Import a pfx file in Oracle Wallet

Certificate saved as pfx file

A pfx file is a type of container file, much like a zip file: it can hold more than one certificate, together with the relationship between them. The pfx file lists which certificate you will be using, plus any intermediate certificates. In addition, it can contain the private key that belongs to the certificate. To keep the contents of the pfx file from falling into the wrong hands too easily, it can also be secured with a password.

An individual certificate can also be saved as a file with the extension “crt” or “cert”. A certificate that is saved as a file with the extension “der” contains the same information as a file with the extension “crt”, but in binary format. As you can see, a file with the extension “pfx” has many more possibilities than a file with the extension “crt”.

Oracle Wallet and Oracle PL/SQL

Oracle, as a company, has a years-long tradition of not surrendering to the whims of operating system suppliers. That is why programming for Oracle usually works with an abstraction of the concepts that are used in an operating system. Think, for example, of a “tablespace” as an alternative to a “disk”, and of Oracle Net as a network protocol-independent alternative to, for example, IP or DECnet (click on “like” if you still remember DECnet). Oracle Wallet is Oracle's operating system-independent alternative for the storage of trusted certificates.

Oracle Wallet is used by the Invantive products Invantive Estate and Invantive Vision. In addition to these company solutions for the management of projects, the technology products of Invantive can also work with Oracle Wallet. The Invantive products use Oracle Wallet to look up certificates when they contact a website or web service using https. Oracle Wallet saves the certificates in a configuration file with the name “ewallet.p12”. The Oracle Wallet file “ewallet.p12” can be secured with a password. The Oracle Wallet configuration is opened and used from Oracle PL/SQL. If the certificate is not correct, you will receive an “ORA-29024” error.

Steps for loading a pfx certificate file in Oracle Wallet

Many companies that issue certificates use a *.pfx file for this purpose. It is, for example, very easy to configure Microsoft IIS and Apache Tomcat such that they work with a pfx file containing the private key and public key of a certificate, plus all certificates along the path. This is logical; after all, there can also be a private key in the pfx file so that you can use it to encrypt data for sending, and decrypt after receiving by a browser such as Google Chrome. However, you cannot import pfx files with Oracle Wallet. Logical again; after all, it is only used to make the certificates known to the client in the form of Oracle PL/SQL code.

And yes, the processing of a certificate in Oracle Wallet turns out to take some adjustment if this file is in pfx format. There is not a lot to be found about it on the internet. Sometimes you can find an explanation if you search for the error code “ORA-29024”. Oracle Wallet is rarely needed by the average Oracle administrator.

Store certificate as PFX file

Execute the following steps to store the certificate as a pfx file for later loading into the Oracle Wallet:

  • Start the Microsoft Management Console (mmc).
  • Add the possibility to edit Certificates by first going to the “File” menu and then choosing “Add/remove snap-in”.
  • Choose “Computer Account”.
  • Choose “Local”.
  • Close the window to add snap-ins.
  • Go to the newly added snap-in “Certificates”.
  • Right click on the trusted certificate which you want to transfer to Oracle Wallet.
  • Choose “All tasks” and then “Export”.
  • Choose “Next”.
  • Choose “No, do not export the private key” and “Next”.
  • Choose “DER encoded binary” and “Next”.
  • Enter a name for the file in which the certificate is to be stored and choose “Next”.
  • Check the summary.
  • Choose “Finish”.

Thanks to the possibilities of Windows, you now have the certificate that you wished to retrieve from the pfx file in a file with the extension “der”. However, you aren’t there yet. The certificates of most certificate providers are not available by default in Oracle Wallet. That is why you also need to export the certificates that sit between your own certificate and the certificates already known in Oracle Wallet. Do this as follows:

  • Right click on the certificate that you have just exported.
  • Choose “Open”.
  • Choose the tab “Certification Path”.
  • Repeat the next steps for each certificate above your own certificate:
    • Click on the intermediate certificate.
    • Click on “View Certificate”.
    • Click on the tab “Details”.
    • Click on the button “Copy to File…”.
    • Run through the wizard again and save this certificate as a der-file.

Import Certificates into the Oracle Wallet

Next we will add the certificates to the Oracle Wallet configuration file:

  • Start Oracle Wallet Manager through the start menu to read the certificates as der-files.
  • We usually place a configuration file in a folder with the name “pfile” outside the Oracle software tree, for example “i:\pfile”. This is the same folder as indicated in the profile options bubs-auth-http-beurs-locatie and bubs-auth-ldap-beurs-locatie of the company solutions of Invantive. Enter the password of the Oracle Wallet configuration file “ewallet.p12”. This is the same password as you have listed with the company solutions of Invantive at the profile options bubs-auth-http-beurs-wachtwoord and bubs-auth-ldap-beurs-wachtwoord.
  • Repeat the next steps for every der-file that you have made:
    • Right click on “Trusted Certificates”.
    • Choose “Import Trusted Certificate…”.
    • Choose “Select a file that contains the certificate” and then “OK”.
    • Choose the DER file that contains the certificate.
  • The pfx certificate is now in Oracle Wallet.
  • Choose “Wallet” in the menu and then “Save” to save the configuration file with the certificate from the pfx file.
  • Close Oracle Wallet.
  • Test an operation from Oracle PL/SQL requiring the trusted certificate to be present in the wallet.

If you have installed the certificate properly, then you will no longer get the ORA-29024 error.
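
The export and import steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it builds the certification path, writes every certificate in it as a DER file without the private key, and adds the files to the wallet with Oracle's orapki command-line tool instead of Oracle Wallet Manager. The thumbprint placeholder, the certificate store and the export folder are assumptions; “i:\pfile” is the example wallet folder from the text.

```powershell
# Added example, not from the original article. Placeholders and assumed names are marked.
$thumbprint = '<THUMBPRINT-OF-YOUR-CERTIFICATE>'   # placeholder: copy it from the "Details" tab
$storePath  = 'Cert:\LocalMachine\My'              # assumption: store that holds the certificate
$outDir     = 'C:\temp\wallet-der'                 # hypothetical export folder
$walletDir  = 'i:\pfile'                           # wallet folder used as example in the text

$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in $storePath" }

# Build the certification path (what the "Certification Path" tab shows).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'The chain does not validate on this machine; fix that before trusting it in the wallet.'
}

# Export every element (own certificate first, root last) as DER.
# X509ContentType.Cert holds the public certificate only, never the private key.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$derType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$derFiles = @()
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $c    = $chain.ChainElements[$i].Certificate
    $file = Join-Path $outDir ('{0:d2}-{1}.der' -f $i, $c.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $c.Export($derType))
    Write-Host ('{0}  subject: {1}  issuer: {2}' -f $file, $c.Subject, $c.Issuer)
    $derFiles += $file
}

# Add each DER file as a trusted certificate. -pwd is left out so that orapki
# prompts for the wallet password instead of it ending up in the command history.
foreach ($file in $derFiles) {
    & orapki wallet add -wallet $walletDir -trusted_cert -cert $file
}

# List the wallet contents to confirm that every subject printed above is present.
& orapki wallet display -wallet $walletDir
```

Compare the subjects and issuers printed during the export with what you expect from your certificate provider before importing; everything added here becomes a trust anchor for the PL/SQL code that uses the wallet.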

ORA-28759

If you get an “ORA-28759” instead:

ORA-28759: opening file failed

then you have run into a remarkable property of Oracle Wallet: Oracle Wallet automatically changes the permissions on the ewallet.p12 configuration file when you save it. All permissions are removed and only the current user has access.

Execute the following steps to solve the “ORA-28759” error:

  • Open the folder in which the ewallet.p12 file is located using Windows Explorer.
  • Then choose “Properties”, “Security” and “Advanced”.
  • Finally choose to inherit the privileges from the folder.
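
The same fix from the command line, as an added example that is not part of the original article: it checks whether inheritance is switched off on the wallet file, re-enables it with icacls, and then lists who can access the file so that overly broad entries inherited from the folder stand out. The path is the example location from the text; the list of broad groups is an assumption and uses the English group names.

```powershell
# Added example, not from the original article.
$wallet = 'i:\pfile\ewallet.p12'   # example wallet location from the text

# After a save by Oracle Wallet Manager the file no longer inherits from its folder.
$acl = Get-Acl -Path $wallet
if ($acl.AreAccessRulesProtected) {
    Write-Host 'Inheritance is disabled on the wallet file; enabling it again.'
    & icacls $wallet /inheritance:e
} else {
    Write-Host 'Inheritance is already enabled; ORA-28759 has another cause.'
}

# Show the resulting entries: the account that runs the database must be listed.
$acl = Get-Acl -Path $wallet
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Assumption: these groups are broader than a wallet file needs (English names).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ('{0} has {1} on the wallet; tighten the permissions on the folder.' -f
            $_.IdentityReference.Value, $_.FileSystemRights)
    }
```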