ORDS Standalone: Configure SSL Certificate Chain
This post describes the process for installing an SSL certificate chain in ORDS running in Standalone mode.
Prerequisites:
- One instance certificate
- Certificate file in text format
- Certificate private key file
- Intermediate certificate in text format
Overview:
- Combine the two certificates into a single file
- Create a PKCS12 key from the two certificates
- Convert the PKCS12 key to DER format
# Set variables
PASSWORD="MySecret123"
HOSTNAME="myhost.domain.com"
KEY="my_certificate.key" #provided by certificate authority
IDENTITY_CRT="my_certificate.crt" #provided by certificate authority
INTERMEDIATE_CRT="my_intermediate_certificate.crt" #provided by certificate authority
# Write a passwordfile
echo "${PASSWORD}" > passfile
# Concatenate the identity and intermediate certificates. Order matters!
cat ${IDENTITY_CRT} ${INTERMEDIATE_CRT} > ${HOSTNAME}.chain.crt
# Combine certificates and private key into a .p12 file.
openssl pkcs12 \
-export \
-inkey ${KEY} \
-in ${HOSTNAME}.chain.crt \
-out ${HOSTNAME}.chain.p12 \
-password pass:${PASSWORD}
# Convert certificate key to DER format for ORDS
openssl pkcs8 \
-topk8 \
-inform P12 \
-outform DER \
-in ${HOSTNAME}.chain.p12 \
-out ${HOSTNAME}_key.der \
-nocrypt \
-passin file:passfile
# Remove passfile
rm passfile
Update the ORDS standalone.properties file by placing the certificate and key names in the appropriate spots:
# SSL Configuration
jetty.secure.port=443
ssl.cert=/path/to/myhost.domain.com.chain.crt
ssl.cert.key=/path/to/myhost.domain.com_key.der
ssl.host=myhost.domain.com
Restart ORDS and validate results.
To validate the certificates, you can examine them with the following command. It shows the raw text of the certificates, which you can compare with the ones provided by the certificate authority.
openssl s_client -showcerts -connect myhost.domain.com:443
Big thanks to @thatjeffsmith and @btspendo for helping me with this solution.
For a comprehensive Terraform script utilizing this method see the oracle-db-tools GitHub repo.