Converting SSL certificate generated by a 3rd party to an Oracle Wallet


Recently a customer asked me how to import his private key and certificate into an Oracle HTTP Server Wallet.

The customer generated a CSR outside the OHS Wallet Manager, using OpenSSL, and sent it to a CA to get his certificates issued by them.

Unfortunately, the Wallet Manager only allows you to import certificates which were created for a CSR generated by the Wallet itself.

Despite this minor limitation, there is a workaround to get your private key, certificate and CA trusted certificates chain into Oracle Wallet.

This post explains the simple steps to achieve this, with a little help from OpenSSL.

Main Article

What you will need:

  • openssl installed on a machine
  • The server’s certificate (PEM format)
  • The server’s encrypted private key and its password
  • The CA root and intermediate certificates (these must be concatenated into a single file, also in PEM format)

On a server with openssl installed, issue the following command:

openssl pkcs12 -export -in certfile -inkey keyfile -certfile cacertfile -out ewallet.p12


certfile: is the server’s certificate
keyfile: is the server’s private key
cacertfile: is the CA’s concatenated root and intermediate certificates.

Note that the resulting file must be named ewallet.p12 in order to be recognized by Oracle Wallet Manager.

Enter the private key’s passphrase when prompted for it.

Enter an export password when prompted for it. You MUST supply a non-blank password. You will need to type it again as verification.

Upload the ewallet.p12 file to the Oracle Application Server. Move it to where the OHS can access it.

Start the Oracle Wallet Manager application.

Under the Wallet menu, click Open.

You will likely receive an error message about the default wallet directory not existing, and asking you if you want to continue. Click Yes.


You will be asked to select the directory where the wallet file is located. Find the directory where you moved the file ewallet.p12 to.

You will be asked for the wallet password. Enter the export password you entered when converting the certificate.

The wallet should open, and the certificate may be displayed as “empty” – don’t worry about that right now. You should also see the CA certificate under “Trusted Certificates”.


Under the Wallet menu, select “Auto Login”. Verify that it was selected by viewing the Wallet menu again; the Auto Login box should now have a check mark.


Under the Wallet menu, select “Exit” to quit the Oracle Wallet Manager application.

Now you should have 2 files in the directory: ewallet.p12 and cwallet.sso. Both files must be kept together in the same directory so the OHS can access the wallet.

Shut down OHS.

Modify your OHS ssl.conf (default location should look something like /home/oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1/ssl.conf) so the directive SSLWallet points to the directory where you saved both files, for example:

SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"

Start OHS and access its HTTPS home page. Inspect the certificate presented by the browser and you should see your new certificate and the CA chain.
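
Checks worth running around the openssl pkcs12 step of this procedure, as an added example that is not part of the original post: it confirms the private key belongs to the certificate and that the certificate chains to the concatenated CA file before writing ewallet.p12, then counts the certificates in the result. The function names, the passwords and the throwaway PKI built by make_demo_pki are constructed for illustration.

```shell
#!/bin/sh
# Added example. Passwords, subjects and the demo PKI are constructed values.
# "pass:" exposes the password in the process list; for real keys use
# OpenSSL's env: or file: password sources instead.

# key_matches_cert CERT KEY KEYPASS -> 0 if both carry the same public key
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies CERT CAFILE -> 0 if CERT chains to the concatenated CA file
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_wallet CERT KEY KEYPASS CAFILE OUTDIR EXPORTPASS
build_wallet() {
    [ -n "$6" ] || { echo "export password must be non-blank" >&2; return 2; }
    key_matches_cert "$1" "$2" "$3" || { echo "key/cert mismatch" >&2; return 3; }
    chain_verifies "$1" "$4" || { echo "chain does not verify" >&2; return 4; }
    # The bundle holds the private key: create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
          -certfile "$4" -out "$5/ewallet.p12" -passout "pass:$6" )
}

# wallet_cert_count P12 EXPORTPASS -> prints how many certificates it holds
wallet_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# make_demo_pki DIR -> throwaway CA, encrypted server key and server cert
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/cacertfile" -subj "/CN=Demo CA" -days 2 2>/dev/null
    openssl genrsa -aes256 -passout pass:keypass -out "$1/keyfile" 2048 2>/dev/null
    openssl req -new -key "$1/keyfile" -passin pass:keypass \
        -subj "/CN=ohs.example.test" -out "$1/csr" 2>/dev/null
    openssl x509 -req -in "$1/csr" -CA "$1/cacertfile" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/certfile" 2>/dev/null
}
```

With real files, call build_wallet with certfile, keyfile, the key passphrase, cacertfile, the output directory and the export password; a count of 2 from wallet_cert_count on the demo PKI means the server certificate and the one CA certificate are both in the bundle.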



  1. I tried this and got the bad password error…The following resolved it

    You can extract the private key from your current wallet easily

    openssl pkcs12 -in /home/oracle/wallet/ewallet.p12 -nocerts -out private_key.pem

  2. tharvey says:

    not quite…when I select the folder where I placed the wallet, I get an enter password box. After entering the password I get a ‘bad password’ box. Yeah, I went back to the RHEL5-openssl-created files, cert, et al. and recreated the wallet being ‘extra careful’ with the process. Still broke…

  3. This is a very helpful article.
    However, when I try to open the wallet with OWM (step 10), I get the error “The password is incorrect”.
    I have tried re-creating the ewallet.p12 file with different passwords, I have verified the password works with orapki.
    OWM just will not take the export password.
    Any suggestions? Thank you.

  4. Christian Gramsch says:


    thanks for this article, it helped me get my certificate and keyfile into an Oracle Wallet.

    However, after configuring the webserver to use it, startup fails:

    “Cannot open an encrypted wallet file:/path/to/keystores/default while process is managed by OPMN. Enable it as SSO wallet”

    I have double-checked that Auto-Login is enabled, it is. Also orapki prompts for a password. It seems that the setting is ignored.

    Does anyone have an idea what I could be doing wrong?

    • Christian Gramsch says:

      Issue solved, I think Oracle Wallet Manager did it wrong 🙂

      I just opened it again, created a certificate signing request, saved the wallet, and auto-login works. I then deleted the csr, saved the wallet again, and Auto-Login was still working and cwallet.sso usable by webserver.
