Showing posts with label OHS. Show all posts
Showing posts with label OHS. Show all posts

18 April 2017

SHA2 on Oracle Http Server

OHS has Limitation to work with SHA2 certificates and supports from 11.1.1.9 onwards

Here are the steps to configure SHA2 certificate over OHS server


1 generate a private key
$ openssl genrsa -des3 -out private.key 2048
(give password )

2 generate CSR
$ openssl req -new -sha256 -key private.key -out abc.csr

3 Create openssl wallet
$ openssl pkcs12 –export –out ewallet/ewallet.p12 –inkey priv_key_location \ 
  –in server_cert_location –certfile root_cert_location

  verify It using below command. You will see ‘User and trusted certificate’ 
  as shown in green below(if above command used correctly)
$ orapki wallet display -wallet ewallet/
**
User Certificates:
Subject:    CN=www.abc.com,O=GOOGLE INC,L=London,ST=London,C=GB
Trusted Certificates:
Subject:    CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\,
            Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
**

4 Extract user.crt  from the wallet created in previous step
$ orapki wallet export -wallet /opt/software/wt/ohs_instance/config/OHS/ohs1/keystores/ewallet/ \
  -dn "CN=www.abc.com,O=GOOGLE INC,L=London,ST=London,C=GB" -cert user.crt -pwd ********

Extract the intermediate and root certificate in base 64 format from certificate received by CA.
(from windows machine)

5 Create chain certificates ( copy certificates into single file chain.crt)
user --> Intermendiate --> root

6 Create a wallet using openssl
$ openssl pkcs12 –export –out /ohs_instance/config/OHS/ohs1/keystores/openssl/ewallet.p12 \
  –inkey private.key –in user.crt –certfile chain.crt

7 Convert openssl wallet to JKS
$ orapki wallet pkcs12_to_jks -wallet /ohs_instance/config/OHS/ohs1/keystores/openssl \ 
  -pwd ******** -jksKeyStoreLoc /ohs_instance/config/OHS/ohs1/keystores/punit.jks -jksKeyStorepwd welcome1 

8 Create an auto login wallet using orapki
$ orapki wallet create -wallet /ohs_instance/config/OHS/ohs1/keystores/abc -auto_login -pwd welcome1

9 Convert jks to wallet
$ orapki wallet jks_to_pkcs12 -wallet /ohs_instance/config/OHS/ohs1/keystores/dslcheck -pwd welcome1 \ 
  -keystore /opt/software/wt/ohs_instance/config/OHS/ohs1/keystores/punit.jks -jkspwd welcome1 

10 verify  wallet
 $ orapki wallet display -wallet /ohs_instance/config/OHS/ohs1/keystores/abc/

this should show below result and include all the certificates

**
User Certificates:
Subject:    CN=www.abc.com,O=GOOGLE INC,L=London,ST=London,C=GB
Trusted Certificates:
Subject:    CN=www.abc.com,O=GOOGLE INC,L=London,ST=London,C=GB
Subject:    CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
Subject:    CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, 
            Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
**

Refer the wallet path into ssl.conf & httpd.conf as

SSLWallet "/opt/software/wt/ohs_instance/config/OHS/ohs1/keystores/abc"

Restart the instance.

Refer this to check your installed certificate
https://www.sslshopper.com/ssl-checker.html#hostname=abc.com
No comments:
Labels: , ,