Oracle ewallet证书常用命令

1. 第一步：创建一个新的ewallet

orapki wallet create -wallet ${WALLET} -pwd ${PASSWORD}

2. 第二步，添加用户证书和key

openssl pkcs8 -topk8 \
  -in tls.key \
  -out tls.enc.key \
  -passout pass:${PASSWORD}

orapki wallet import_private_key \
  -wallet ${WALLET} -pwd ${PASSWORD} \
  -pvtkeyfile tls.enc.key -pvtkeypwd ${PASSWORD} \
  -cert ${CERTDIR}/tls.pem

这里有两步操作，因为oraplki不允许导入未加密的key，所以必须先用PKCS#8 format对key进行加密。

3. 第三步，添加trusted证书链

orapki wallet add    
  -wallet ${WALLET} -pwd ${PASSWORD} \
  -trusted_cert \
  -cert ca-chain.pem

注意经测试，这里一次只能增加一个证书，不能一次增加多个证书链，所以如果ca-chain.pem里面是一个包含多个证书的证书链，则需要把他们分开，然后一个一个加入。

4. 第四步，增加其他用户证书

orapki wallet add    
  -wallet ${WALLET} -pwd ${PASSWORD} \
  -user_cert \
  -cert user-cert.pem

注意这里只增加用户证书，不含用户key，所以必须key已经在wallet里面存在，否则会出错。所以常见使用场景是，一个key生成了多个用户证书，比例之前的证书过期了作废了，然后需要更新一个新的证书。

5. 查看ewallet的内容

orapki wallet display -wallet ${WALLET} -pwd ${PASSWORD}

6. 导出ewallet证书内容

导出所有内容(CA证书，用户证书，key)

$ openssl pkcs12 -in ewallet.p12 -passin pass:<wallet_password>  -out out.txt -nodes

只导出证书(CA证书和用户证书)

$ openssl pkcs12 -in ewallet.p12 -passin pass:<wallet_password> -out out.txt -nodes -nokeys

只导出用户key

$ openssl pkcs12 -in ewallet.p12 -passin pass:<wallet_password> -out out.txt -nodes -nocerts

7. 附录

是一个脚步用了生产oracle ewallet证书。

#!/bin/sh


function makeRootWallet
{
  typeset WALLETCN=$1

  echo "==> Create an empty wallet"
  orapki wallet create             -wallet ${WALLETCN} -pwd <PASSWD>

  echo "==> Add self-signed root CA certificate into wallet"
  orapki wallet add                -wallet ${WALLETCN} -keysize 1024 -dn "cn=${WALLETCN},dc=mycompany,dc=com" -self_signed -validity 3650 -pwd <PASSWD>

  echo "==> Export root certificate from wallet as pem"
  orapki wallet export_trust_chain -wallet ${WALLETCN} -certchain ${WALLETCN}/${WALLETCN}.pem -dn "cn=${WALLETCN},dc=mycompany,dc=com" -pwd <PASSWD>
}

function makeUserWallet
{
  typeset WALLETCA=$1  # The CA certificate path, used to sign user certificate
  typeset WALLETCN=$2

  echo "==> Create User wallet"
  orapki wallet create -wallet ${WALLETCN} -pwd <PASSWD>

  echo "==> Create certificate request in wallet"
  orapki wallet add -wallet ${WALLETCN} -keysize 1024 -dn "cn=${WALLETCN},dc=mycompany,dc=com" -pwd <PASSWD>

  echo "==> Export certificate request from wallet as csr"
  orapki wallet export -wallet ${WALLETCN} -dn "cn=${WALLETCN},dc=mycompany,dc=com" -request ${WALLETCN}/${WALLETCN}.csr -pwd <PASSWD>

  echo "==> Create CA-signed certificate"
  orapki cert create -wallet ${WALLETCA} -request ${WALLETCN}/${WALLETCN}.csr -cert ${WALLETCN}/${WALLETCN}.pem -validity 3650 -pwd <PASSWD>

  echo "==> Add trusted certificates to wallet"
  orapki wallet add -wallet ${WALLETCN} -trusted_cert -cert ${WALLETCA}/${WALLETCA}.pem -pwd <PASSWD>

  echo "==> Add user certificate into wallet"
  orapki wallet add -wallet ${WALLETCN} -user_cert -cert ${WALLETCN}/${WALLETCN}.pem -pwd <PASSWD>
}

makeRootWallet ca
makeUserWallet ca server
makeUserWallet ca client