SSL + Wallet Manager

858986 May 24 2011 — edited May 25 2011
Hi All,

I am trying to configure SSL on my application. I am using OHS11g. I got the certificate from the CA. I downloaded the rootCA, primary and secondary intermediate certificates. I have imported the rootCA first. When I try to import the primary CA, I get an error like *"Trusted Certificate Installation Failed" possible errors: Some trusted Certificates could not be installed and Trusted certificate is already present in the wallet*. Then when I try to import the user certificate, it gives an error like *"user certificate import has failed because the ca certificate does not exist"*. I tried some combinations, like removing the rootCA and importing the primary CA. Then I also get the same error.

Please let me know a solution for this.

Thanks,
Manikandan

Comments

mseberg
I did this a while back. Here are my simple notes :

1) Create an Oracle Wallet using Oracle Wallet Manager (owm)

2) Import your_cert.crt into the Wallet as a Trusted Certificate.

3) Save the Wallet and add the following to the sqlnet.ora file on the server

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY =
%PATH_TO_WALLET%)))

4) Restart Listener.


I would consider a do over.

Hope this helps

mseberg
858986
Hi mseberg,

Thanks for the reply...

I am not configuring at the database level. I am configuring SSL with my application. I did the following:

Created Wallet

Created Certificate Request and sent it to the CA

Received the certificate signed by the CA (Verisign)

I am trying to do the following, but I am getting the error which I mentioned in my earlier post:

Verisign says to first import the root, primary and secondary certs as trusted certificates into the Wallet

Import the user certificate (which is given by the CA)

Any suggestions? It's a bit urgent.

Thanks,
Manikandan
mseberg
Different animal, I have notes : (Older, but I think OK)


Oracle 10G SSL Configuration
There are three major steps needed to configure SSL in OracleAS 10g:
I. Create an Oracle Wallet which contains an SSL Certificate.
II. Configure httpd.conf directives to enable SSL with OHS.
III. Configure the opmn.xml to enable Oracle Application Server 10G to allow SSL with OHS.
STEP I: Configuring Oracle Wallet Manager (OWM)
=========================================================================
1. Start Oracle Wallet Manager from the OracleAS 10g $ORACLE_HOME.
Note: If you wish to use AutoLogin features you must start OWM as
the user owning the httpd parent process.
To start Oracle Wallet Manager:
On Windows: select Start -> Programs -> OracleAS 10g - ORACLE_HOME -> Integrated Management Tools -> Wallet Manager
On UNIX: enter "owm" at the command line.
2. Create an Oracle Wallet which contains an SSL Certificate:

- Select Wallet -> New

- Enter a password for the wallet (e.g Welcome1)

- Create a Certificate Request.

- Enter the details for the request. For example:
Common Name: <host.domain>
Organizational Unit: Support
Organization: Oracle
Location: Reading
State: Berkshire
Country: United Kingdom
Key Size: 1024bits

* Common Name has to match the host.domain that the webserver is known as. This is the ServerName parameter in the httpd.conf file and the host.domain that users will access from the browser URL.

- Click OK.

- Click 'Certificate:[Requested]' and select from the Menu 'Operations' and 'Export Certificate Request'

- Save to a file (e.g server.csr)

- Select Wallet -> Save

- Save to a directory e.g /tmp/wallet/

- Open the file in a text editor and copy the contents of the certificate signing request.

An example is shown below:
-----BEGIN NEW CERTIFICATE REQUEST-----
[base64 request body omitted]
-----END NEW CERTIFICATE REQUEST-----

3. Request a Certificate from a Certificate Authority.
For the purposes of this note it is assumed you have OracleAS 10g Oracle Certificate Authority configured within your organization. (NB: If you want to use another CA then follow the next section, then proceed on to Step II in this document.)
=======================================================================
Request a Certificate from a Certificate Authority:
- Load a web browser and go to a Certificate Authority website of your choice.
The examples below are from www.thawte.com:

- Click on 'request your free trial'.

- Fill in the necessary name and address details etc. and 'Submit'.

- Paste in the certificate request into the box under the 'Certificate Signing Request' Section.

- Select "Test X509v3 SSL Cert" and hit "Generate Test Certificate"

- Once submitted the Trial Certificate will appear on screen similar to below:

-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

- Copy the certificate to a file called server.crt

- Get the Trusted CA Root certificate by accessing:
https://www.thawte.com/roots/index.html

- Copy the certificate that appears on the screen to a file called servertest.crt

- Ftp or move the files to a directory on your server

- In Wallet Manager select Operations -> Import User Certificate.

- It will then ask you if you want to Paste the certificate or load from a file. Choose 'Select a file that contains a certificate'.

- Select the file server.crt and hit OK.

- At this point, the Wallet Manager may complain that the Trusted CA Root Certificate does not exist in the wallet. It will ask if you want to import it now. Select Yes. See Below

- Select 'Select a file that contains a certificate' and select the servertest.crt file.

- If this completes successfully you should see Certificate:[Ready] and the Thawte Test CA Root will appear in the list of trusted certificates.

- If you desire Oracle HTTP Server to AutoLogin to the Wallet, then select AutoLogin. (Wallet Manager must have been started as the owner of the httpd parent process for this to work).

- From the menu, File -> Save
Save the Wallet in a directory where the 9iAS user has permission to access
* If you generated your test certificate via www.verisign.com there is an additional step required if OWM is not accepting the Trusted CA Root Certificate. The step is as follows:
In OWM, at the point of message "User certificate import has failed because the CA certificate does not exist". You are expected to import the CA certificate. For Verisign, that would be the 'Test CA Root' for the Trial version. Verisign's email has instructions on how to download the Test CA Root. One problem with the Test CA Root is that it is saved as DER encoding, but OWM expects BASE64 encoding.
Please do following, using Internet Explorer 5.X as example.

1. Follow Verisign's instructions and install the Test CA Root certificate into IE.

2. Export 'Test CA Root' from IE in BASE64 format: Tools -> Internet Options -> Contents -> Certificates -> Trusted Root Certificate Authorities
Select the CA issued by Verisign with the following Description in the 'Issued to' column
"For Verisign authorized testing only ....."
Export -> Next -> select Base-64 encoded X.509(.cer)
The file saved must be accessible to OWM

3. When prompted to load 'CA certificate ', provide the Base64 encoded file. Then, continue where you left off when OWM did not accept your Trusted CA Root Certificate.

Access the URL from which the OCA install resides (e.g. https://host.domain:4400/oca/user)
- Note, the first time you access this site from a browser, the browser will inform you that the certificate is not trusted. Depending on your environment the following is required:
On Windows using IE (tested with 5.5), accept the certificate for the session and then once the OCA page has been loaded, select 'click here to import the certificate authority certificate into your browser'. This will prompt you to download and install a file called certImport.cer. Double click on this file and then select “Install Certificate” to launch the Certificate Import Wizard.
From there, follow the wizard to successfully import the certificate into the browser. The certificate can then be managed by going to Tools -> Internet Options -> Content -> Certificates.
On Unix using Mozilla (tested with 1.0.1), select the option to Remember this certificate permanently and once the OCA page has been loaded, select 'click here to import the certificate authority certificate into your browser'. A dialog box will then prompt to trust host? for the following purposes:

- Trust this CA to identify web sites.

- Trust this CA to identify email users.

- Trust this CA to identify software developers.
Once one or more of these options are selected, the certificate has been imported and can be found under:
Edit -> Preferences -> Privacy and Security -> Certificates -> Manage Certificates -> Authorities -> Certificate Name is Oracle Corporation.
On Unix or Windows, using Netscape (tested with 6.0), a dialog box will prompt you with the following options:

- Accept this certificate permanently.

- Accept this certificate temporarily for this session.

- Do not accept this certificate and do not connect to this web site.
As long as the third option is not selected the prompt will be eliminated. Once the OCA page has been loaded the option to select 'click here to import the certificate authority certificate into your browser' will bring up a pop-up prompting you to trust name? for the following purposes:

- Trust this CA to identify web sites.

- Trust this CA to identify email users.

- Trust this CA to identify software developers.
Once one or more of these options are selected, the certificate has been imported and can be found under:
Edit -> Preferences -> Privacy and Security -> Certificates -> Manage Certificates? -> Authorities.

- In the URL https://host.domain:4400/oca/user, click on the Server/SubCA Certificates

- Click 'Request a Certificate'

- Paste in the certificate request and fill in the form details. For example,
PKCS#10 Request:
-----BEGIN NEW CERTIFICATE REQUEST-----
[base64 request body omitted]
-----END NEW CERTIFICATE REQUEST-----
Name: Fred Bloggs
Email: fred.bloggs@oracle.com
Certificate Usage: SSL/Encryption
Validity Period: 1 year
- Hit the 'Submit' button

- A page will appear similar to the following:
Information
--------------
Your certificate request is accepted. Administrator will contact you for certificate issuance. Your request ID is "4". Please use this request ID for future reference.

4. If you are not the Certificate Authority, then wait until the CA has contacted you to say the certificate is ready and then proceed on to step (5).
If you are the Oracle Certificate Administrator then perform the following:

- Access the OCA Administration page from which the OCA install resides (e.g. https://host.domain:4400/oca/admin)

- Click on the 'Certificate Management' tab

- Here you will see the Certificate Requests awaiting action.

- Select the radio button for "Request ID" 4. Select 'View Details'

- This will bring up a page similar to the following:
Certificate Request Information
-------------------------------
Status : PENDING
Certificate Type : server
Certificate Usage : SSL, Encryption
Serial Number : 4
Subject DN : CN=midtier.uk.oracle.com,OU=dept1,O=company1,L=Reading,ST=Berkshire,C=GB
Request Date : Tue Sep 16 14:17:15 BST 2003
Algorithm : RSA
Exponent : 65537
Subject(Requestor) CN=midtier.uk.oracle.com,OU=dept1,O=company1,L=Reading,ST=Berkshire,C=GB
Validity Period: 365 days

- Select 'Approve'

- You will get a page similar to the following:
Certificate Request is approved. The serial number of the issued certificate is "5". Requestor Name: Fred Bloggs Requestor Email: fred.bloggs@oracle.com

5. Once the certificate has been approved, access the following URL:
https://host.domain:4400/oca/user

- Click on the 'Server/Sub CA Certificate' tab

- Select "Search" -> "Certificate Request" -> "ID/Serial No."

- Enter number 4 in the box (where 4 is the request ID number as per step 4) and select 'Go'

- A page should be displayed similar to the following:

Request ID 4
User DN CN=midtier.uk.oracle.com,OU=dept1,O=company1,L=Reading,ST=Berkshire,C=GB
Request Type server
Request Date 16 September 2003
Status Certified
Serial Number 5
As the status is certified we know the certificate has been issued and we can download it. Click on the Serial Number (e.g 5) and this will display a page with the base 64 certificate:
BASE64-Encoded Certificate.
--------------------------
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

- Click on 'Download Certificate' and save to a file (e.g server.crt)

- Select the 'Home' tab and then select 'click here to download the Certificate Authority certificate to your file system' and save to a file (e.g rootca.crt).
This is the rootCA that has to be loaded in the wallet.

6. Load the root CA and server certificate into the wallet.
In Wallet Manager select Operations -> Import Trusted Certificate.

- It will then ask you if you want to Paste the certificate or load from a file. Choose 'Select a file that contains a certificate'.

- Select the file server.crt and select OK.

- At this point, the Wallet Manager may complain that the Trusted CA Root Certificate does not exist in the wallet. It will ask if you want to import it now. Select Yes.

- Locate 'Select a file that contains a certificate' and select the rootca.crt file.

- If this completes successfully you should see Certificate:[Ready] and the Oracle Certificate Authority Root certificate will appear in the list of trusted certificates.

- If you desire Oracle HTTP Server to AutoLogin to the Wallet, then select AutoLogin. (Oracle Wallet Manager must have been started as the owner of the httpd parent process in order for this to work).

- From the menu, select File -> Save. Save the Wallet in a directory.
Note : After Certificate has been signed :
Import rootca.crt as trusted CERT.
Import server.crt as user CERT.

STEP II: Configuring Oracle HTTP Server (OHS)
=========================================================================
Starting in Oracle Application Server 10G, all SSL related directives are stored in $ORACLE_HOME/Apache/Apache/conf/ssl.conf.

1. Please review the default directives in the ssl.conf file that relate to SSL by opening the file in a text editor and search on "SSL". If you have not already done so, please make a back up of this file. Do NOT hand edit this file without reading the precautions in the 10G Documentation. You should use the Enterprise Manager (EM) Application Server Control to modify this file:
Farm > Application Server: sid.host.domain > HTTP Server > Administration Tab> Advanced Server Properties > Edit ssl.conf.

2. For SSL to work, the SSL 'listen' port must match the "VirtualHost _default_" directive within the file. All other SSL parameters are set to the default, and you can modify at a later time, depending on your needs.
---
## SSL Support
Listen 4446
#4446 is the SSL port number.
## ...
## Further down in file:
<VirtualHost _default_:4446>
---
For the purposes of a basic SSL configuration, you should only need to change the following directives:
SSLWallet
SSLWalletPassword

3. Change the SSLWallet directive to the path where you saved your wallet, i.e: SSLWallet file:/tmp/wallet
- If you did not select AutoLogin, then you need to change the SSLWalletPassword to your clear text Wallet password by adding the following into your ssl.conf
SSLWalletPassword <yourPassword>
- If you wish to encrypt the SSLWalletPassword refer to the following:
[NOTE:184677.1] - How to Use IASOBF to Encrypt a Wallet Password Within 9iAS Release 2.
- Save the configuration
- Run dcmctl updateconfig -ct ohs if you did not use EM Application Server Control and used a text editor to update the file.

STEP III: Modifying opmn.xml to allow OHS with SSL
=========================================================================
By default, SSL is turned off in HTTP Server for Oracle Application Server 10G. In order for SSL to work you must update the opmn.xml file to re-enable SSL.

1. Do NOT hand edit this file without reading the precautions in the 10G documentation. You should use the Enterprise Manager (EM) Application Server Control to modify this file: Farm > Application Server: sid.host.domain > Process Management.

2. Edit the ORACLE_HOME/opmn/conf/opmn.xml and change ssl-disabled to ssl-enabled,
e.g:
<ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-enabled"/>
      </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
</ias-component>

3. Save the changes

4. Run dcmctl updateconfig -ct opmn if you did not use EM Application Server Control and used a text editor to update the file.

5. Run opmnctl reload

6. Restart the Oracle HTTP Server

7. Test a URL to Oracle HTTP Server in SSL mode: https://<host.domain>:<port>
Note : After the restart of the Oracle HTTP Server, if you can’t access the site in SSL mode, restart the entire opmn process by issuing:

opmnctl stopall
opmnctl startall

Then retry.

For Forms, you must change the JPI download page to use https instead of http in the $ORACLE_HOME/forms/server/formsweb.cfg file, otherwise you’ll get a “Page contains both secure and non-secure items” warning.
mseberg
There are additional notes here :

Note: 228638.1 - How to configure SSL Communication between SSO Server and OiD in 9iAS Release 2


If the above does not help, then please review the following:

Note: 300723.1 - OWM Import User Certificate Key Error

OR

http://www.entrust.net/knowledge-base/technote.cfm?tn=6220

mseberg
fabian
hi Manikandan,

The installation consists of three main parts:

a) Importing the Primary Root CA
b) Import the Intermediate Certificate and Cross Certificate
c) Installing your SSL123 certificate

a) Importing the Primary Root CA

1. Launch Oracle Wallet Manager.
2. Click Operations and select Import Trust Certificates from the menu
3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of Primary Root CA text into the box and click OK.
5. A message should appear that the import was successful and you will see the Root Certificate at the bottom of the Trusted Certificates tree.

b) Importing the Intermediate and Cross certificates

1. Launch the Oracle Wallet Manager.
2. Click Operations > Import Trust Certificates from the menu.
3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of the Intermediate Certificate text into the box and click OK.
5. A message should appear that the import was successful and you will see the Intermediate Certificate at the bottom of the Trusted Certificates tree.
6. Repeat the same steps for the Cross certificate

c) Importing your SSL123 certificate

1. Click Operations > Import User Certificate from the menu bar.
2. The Import Certificate dialog appears.
3. Select the Paste the Certificate radio button, and click OK.
4. The Import Certificate dialog appears.
5. Paste the entire contents of your SSL123 Certificate file and click OK.
6. A message should show that the certificate was imported successfully.
7. When you return to the main window, wallet status should show "Ready."

The below link will also throw some light

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO5294

For this error *"certificate import has failed because the ca certificate does not exist"* hope the below link will help ya

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO5535

Regards
Fabian
858986
Hi mseberg,

Thanks for your valuable information and the steps...
But I am still not able to import the user certificate. It keeps giving the error *"User certificate import failed because the CA certificate does not exist, Do you want to import CA certificate now?"*. I tried the below steps:

Downloaded the root CA from Verisign for Secure Site, imported it into IE and exported it in X.509 format. Then I copied it to the server and tried to import the rootCA. No luck.

Instead of the root CA, I tried the same with the Primary and Secondary Intermediate CA... But same error....

I am not getting where the issue is. With OWM or the certificates? Do I have any other option (openSSL etc.)? I don't know whether at this stage I can use openSSL or any other tools.

But I tried with the default wallet.. it's working fine....

Note: --- Oracle's PKI team has sent only one certificate (user certificate).

Please let me know any suggestion on this...

Thanks,
Manikandan

Edited by: user13319360 on May 25, 2011 4:26 AM
fabian
Hi Manikandan,

As mseberg has specified in metalink 300723.1 - OWM Import User Certificate Key Error,
it states
Cause

The Root CA is missing. Wallet Manager is giving the end user an opportunity to import missing Root CA for the issuer of the user certificate being imported.

Fix

1. Determine who the issuer is for the user certificate.

2. Get the Root CA for that issuer.

3. Import the Root CA while importing the user certificate. It will be the second requested file during the user import process.

So try getting the root CA from Verisign again, and then give it a try

Regards
Fabian
858986
Hi Fabian,

The Oracle (not Verisign's) Doc says:

The trust chain for your newly issued SSL certificate (a.k.a. leaf certificate or end entity certificate) is as follows (top to bottom, root to leaf):

1. VeriSign Class 3 Public Primary Certification Authority - G3

Available for download from VeriSign/Symantec (listed as Root 4, but please doublecheck the DN)

2. Oracle SSL CA

3. End entity SSL certificate (your newly issued certificate)

Note: VeriSign's public primary root CA certificate (1) can be expected to be pre-installed in reasonably recent versions of server software. If it isn't, it should be manually installed as a trusted CA certificate prior to installing the other two certificates in the chain. After that is done, one should install the certificate of the issuing SSL CA (2). You might have already received the two CA certificates from Oracle's GIT PKI team.

I went to the particular link and downloaded the respective rootCA (VeriSign Class 3 Public Primary Certification Authority - G3). Tried this so many times..

Am I missing something?

Thanks,
Manikandan
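
Added example, not part of the thread and not Oracle's procedure: the checks fabian lists (who issued the user certificate, and is that CA's certificate on hand) and the DER-versus-Base64 point from mseberg's notes, run with the `openssl` CLI against a constructed root -> issuing CA -> server chain. All subject names and file names are made up, `openssl` is assumed to be on the PATH, and the script does not model what OWM does internally.

```shell
#!/usr/bin/env bash
# Added example. Every subject name and file here is constructed for the demo.
set -eu
D=$(mktemp -d) && cd "$D"

# Local config so the CA certificates carry basicConstraints CA:TRUE no matter
# what the system-wide openssl.cnf contains.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_chain: throwaway root CA -> issuing CA -> server (user) certificate.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem -days 2 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Constructed Issuing CA" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out int.pem -days 2 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=host.domain" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out server.crt -days 2 2>/dev/null
}

# encoding_of FILE: print PEM if the file has a base64 certificate header, else DER.
encoding_of() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# to_pem IN OUT: write the certificate as base64 (PEM) whichever way it arrived.
to_pem() { openssl x509 -in "$1" -inform "$(encoding_of "$1")" -out "$2"; }

# issued_by CHILD PARENT: true when CHILD's issuer name is PARENT's subject name.
issued_by() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# chain_ok LEAF ROOT [INTERMEDIATE]: verify LEAF against ROOT as the trust
# anchor, optionally supplying the issuing CA certificate.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

make_chain
openssl x509 -in root.pem -outform DER -out root.der   # root delivered DER-encoded
echo "root.der is $(encoding_of root.der)"
to_pem root.der root_b64.crt
openssl x509 -in server.crt -noout -issuer -subject
issued_by server.crt root_b64.crt || echo "root is not the direct issuer of server.crt"
issued_by server.crt int.pem && echo "int.pem is the issuing CA of server.crt"
chain_ok server.crt root_b64.crt || echo "verify fails with the root alone"
chain_ok server.crt root_b64.crt int.pem && echo "verify passes with root + issuing CA"
```

On real files, run `issued_by` and `openssl x509 -noout -issuer -subject` on each certificate received to see which CA certificate each level of the chain needs.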

Post Details

Locked on Jun 22 2011
Added on May 24 2011