Getting No self-signed cert in chain error while using orapki wallet jks_to_pkcs12 -wallet

Question

I got the CA signed certificates and tried to import into the Oracle Wallet Manager for OHS SSL. Private Key and certificate request is generated using open ssl and so we have to create the pkcs12 cert first using the below -

openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

After that i converted this to JKS using below -

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

and then imported the Intermediate certs in the JKS. After that when i am trying to convert jks to pkcs12 again using -

mw_home\oracle_common\bin\orapki wallet jks_to_pkcs12 -wallet ./ -pwd "mypassword" -keystore ./mykeystore.jks -jkspwd "mypassword"

I am getting the error - Exception : java.io.IOException: No self-signed cert in chain .

We are not using any self-signed certificate so wondering from where we are getting this issue.

I tried using the p12 keystore that i created in the very first step but there is no certificate request or certificates getting displayed in Oracle Wallet.

Please suggest what is wrong I am doing or is there any best way to import certificates in Oracle Wallet.

Answer 1

why did you use keytool to import intermediate certifcates and not orapki?

orapki wallet add -wallet -cert trustedcerts.crt -trusted_cert

Answer 2

You don't need to bother creating a JKS file. Oracle wallets are valid PKCS12 files. Just create a PEM file with full certificate chain (your private key, your cert, and the full certificate chain in a single file), then run

openssl pkcs12 -export -in certchain.pem -out ewallet.p12

The name 'ewallet.p12' is important. That is Oracle's requirement. Put this file in your wallet directory, then run

orapki wallet create -wallet . -pwd your_pass -auto_login

to create the cwallet.sso file.