Secure Oracle mTLS with Custom Wallets
A hands-on guide to configuring Oracle wallets for secure mutual TLS (mTLS) connections using existing PEM keys and certificates with OpenSSL and orapki.
A few days ago, I configured an Oracle wallet to establish mutual TLS (mTLS) connections for a client.
Mutual TLS is a more secure variation of TLS where both the client and the server authenticate each other using certificates.
It's widely used in environments where secure, authenticated communication is critical — such as APIs between internal services or business partners.
In this post, I'll walk you through the steps I used to configure an Oracle wallet from an existing private key and certificates using OpenSSL and orapki.
This method is especially useful when you're provided with PEM-format certificates and keys and need to get them into a format Oracle can use.
1. Generate a P12 File with OpenSSL
The first step is to combine the private key, public certificate, and the root CA into a single .p12 file (PKCS#12), which Oracle tools can import:
openssl pkcs12 -export \
-in /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.crt \
-inkey /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.key \
-certfile /u01/app/oracle/product/19.0.0/orcl/wallet/rootca.crt \
-out openssl.p12
You'll be prompted to set a password for this file. Keep it handy — you'll need it in the next steps.
2. Create a Wallet with Auto Login
Use orapki to create the wallet directory and enable auto-login, which allows the Oracle DB to use the wallet without needing a password at runtime:
orapki wallet create \
-wallet /u01/app/oracle/product/19.0.0/orcl/wallet \
-pwd <PASSWORD> \
-auto_login
Replace <PASSWORD> with your secure wallet password.
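Because an auto-login wallet (cwallet.sso) opens without a password, file permissions are what protect the private key at rest. The script below is an added example, not part of the original walkthrough: it flags key-bearing files in the wallet directory (the .sso and .p12 wallets plus any PEM .key file, as in the paths used above) that group or other accounts can read or write. The function name audit_wallet and the owner-only access policy are assumptions.

```shell
#!/bin/sh
# Added example: audit permissions on an Oracle wallet directory.
# Assumption: only the owning OS account should reach key material.
# Relax the file check if your listener runs under a different user
# that legitimately needs group read access.

# audit_wallet DIR
# Prints findings; returns 0 if clean, 1 if anything is exposed,
# 2 if DIR is not a directory.
audit_wallet() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # A group/other-writable directory lets another account replace
    # the wallet files even when the files themselves are locked down.
    bad_dir=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)

    # Files that carry the private key: cwallet.sso (auto-login copy),
    # ewallet.p12 and any intermediate .p12, and the original PEM key.
    # Flag them if group or other has read or write access.
    bad_files=$(find "$dir" -type f \
        \( -name '*.sso' -o -name '*.p12' -o -name '*.key' \) \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
        -print)

    if [ -n "$bad_dir" ]; then
        echo "group/other-writable directory: $bad_dir"
    fi
    if [ -n "$bad_files" ]; then
        printf 'exposed key material:\n%s\n' "$bad_files"
    fi

    [ -z "$bad_dir" ] && [ -z "$bad_files" ]
}

# Run against a directory when one is given on the command line.
[ "$#" -eq 0 ] || audit_wallet "$1"
```

Public certificates such as rootca.crt are deliberately not checked, since they contain no secret.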