhce1.localdomain, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
         MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
         SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


$
orapki (Oracle)
The orapki utility makes handling certificates and Oracle wallets very simple.
Create a location for your wallet.
$ mkdir /home/oracle/wallet
$ cd /home/oracle/wallet
Add the location of the orapki utility to your path.
# WebLogic
$ export PATH=$PATH:$MW_HOME/oracle_common/bin

Or

# Database
$ export PATH=$PATH:$ORACLE_HOME/bin
Create a wallet to hold your certificate.
$ orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login
Create a self-signed certificate and add it to your wallet.
$ orapki wallet add -wallet ./ -pwd WalletPasswd123 \
    -dn "CN=`hostname`, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB" \
    -keysize 1024 -self_signed -validity 365
You can check the contents of the wallet with the following command.
$ orapki wallet display -wallet ./ -pwd WalletPasswd123
Oracle PKI Tool : Version 11.1.1.5.0
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=rhce1.localdomain,OU=Example Department,O=Example Company,L=Birmingham,ST=West Midlands,C=GB
Trusted Certificates:
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=rhce1.localdomain,OU=Example Department,O=Example Company,L=Birmingham,ST=West Midlands,C=GB
$
You can read more about Oracle wallets and the orapki utility here.
Converting Between Keystores and Wallets (orapki)
Oracle Fusion Middleware can be quite confusing at times because different products handle their certificates in different ways. For example, managed servers use a JKS keystore, but the Oracle HTTP Server (OHS) requires an Oracle Wallet. Fortunately, the orapki utility allows you to convert between these two formats.
To import the contents of a JKS keystore into an existing wallet, use the following commands.
$ # Create a new wallet
$ orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login

$ # Import the contents of the JKS keystore into the new wallet.
$ $MW_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd WalletPasswd123 \
    -keystore identity.jks -jkspwd password1
To create identity and trust keystores from a wallet, use the following command.
$ orapki wallet pkcs12_to_jks -wallet ./ -pwd WalletPasswd123 \
    -jksKeyStoreLoc ./identity.jks -jksKeyStorepwd password1 \
    -jksTrustStoreLoc ./trust.jks -jksTrustStorepwd password1