Secure Oracle mTLS with Custom Wallets

A hands-on guide to configuring Oracle wallets for secure mutual TLS (mTLS) connections using existing PEM keys and certificates with OpenSSL and orapki.


A few days ago, I configured an Oracle wallet to establish mutual TLS (mTLS) connections for a client.
Mutual TLS is a more secure variation of TLS where both the client and the server authenticate each other using certificates.
It's widely used in environments where secure, authenticated communication is critical — such as APIs between internal services or business partners.

In this post, I'll walk you through the steps I used to configure an Oracle wallet from an existing private key and certificates using OpenSSL and orapki.
This method is especially useful when you're provided with PEM-format certificates and keys and need to get them into a format Oracle can use.

1. Generate a P12 File with OpenSSL

The first step is to combine the private key, public certificate, and the root CA into a single .p12 file (PKCS#12), which Oracle tools can import:

openssl pkcs12 -export \
  -in /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.crt \
  -inkey /u01/app/oracle/product/19.0.0/orcl/wallet/yourapi.domain.com.key \
  -certfile /u01/app/oracle/product/19.0.0/orcl/wallet/rootca.crt \
  -out openssl.p12

You'll be prompted to set a password for this file. Keep it handy — you'll need it in the next steps.

2. Create a Wallet with Auto Login

Use orapki to create the wallet directory and enable auto-login, which allows the Oracle DB to use the wallet without needing a password at runtime:

orapki wallet create \
  -wallet /u01/app/oracle/product/19.0.0/orcl/wallet \
  -pwd <PASSWORD> \
  -auto_login

Replace <PASSWORD> with your secure wallet password.

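3. Import the P12 File into the Wallet

Now, import the .p12 file you created using OpenSSL. The commands below expect openssl.p12 to be in the wallet directory, so run step 1 from there or move the file first: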

cd /u01/app/oracle/product/19.0.0/orcl/wallet
orapki wallet import_pkcs12 -wallet . -pkcs12file openssl.p12

This will extract the private key and certificates into the Oracle wallet format.
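
After step 3 the wallet directory holds the auto-login wallet (cwallet.sso, which opens without a password) next to the PEM key and the intermediate openssl.p12, so file permissions and leftover key copies are what is left to check. The audit below is an added example, not part of the original post; the function names and the policy it enforces (owner-only access, no extra copies of the key) are assumptions.

```shell
#!/bin/sh
# Added example: audit an Oracle wallet directory after the import step.
# Assumed policy (not from the post): owner-only access, and no extra copies
# of the private key left beside the wallet.

# True if PATH has any group/other permission bit set (POSIX find tests only).
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -001 -o -perm -002 -o -perm -004 \
        -o -perm -010 -o -perm -020 -o -perm -040 \) -print)" ]
}

# Print one finding per line. Returns 0 if clean, 1 if flagged, 2 on bad input.
wallet_audit() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi
    if loose_perms "$dir"; then
        echo "PERMS: wallet directory"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            cwallet.sso|ewallet.p12)
                # Wallet files; cwallet.sso opens without any password.
                if loose_perms "$f"; then echo "PERMS: $name"; rc=1; fi
                ;;
            *.key|*.p12)
                # PEM key or intermediate PKCS#12 from step 1: a second copy
                # of the private key outside the wallet.
                echo "LEFTOVER: $name"
                rc=1
                if loose_perms "$f"; then echo "PERMS: $name"; fi
                ;;
        esac
    done
    return "$rc"
}

# Usage: sh wallet_audit.sh /u01/app/oracle/product/19.0.0/orcl/wallet
if [ "$#" -gt 0 ]; then
    wallet_audit "$1"
fi
```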