
I am creating an SSL-enabled connection between an Oracle 11g database (11.2.0.1) and a Java client using the thin JDBC driver (type 4). We are creating the client/server/root certificates using the orapki utility and putting the certificates in an Oracle wallet.

It seems the default hash algorithm for encryption, when we create certificates using the orapki utility (in Oracle 11g DB), is MD5. This was working fine until we upgraded to JDK 1.7u101. This version of the JDK no longer supports MD5, so it seems we need to use SHA-256 as the hash algorithm. I keep finding references that Oracle Wallet Manager 11.2.0.1+ supports SHA-256, but I cannot find any documentation on how to specify SHA-256 as the hash algorithm while creating the certificates.

Is there a way I can generate certificates through orapki/wallet manager with SHA-256 as the hash algorithm?

1 Answer


You can use orapki with -sign_alg sha256 to sign your certificates with SHA-256 instead of MD5.

For example, creating a self-signed certificate used as the trusted authority:

orapki wallet create -wallet ./root -pwd welcome123 -nologo
orapki wallet remove -trusted_cert_all -wallet ./root -pwd welcome123 -nologo
orapki wallet add -wallet ./root -dn CN=Certification\ Authority\ For\ Testing,\ O=MyCompany,\ C=US -keysize 2048 -self_signed -validity 7300 -pwd welcome123 -sign_alg sha256 -nologo
orapki wallet export -wallet ./root -dn CN=Certification\ Authority\ For\ Testing,\ O=MyCompany,\ C=US -cert ./root/rootcertificate.crt -pwd welcome123 -nologo
keytool -printcert -file root/rootcertificate.crt
orapki wallet display -wallet ./root -pwd welcome123 -nologo

And the output is:

Owner: CN=Certification Authority For Testing, O=MyCompany, C=US
Issuer: CN=Certification Authority For Testing, O= MyCompany, C=US
Serial number: 0
Valid from: Wed Mar 09 03:35:42 PST 2016 until: Tue Mar 04 03:35:42 PST 2036
Certificate fingerprints:
    MD5: D1:EB:E4:27:FB:B1:C9:4A:CB:9D:28:A6:5A:C7:E7:20
    SHA1: 39:DD:C2:4A:EA:97:BD:47:52:8C:E6:B9:2C:97:F9:F4:A8:A4:5E:85
    SHA256: 04:28:19:01:AC:83:C3:69:D0:C9:1C:6A:94:08:B7:31:0C:65:21:7F:8E:FB:19:50:22:02:C4:9C:69:B1:1E:F6
Signature algorithm name: SHA256withRSA
Version: 1
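The keytool output above is the quickest way to confirm the signature algorithm of one exported certificate. The following added example (not part of the answer or of Oracle's tooling) does the same check in plain Python with no third-party modules, so it can be run over every .crt exported from a wallet before a JDK upgrade to find certificates still signed with MD5withRSA. It reads the outer signatureAlgorithm OID straight from the DER structure; stub_cert builds a constructed, minimal certificate skeleton purely for testing.

```python
import base64

# Signature algorithm OIDs with the names keytool prints. orapki emits
# SHA256withRSA with "-sign_alg sha256" and MD5withRSA by default on the
# older releases discussed above.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}
REJECTED_BY_JDK = {"MD5withRSA"}  # no longer accepted by JDK 7u101, per the question

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length (real certificates use this)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted notation from OID content octets (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # tbsCertificate: skipped
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)

def pem_to_der(pem_text):
    """Strip the PEM armour of a file such as rootcertificate.crt."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def is_rejected(der):
    return signature_algorithm(der) in REJECTED_BY_JDK

def stub_cert(oid_hex):
    """Constructed minimal Certificate SEQUENCE (empty TBS) for tests only."""
    alg = b"\x30\x0d\x06\x09" + bytes.fromhex(oid_hex) + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
```

For a real file: is_rejected(pem_to_der(open("root/rootcertificate.crt").read())).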

2 Comments

Thanks. Also, it seems like the -sign_alg sha256 option works with Oracle 11.2.0.3 and up.
-sign_alg is mandatory because orapki creates certificates with MD5 by default, which is incompatible with Java JRE 7 and above environments due to security compromises. Refer to helpx.adobe.com/aem-forms/kb/java-update-compatability-md5.html
