Unable to remove Trust Certificate chain
It's been long time posting blogs
Using this note you can accomplish many things
1) Remove any trusted cert's from Oracle Wallet/Keystore
2) Remove a certificate chain from UserCertificate
3) Display/List the certificates in wallet/keystore
4) Add certificates to wallet/keystore
5) Convert JKS to Wallet
6) Convert Wallet to JKS
7) orapki commands
8) keytool commands
Ref:
Followed Oracle Notes Doc ID -- Note 2275107.1, 2405429.1, ChainCert
One of my trusted cert (intermediate) in the chain has expired. Following is the process I used to resolve the issue.
1)
Opened Oracle Wallet, tried deleting by right clicking on the certificate "Trusted certificate in use, deletion failed" Note 2275107.1
*** After creating the note, I came to know another way is to remove the Original Certificate, and then all the trusted certificates, add the trusted certs back and then Original certificate.
2)
Tried deleting from command line
orapki wallet remove - wallet <location> -trusted_cert -dn 'CN=inter2' -pwd password
PKI-04015: Trusted cert cannon be removed
3) Convert Wallet to JKS
a) To Display what all the certificates in wallet
$ orapki wallet display -wallet <wallet_location>
b) Convert the wallet to JKS
orapki wallet pkcs12_to_jks -wallet <wallet_location> -pwd wallet_pwd -jksKeyStoreloc <path>/ewallet.jks -storepass <passwd>
c) Find the Alias of the TrustCert using keytool:
keytool -list -v -keystore <path_to_keystore_file>/ewallet.jks
Alias name: <alias_name>
d) Remove trusted certificate using the alias_name found above.
keytool -delete -alias 'alias_name' -keystore <path_to_keystore_file>/ewallet.jks
e) Run the keytool list command to confirm that the alias_name for the Trusted Certificate is gone.
keytool -list -v -keystore <path_to_keystore_file>/ewallet.jks
4) I Still saw the CertificateChain has the expired entries, googled and found a note
a) First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12
b) Next, export a PEM file with key and certs from the PKCS12 file:
openssl pkcs12 -in old.p12 -out pemfile.pem -nodes
c) Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "newcert", at this point
openssl pkcs12 -export -in pemfile.pem -name newcert -out new.p12
d) Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
5) Now convert back the JKS to Oracle Wallet
a) Create an empty wallet. This will create a Password Protected Wallet (ie. ewallet.p12 and cwallet.sso)
$MW_HOME/oracle_common/bin/orapki wallet create -wallet <wallet_location> -auto_login
b) Display the wallet contents
orapki wallet display -wallet <wallet_location>
c) Delete any trusted cert (if needed)
orapki wallet remove -wallet <wallet_location> -trusted_cert_all -pwd <wallet_pwd>
d) Convert JKS to a new Oracle Wallet
orapki wallet jks_to_pkcs12 -wallet <wallet_location> -pwd <wallet_pwd> -keystore <path_to_keystore_file>/ewallet.jks -jkspwd jks_pwd
6) To Add a trusted Cert to JKS or Wallet
orapki wallet add -wallet <location> -trusted_cert -cert newTrust.cer
keytool -import -file newTrust.cer -trustcacerts -alias newTrust -keystore ewallet.jks
Using this note you can accomplish many things
1) Remove any trusted cert's from Oracle Wallet/Keystore
2) Remove a certificate chain from UserCertificate
3) Display/List the certificates in wallet/keystore
4) Add certificates to wallet/keystore
5) Convert JKS to Wallet
6) Convert Wallet to JKS
7) orapki commands
8) keytool commands
Ref:
Followed Oracle Notes Doc ID -- Note 2275107.1, 2405429.1, ChainCert
One of my trusted cert (intermediate) in the chain has expired. Following is the process I used to resolve the issue.
1)
Opened Oracle Wallet, tried deleting by right clicking on the certificate "Trusted certificate in use, deletion failed" Note 2275107.1
*** After creating the note, I came to know another way is to remove the Original Certificate, and then all the trusted certificates, add the trusted certs back and then Original certificate.
2)
Tried deleting from command line
orapki wallet remove - wallet <location> -trusted_cert -dn 'CN=inter2' -pwd password
PKI-04015: Trusted cert cannon be removed
3) Convert Wallet to JKS
a) To Display what all the certificates in wallet
$ orapki wallet display -wallet <wallet_location>
b) Convert the wallet to JKS
orapki wallet pkcs12_to_jks -wallet <wallet_location> -pwd wallet_pwd -jksKeyStoreloc <path>/ewallet.jks -storepass <passwd>
c) Find the Alias of the TrustCert using keytool:
keytool -list -v -keystore <path_to_keystore_file>/ewallet.jks
Alias name: <alias_name>
d) Remove trusted certificate using the alias_name found above.
keytool -delete -alias 'alias_name' -keystore <path_to_keystore_file>/ewallet.jks
e) Run the keytool list command to confirm that the alias_name for the Trusted Certificate is gone.
keytool -list -v -keystore <path_to_keystore_file>/ewallet.jks
4) I Still saw the CertificateChain has the expired entries, googled and found a note
a) First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12
b) Next, export a PEM file with key and certs from the PKCS12 file:
openssl pkcs12 -in old.p12 -out pemfile.pem -nodes
c) Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "newcert", at this point
openssl pkcs12 -export -in pemfile.pem -name newcert -out new.p12
d) Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
5) Now convert back the JKS to Oracle Wallet
a) Create an empty wallet. This will create a Password Protected Wallet (ie. ewallet.p12 and cwallet.sso)
$MW_HOME/oracle_common/bin/orapki wallet create -wallet <wallet_location> -auto_login
b) Display the wallet contents
orapki wallet display -wallet <wallet_location>
c) Delete any trusted cert (if needed)
orapki wallet remove -wallet <wallet_location> -trusted_cert_all -pwd <wallet_pwd>
d) Convert JKS to a new Oracle Wallet
orapki wallet jks_to_pkcs12 -wallet <wallet_location> -pwd <wallet_pwd> -keystore <path_to_keystore_file>/ewallet.jks -jkspwd jks_pwd
6) To Add a trusted Cert to JKS or Wallet
orapki wallet add -wallet <location> -trusted_cert -cert newTrust.cer
keytool -import -file newTrust.cer -trustcacerts -alias newTrust -keystore ewallet.jks