I held a live stream for SWEOUG that presented what my last two blogs covered. It was my first ever and while it was a bit uncomfortable to set up to not see your audience it worked well. In fact it was really enjoyable and I look forward to doing more.
In the stream Ilmar Kerm made a few comments about what I said. I was not able to fully grasp it during the stream, but I talked to Ilmar after to find out what if anything was to be corrected and what was just additional info.
The feedback from Ilmar was centered around three parts.
- When I stated the last certificate in the chains of certificates was a root certificate it really wasn’t it was just an intermediate certificate.
- There is no need to download certificates from the website, you’d just look at the chain to know what root you need in your trust store.
- Oracle provides a few certificates out of the box that one might want to remove.
Let’s review these questions in order.
Root Certificate is not sent by the website
If one looks at the chain of certificates from a website you will see the following lines for each certificates, these are the ones for oracle.com for the last one in the list.
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
That means that this certificate is “DigiCert SHA2 Secure Server CA” and it was issued by “DigiCert Global Root CA”. That is the certificate that issued it, the root was not sent to us. Ilmar is correct on this.
However, if we look at the site I used in the demo, example.com the lines for the last certificate looks like this.
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Thus, this is the root certificate. So while it was correct that it is the root, it is not typical. The website does not have to send it and in fact it probably shouldn’t. All places receiving will use their own trust store for what root certificates they will trust and not use the root the website sends.
You only need root
It is true, ask any Linux sysadmin. 🙂
The argument here was that grabbing intermediate certificates off of the website is not needed. All that matters is the root certificate. This for sure sounded strange to me. I was sure I had seen it require to have the intermediate ones loaded in also. Every person I talk to talks of how they grab them from websites using a web browser.
But it is true and some blogs has an update stating this too. I have somehow reread them and not understood that change in the process.
Furthermore, you want to grab the trusted certificate from a source you are comfortable with. So you may use mozilla, I am opting to use what openssl ships with.
To know where you find it with openssl, you use this command.
~ $ openssl version -d OPENSSLDIR: "/private/etc/ssl"
In the path of OPENSSLDIR you will find a file “certs.pem”. In it you’ll find a list of root certificates that ships with openssl. If the one you are looking for is not in this bundle, think twice about adding it from somewhere else. It may be OK, just make sure you know it is secure.
From this file, search for the CN (Common Name) of the cert you want to trust and grab the lines from “—–BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” including those two lines and save it to cert1.txt, just like we did with them from the openssl output in the last blog post.
With that we can now create the wallet we need for the same function as that blog post showed.
orapki wallet create -wallet blogwallet -auto_login -pwd BlogWallet1
orapki wallet add -wallet blogwallet -trusted_cert -pwd BlogWallet1 -cert cert1.txtThat is it, the wallet will now work without adding the intermediate certificate.
Verdict – Ilmar is correct again.
Oracle provides default trusted certificates
A newly created wallet seems to have had these certificates installed.
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
However, I guess that stopped in 12c. I can however not find a note about that change. I see a wallet in my 18c XE being created with no trusted certs to start with.
Verdict – Ilmar is correct again. At least in some versions of Oracle.
Conclusion
Getting feedback i great. Here it took me a few days to work trough and test it out. But I ended up correcting some of my understanding and understanding other bits better for how this works.
Thanks Ilmar for taking the time to provide feedback and reply to my follow up questions as I wrapped my head around what this meant for what I presented and how I do this. In the end it simplifies the process of setting up the wallet considerably.
Pingback: Scripting the Oracle Wallet truststore – Oracle DB Development