18 Replies. Latest reply: Dec 2, 2008 6:23 AM by Anuj Dwivedi--Oracle

    How can we use two user certificates at a time?

    Anuj Dwivedi--Oracle
      Hi,

      I want to use two different user certificates for two different trading partners. Can we keep two private keys in a single wallet and use them simultaneously? In our case our two trading partners are using different CAs' certificates and we are forced to use two private keys.

      Please tell me whether there is any way by which I can manage two private keys at a time in a single wallet.

      Please help.

      Thanks & Regards,
      Anuj Dwivedi
        • 1. Re: How can we use two user certificates at a time?
          633871
          Hi All,

          1. Using the orapki tool, we first generated an empty wallet.
          2. We then created a user certificate-private key pair inside the wallet.
          3. We ran the same command again and we were able to add another user certificate-private key pair.

          This procedure can be used to add as many user certificate/private key pairs as needed to the same wallet.

          My understanding is that, while specifying the communication capability, we specify the signing credential as the user certificate. This user certificate will internally map to the private key and this private key will sign any message going out of the host.

          Any two TPs talking to each other will use their agreement to specify the delivery channel (i.e. the given communication capability).

          Hence, a host can identify itself with more than one private key-user certificate pair and based on the agreement details, the correct private key-user certificate will be used for signing the messages.

          Is my understanding correct?

          When the orapki tool is not used to generate private key/user certificate pairs, how are multiple private key/user certificate pairs imported into the wallet?

          Please advise.

          With Thanks & Regards,
          Suhas.
          • 2. Re: How can we use two user certificates at a time?
            Ramesh Nittur Anantharamaiah-Oracle
            Ideally it should be possible to store multiple private keys in the wallet. Use the appropriate public key while configuring the signing feature in B2B. At runtime the B2B engine finds the private key in the wallet that corresponds to this public key and signs the message with it.
            • 3. Re: How can we use two user certificates at a time?
              633871
              Hi Ramesh,

              Thanks for confirming the above. I will try this and update this post.

              With Thanks & Regards,
              Suhas.
              • 4. Re: How can we use two user certificates at a time?
                Anuj Dwivedi--Oracle
                Hi Ramesh,

                I tried to export a user certificate from one wallet and import it back into another wallet that already contains a private key, but it gave me an error. What is the way by which I can export a private key from a wallet and import it back into another one that already contains a private key?

                Need help on this.

                Thanks & Regards,
                Anuj Dwivedi
                • 5. Re: How can we use two user certificates at a time?
                  633871
                  Hi Ramesh,

                  The steps followed are as follows:

                  1. Export the trusted certificate from wallet B and name it as BTrust.cer
                  2. Export the user certificate from wallet B and name it as BUser.cer
                  3. Import BTrust.cer into Acme Wallet's trust certificates
                  4. Import BUser.cer into Acme Wallet.

                  While importing the BUser.cer into Acme wallet, we get the following error:

                  - Input was not a valid certificate
                  - No matching certificate request was found
                  - CA certificate needed for certificate chain not found. Please install it first.

                  I also ensured that the certificates are in Base64 format. The following link also says that multiple private keys can be stored in the same wallet:

                  http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10772/asowalet.htm#1006323

                  We have been able to have multiple private keys in OWM using Orapki. But we are not able to do the same using the Operations in OWM.

                  Is there a way in which we can use orapki to import the user certificate?

                  Please Help!

                  Thanks & Regards,
                  Suhas.
                  • 6. Re: How can we use two user certificates at a time?
                    Ramesh Nittur Anantharamaiah-Oracle
                    Please follow Re: Import Certificates into Wallet

                    Paste the user certificate by including the below tag

                    -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
                    • 7. Re: How can we use two user certificates at a time?
                      Nandagopal.S
                      Ideally you need to have a certificate request for the second user certificate as well. For testing purposes, please run the commands below after setenv, which will create an ewallet with two user certificates in the server folder.

                      # 1. Test CA: a wallet holding a self-signed root key/certificate, exported in Base64
                      #    (1024-bit keys as in the test; use 2048 or larger for anything real)
                      orapki wallet create -wallet ./root -pwd welcome1
                      orapki wallet add -wallet ./root -dn "CN=root_test,C=US" -keysize 1024 -self_signed -validity 3650 -pwd welcome1
                      orapki wallet export -wallet ./root -dn "CN=root_test,C=US" -cert ./root/b64certificate.txt -pwd welcome1

                      # 2. Server wallet: first key pair and its certificate request
                      orapki wallet create -wallet ./server -pwd welcome1
                      orapki wallet add -wallet ./server -dn "CN=server_test,C=US" -keysize 1024 -pwd welcome1
                      orapki wallet export -wallet ./server -dn "CN=server_test,C=US" -request ./server/creq.txt -pwd welcome1

                      # 3. Sign the first request with the test root
                      orapki cert create -wallet ./root -request ./server/creq.txt -cert ./server/cert.txt -validity 3650 -pwd welcome1

                      # 4. Install the root as a trusted certificate and the signed certificate as the first user certificate,
                      #    then repeat key pair -> request -> sign -> import for the second identity in the same wallet
                      orapki wallet add -wallet ./server -trusted_cert -cert ./root/b64certificate.txt -pwd welcome1
                      orapki wallet add -wallet ./server -user_cert -cert ./server/cert.txt -pwd welcome1
                      orapki wallet add -wallet ./server -dn "CN=server_test2,C=US" -keysize 1024 -pwd welcome1
                      orapki wallet export -wallet ./server -dn "CN=server_test2,C=US" -request ./server/creq2.txt -pwd welcome1
                      orapki cert create -wallet ./root -request ./server/creq2.txt -cert ./server/cert2.txt -validity 3650 -pwd welcome1
                      orapki wallet add -wallet ./server -user_cert -cert ./server/cert2.txt -pwd welcome1

                      Verify the same using wallet manager.

                      Please let us know.

                      Regards
                      Nandagopal.S
                      • 8. Re: How can we use two user certificates at a time?
                        Anuj Dwivedi--Oracle
                        Hi Nandagopal,

                        Thanks a lot for your reply.

                        We have already tested the scenario, but now for production we have to merge two wallets into one, as we are bound to use two identities for communicating with our two Trading Partners. In our case each of the Trading Partners accepts a different CA's issued certificate. So we have to have two identities (our certificates approved by their CAs) for communicating with them together.

                        Is there any method by which we can export a private key from one wallet and import it back into another wallet (which already contains a private key)?

                        Please help!

                        Thanks & Regards,
                        Anuj Dwivedi
                        • 9. Re: How can we use two user certificates at a time?
                          Nandagopal.S
                          Hi Anuj,

                          Please try the above example and let us know.

                          Regards
                          Nandagopal.S
                          • 10. Re: How can we use two user certificates at a time?
                            633871
                            Hi Nandagopal,

                            The steps you have provided will do the following:

                            1. Create wallet1, generate user and trust certificates and export the wallet as wallet1.txt (in base64 format)
                            2. Create wallet2, generate user and trust certificates and export the wallet as wallet2.txt (in base64 format)
                            3. Create a certificate request in wallet1
                            4. Add trusted certificate into the wallet2 (i.e root user certificate will be added to the server's trusted certificate)
                            5. Add user certificate in wallet2 (i.e. server's user certificate in server's wallet)


                            We understood the commands you gave us above, but could you please explain the next 4 commands:

                            orapki wallet add -wallet ./server -dn "CN=server_test2,C=US" -keysize 1024 -pwd welcome1
                            orapki wallet export -wallet ./server -dn "CN=server_test2,C=US" -request ./server/creq2.txt -pwd welcome1
                            orapki cert create -wallet ./root -request ./server/creq2.txt -cert ./server/cert2.txt -validity 3650 -pwd welcome1
                            orapki wallet add -wallet ./server -user_cert -cert ./server/cert2.txt -pwd welcome1


                            We will execute these example commands and update you.

                            With Thanks & Regards,
                            Suhas.
                            • 11. Re: How can we use two user certificates at a time?
                              Anuj Dwivedi--Oracle
                              Hi Nandagopal,

                              I tried your steps. What it does is create a self-signed key and then sign two requests using this key. Then it merges both of them. But in our case we are using certificates which are already approved.

                              So, using orapki, can we extract a private key which is already approved, and can we merge two private keys which are approved by different CAs into one wallet?

                              Thanks & Regards,
                              Anuj Dwivedi
                              • 12. Re: How can we use two user certificates at a time?
                                Ramesh Nittur Anantharamaiah-Oracle
                                a. How To Extract A Private Key and Certificate From A Wallet

                                Oracle does not provide any functionality within Wallet Manager, or otherwise, to do this. However this can be achieved using OpenSSL.
                                - If a Linux server is available, OpenSSL is usually installed by default (/usr/bin/openssl). If not, you can download it from www.openssl.org
                                - To extract the key and certificate from the Wallet run:

                                # -nodes writes the private key(s) unencrypted into ewallet.txt; keep that file's permissions tight and delete it when done
                                openssl pkcs12 -in ewallet.p12 -passin pass:<wallet_password> -out ewallet.txt -nodes

                                - The resulting ewallet.txt is a file that contains the unencrypted private key, the certificate and all the root CAs in the wallet. The relevant information for the key and certificate(s) can then be copied to separate files to create the individual key and certificate(s).

                                b. How to Convert a Certificate and Private Key to an Oracle Wallet

                                SSL2OSSL (UNIX) and OSSLCONVERT (Windows) are tools that allow you to convert Private Keys and Certificates to an Oracle Wallet format. This format is required for Oracle Application Server. $ORACLE_HOME/Apache/Apache/bin/ssl2ossl

                                Points to Note:

                                * Even though capath, cafile, and chain are optional, at least one must be specified.
                                * All the certificates that are being converted must be in base64 format.
                                * If you are converting a self-signed certificate, running ssl2ossl/osslconvert does not import the certificate as a Trusted Certificate. Therefore it is necessary to import the certificate as a Trusted Certificate in Wallet Manager after it is converted, otherwise the Wallet will not work with Application Server.

                                usage:

                                $ ssl2ossl -cert /<path>/server.crt -key /<path>/private.key -cafile /<path>/rootca.crt -wallet /ssl/wallet -ssowallet yes
                                Enter wallet password:
                                Verifying password - Enter wallet password:
                                SUCCESS

                                This will create a ewallet.p12 file in /ssl/wallet
                                • 13. Re: How can we use two user certificates at a time?
                                  Anuj Dwivedi--Oracle
                                  Hi Ramesh,

                                  Thank you so much for coming with a method.

                                  I will try this out and let you know the result.

                                  Thanks & Regards,
                                  Anuj Dwivedi
                                  • 14. Re: How can we use two user certificates at a time?
                                    633871
                                    Hi Ramesh,

                                    Thanks for the work-around you gave. After implementing the steps you gave, 2 private keys were extracted separately using OpenSSL and put into a single text file. Then, when this text file was imported into the wallet, only 1 private key was found, while all other trust certificates were imported successfully.

                                    Further, when we create 2 private keys using orapki and export the wallet, only one private key is exported.

                                    This shows that Oracle Wallet Manager does not support import/export of 2 private keys.

                                    I have the following doubt with respect to Oracle B2B:

                                    In tip.properties while specifying the wallet path, we give .//..//..//default/ewallet.txt
                                    Suppose, we just give the folder location till .//..//..//default , will this work?

                                    With Thanks & Regards,
                                    Suhas.
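A check that fits posts 12 and 14 above, added here as an example and not part of the thread or of Oracle's tooling: ewallet.p12 is a PKCS#12 file, and in the layout OpenSSL writes (RFC 7292) the private keys sit as keyBag / pkcs8ShroudedKeyBag entries in the unencrypted `data` part of the AuthenticatedSafe, while certificates sit in an `encryptedData` part. So you can count how many private keys a wallet actually holds without the wallet password, which is exactly the question left open after the import in post 14. The script walks the DER with the Python standard library only. Assumptions: the layout just described (if a wallet keeps its keys inside the encrypted safe, the count comes back 0 and you first need the `openssl pkcs12 ... -nodes` step from post 12); `build_sample_pfx` is a constructed fixture with dummy key payloads, not a real wallet, and the function and OID names are this example's own.

```python
"""Count private-key bags in a PKCS#12 file (e.g. Oracle's ewallet.p12) without
the wallet password. Added example for the thread above; not Oracle tooling."""
import sys

# Bag and content types from PKCS#12 (RFC 7292) and PKCS#7
OID_KEY_BAG = "1.2.840.113549.1.12.10.1.1"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_CERT_BAG = "1.2.840.113549.1.12.10.1.3"
OID_DATA = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#12")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Dotted-decimal form of the content octets of a DER OBJECT IDENTIFIER."""
    first = value[0]
    parts = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def _is_der_sequence(value):
    """True if value is exactly one well-formed DER SEQUENCE. PKCS#12 nests the
    AuthenticatedSafe and each plain SafeContents inside an OCTET STRING as DER;
    ciphertext and MAC octets almost never pass this test, so they stay opaque."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    try:
        _, _, end = _read_tlv(value, 0)
    except (ValueError, IndexError):
        return False
    return end == len(value)


def _collect_oids(buf, found):
    """Append every OID reachable through constructed nodes and DER-carrying
    OCTET STRINGs. Anything inside an encryptedData safe is never reached."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(value))
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n] EXPLICIT
            _collect_oids(value, found)
        elif tag == 0x04 and _is_der_sequence(value):
            try:
                _collect_oids(value, found)
            except (ValueError, IndexError):
                pass                       # looked like DER but was not; treat as opaque


def count_bags(p12_bytes):
    """Counts of key bags, cert bags and encryptedData safes visible without the password."""
    oids = []
    _collect_oids(p12_bytes, oids)
    return {
        "private_keys": oids.count(OID_KEY_BAG) + oids.count(OID_SHROUDED_KEY_BAG),
        "certificates": oids.count(OID_CERT_BAG),
        "encrypted_safes": oids.count(OID_ENCRYPTED_DATA),
    }


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed fixture below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(enc))
    return _der(0x06, bytes(out))


def build_sample_pfx(num_keys):
    """Constructed fixture, not a real wallet: a PFX skeleton with num_keys
    pkcs8ShroudedKeyBags in a plain `data` safe plus one encryptedData safe standing
    in for the certificate safe. Key payloads are dummy bytes, not real keys."""
    key_bags = b"".join(
        _der(0x30, _oid(OID_SHROUDED_KEY_BAG)
             + _der(0xA0, _der(0x30, _der(0x04, bytes(8) + bytes([i])))))
        for i in range(num_keys))
    plain_safe = _der(0x30, _oid(OID_DATA) + _der(0xA0, _der(0x04, _der(0x30, key_bags))))
    enc_content = _der(0x30, _oid(OID_DATA)
                       + _der(0x30, _oid("1.2.840.113549.1.12.1.3") + _der(0x04, bytes(8)))
                       + _der(0x80, b"\x17\x03\x99\x42"))   # [0] IMPLICIT opaque ciphertext
    enc_safe = _der(0x30, _oid(OID_ENCRYPTED_DATA)
                    + _der(0xA0, _der(0x30, b"\x02\x01\x00" + enc_content)))
    auth_safe = _der(0x30, plain_safe + enc_safe)
    return _der(0x30, b"\x02\x01\x03"
                + _der(0x30, _oid(OID_DATA) + _der(0xA0, _der(0x04, auth_safe))))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx(2)
    print(count_bags(data))
```

Run it as `python3 count_p12_keys.py ewallet.p12` on the wallet before and after an import; with no argument it runs on the fixture and reports two private keys, zero visible certificates and one encrypted safe. A certificate count of 0 next to a non-zero encrypted-safe count is expected, since the CertBags sit in the encrypted part; a private-key count of 0 on a wallet that you know holds keys means the keys are inside the encrypted safe too, and only the password-based extraction from post 12 can see them.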