Import a pfx file in Oracle Wallet

Certificate saved as pfx file

A pfx file is a type of zip file: a pfx file can contain more than one certificate with a relationship. In a pfx file it is listed which certificate you will be using, plus any possible intermediate certificates. In addition, it can contain the private key that belongs with the certificate. To prevent that the contents of the pfx file fall too easily in the wrong hands it can also be secured with a password.

An individual certificate can also be saved as file with the extension “crt” or “cert”. A certificate that is saved as file with the extension “der” contains the same information as a file with the extension “crt”, but then in binary format. As you can see a file with the extension “pfx” has many more possibilites than a file with the extension “crt”.

Oracle Wallet and Oracle PL/SQL

Oracle, as a company, has a years-long tradition not to surrender to the whims of operating system suppliers. That is why programming of Oracle usually works with an abstraction of the concepts that are used in an operating system. Think for example of a “tablespace” as alternative to a “disk” and Oracle Net as network protocol-independent alternative for for example IP or DECnet (click on “like” if you still remember DECnet). Oracle Wallet is the operating system-independent alternative of Oracle for the storage of certificates.

Oracle Wallet is used by the Invantive products Invantive Estate and Invative Vision. In addition to these company solutions for the management of projects the technology-products of Invantive can also work with Oracle Wallet. The Invantive products use Oracle Wallet to request certificates if they make contact with a website or webservice using https. A configuration file with the name “ewallet.p12” is used by Oracle Wallet to save the certificates in. The Oracle Wallet file “ewallet.p12” can be secured with a password. The Oracle Wallet configuration is opened and used from Oracle PL/SQL. If the certificate is not correct, then you will receive a “ORA-29024” error.

Steps for the reading of a pfx file in Oracle Wallet

Many companies that issue certificates use a *.pfx file for this purpose. It is very easy to for example set Microsoft IIS and Apache Tomcat so that they work with a pfx file. This is logical; after all, there can also be a private key in the pfx file so that you can use it to encrypt data for sending and decrypt after receiving by a browser such as Google Chrome. However, you can not import pfx files with Oracle Wallet. Logical again; after all it is only used to make the certificates known for the client in the form of Oracle PL/SQL code.

And yes, the processing of a certificate in Oracle Wallet turns out to take some adjustment if this file is in pfx format. There is not a lot to be found about it on the internet. Sometimes you can find an explanation if you search for the error code “ORA-29024”. Oracle Wallet is rarely needed by the average Oracle administrator. For the purpose of reading a pfx file in an Oracle Wallet configuration, here is the phased plan for Microsoft Windows:

  • Start the Microsoft Management Console (mmc):
  • Add the possibility to edit Certificates by first going to the “File” menu and then choosing “Add/remove snap-in”.
  • Choose “Computer Account”.
  • Choose “Local”.
  • Close the window to add snap-ins.
  • Go to the added snap-in “Certificates”.
  • Read the pfx file if you haven’t done this already to execute the Invantive Webservice through https.
  • Right click on the personal certificate which you want to transfer to Oracle Wallet.
  • Choose for “All tasks” and then “Export”.
  • Choose “Next”.
  • Choose “No, do not export the private key” and “Next”.
  • Choose “DER encoded binary” and “Next”.
  • Indicate a file name for the file where the certificate is supposed to be in. And choose “Next”.
  • Check the summary.
  • Choose “Finish”.

Thanks to the possibilities of Windows you have the certificate that you wish to retrieve from the pfx file and have transferred it to a file with the extension “der”. However, you aren’t there yet. The certificates of the most providers of certificates are not standard available in Oracle Wallet. That is why you also need to read the certificates that are in between your own certificate and the certificates already known in Oracle Wallet. Do this as follows:

  • Right click on the certificate that you have just exported.
  • Choose “Open”.
  • Choose the tab “Certification Path”.
  • Repeat the next steps for each certificate above your own certificate:
  • Click on intermediate certificate.
  • Click on “View Certificate”.
  • Click on tab “Details”.
  • Click on the button “Copy to File…”.
  • Run through the wizard again and save this certificate as der-file.

Next we will add the certificates to the Oracle Wallet configuration file:

  • Start Oracle Wallet Manager through the start menu to read the certificates as der-files.
  • We usually place a configuration file in a folder with the name “pfile” outside the Oracle software tree, for example “i:\pfile”. This is the same folder as indicated in the profile options bubs-auth-http-beurs-locatie and bubs-auth-ldap-beurs-locatie of the company solutions of Invantive. Enter the password of the Oracle Wallet configuration file “ewallet.p12”. This is the same password as you have listed with the company solutions of Invantive at the profile options bubs-auth-http-beurs-wachtwoord and bubs-auth-ldap-beurs-wachtwoord.
  • Repeat the next steps for every der-file that you have made.
  • Right click on “Trusted Certificates”.
  • Choose “Import Trusted Certificate…”.
  • Choose “Select a file that contains the certificate” and then “OK”.
  • Choose the file that contains the certificate in DER-file.
  • The pfx certificate is now in Oracle Wallet.
  • Choose “Wallet” in the menu and then “Save” to save the configuration file with the certificate from the pfx file.
  • Close Oracle Wallet.
  • Test the operation from Oracle PL/SQL.

If you have installed the certificate properly, then you will no longer get the ORA-29024 error. If you get a “ORA-28759” instead (opening file failed), then you have run into a remarkable property of Oracle Wallet: Oracle Wallet automatically adepts the rights on the ewallet.p12 configuration file if you save it. All rights are removed and only the current user will have access. To solve the “ORA-28759” you open the folder in which ewallet.p12 is located using Windows Explorer. Then choose “Properties”, “Security”, “Advanced” and choose to take over the transferable securities of the folder (checkbox below).