How to Use/Convert an ODSEE CA-Signed Certificate Chain to Use in an OUD PKCS12 Keystore (Doc ID 2657916.1)

Last updated on JULY 10, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.3.0 and later
Oracle Directory Server Enterprise Edition - Version 11.1.1.7.190716 and later
Information in this document applies to any platform.

Goal

By default, OUD uses Java Keystores/Truststores.

When using keytool -list this Warning is given -

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore <KEYSTORE> -destkeystore <KEYSTORE> -deststoretype pkcs12".

This document shows how to use / convert an ODSEE CA-signed certificate chain to use in an OUD PKCS12 keystore

Create the ODSEE certificate chain which consists of a -
- CA-signed server cert
- CA cert
Verify that ldapsearch is successful using the ODSEE cert DB (which contains the certificate chain)
Using pk12util, create the PKCS12 file using the ODSEE cert DB
Create a new OUD instance and configure the OUD LDAPS Connection Handler to use the PKCS12 Key Manager Provider with the PKCS12 file
Verify that ldapsearch is successful using the PKCS12 file
Configure the OUD Administration Connector to use the same PKCS12 file
Test the OUD Administration Connector using ldapsearch and dsconfig

Solution

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

Create the ODSEE certificate chain

- Create a new certificate DB for the ODSEE CA cert

- Create the CA cert

- Create a server certificate request

- Sign the certificate request using the CA cert created

- Export the CA cert to a pem file

- Add server cert and CA cert to ODSEE cert db

- List certs and their Certificate Nicknames (aliases) in the ODSEE certificate DB

- Check that the new server cert alias is configured

Verify that ldapsearch is successful against ODSEE

Using pk12util Create the PKCS12 file

- Error when running pk12util - "find user certs from nickname failed: SEC_ERROR_BAD_DATABASE: security library: bad database."

- Modify pk12util command to specify the ODSEE cert DB directory pre-pended with "sql:"; Output to PKCS12 file (serverCert.p12)

- List certs in PKCS12 file (serverCert.p12) which contains one certificate

- List in verbose mode with keytool (-v switch) which shows two certs associated with one alias

Create a new OUD instance

- Create OUD instance using the oud-setup command specifying the usePkcs12keyStore and keyStorePasswordFile options

Test PKCS12 file using ldapsearch

- Error without specifying the trustStorePassword

- Successful when specifying trustStorePassword (using backticks around the cat command)

Using the PKCS12 keystore for the LDAP Administration Connector

LDAP Administration Connector Configuration

Testing PKCS12 file with ldapsearch / dsconfig Commands

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.