My Oracle Support Banner

How to Use/Convert an ODSEE CA-Signed Certificate Chain to Use in an OUD PKCS12 Keystore (Doc ID 2657916.1)

Last updated on FEBRUARY 07, 2022

Applies to:

Oracle Unified Directory - Version and later
Oracle Directory Server Enterprise Edition - Version and later
Information in this document applies to any platform.


By default, OUD uses Java Keystores/Truststores.

When using keytool -list this Warning is given -

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore <KEYSTORE> -destkeystore <KEYSTORE> -deststoretype pkcs12".

 This document shows how to use / convert an ODSEE CA-signed certificate chain to use in an OUD PKCS12 keystore


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Create the ODSEE certificate chain
 - Create a new certificate DB for the ODSEE CA cert
 - Create the CA cert
 - Create a server certificate request
 - Sign the certificate request using the CA cert created
 - Export the CA cert to a pem file
 - Add server cert and CA cert to ODSEE cert db
 - List certs and their Certificate Nicknames (aliases) in the ODSEE certificate DB
 - Check that the new server cert alias is configured
 Verify that ldapsearch is successful against ODSEE
 Using pk12util Create the PKCS12 file
 - Error when running pk12util - "find user certs from nickname failed: SEC_ERROR_BAD_DATABASE: security library: bad database."
 - Modify pk12util command to specify the ODSEE cert DB directory pre-pended with "sql:"; Output to PKCS12 file (serverCert.p12)
 - List certs in PKCS12 file (serverCert.p12) which contains one certificate
 - List in verbose mode with keytool (-v switch) which shows two certs associated with one alias
 Create a new OUD instance
 - Create OUD instance using the oud-setup command specifying the usePkcs12keyStore and keyStorePasswordFile options
 Test PKCS12 file using ldapsearch
 - Error without specifying the trustStorePassword
 - Successful when specifying trustStorePassword (using backticks around the cat command)
Using the PKCS12 keystore for the LDAP Administration Connector
 LDAP Administration Connector Configuration
 Testing PKCS12 file with ldapsearch / dsconfig Commands

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.