Pythian Blog: Technical Track

I Lost My ORAPKI Wallet Password—Now What?


Usually, you will face this issue when one of your certificates expires and you need to add a new one. When you try to, the tool prompts you for a password that you don't know. What do you do then?

The goal is to add the new certificate without touching the other ones that are already in the wallet and still working fine (not expired). But first, let's briefly explain what ORAPKI is.

ORAPKI is a command-line tool that is part of Oracle Wallet Manager. It is used to work with Oracle Public Key Infrastructure (PKI), which handles key-based security and certificates.

Here are some of the main functionalities of ORAPKI:

Wallet Creation: ORAPKI allows you to create new wallets that act as secure repositories to store private keys, certificates, and other security artifacts. These wallets are used to configure the security of various Oracle components, such as databases, application servers, and other applications that require authentication and encryption.

Certificate Management: With ORAPKI, you can add, remove, or list digital certificates in a wallet. Digital certificates are used to authenticate the identities of participants in encrypted communication.

Generation of Self-Signed Keys and Certificates: ORAPKI can be used to generate private keys and self-signed certificates. These certificates are useful in development or testing environments where a certificate from a trusted Certificate Authority (CA) is not required.

Certificate Format Conversion: The tool can be used to convert certificates between different formats, enabling interoperability with other systems and applications.

Message Signing and Verification: ORAPKI can digitally sign messages using a private key stored in the wallet and verify the signature using the corresponding public key.

CRL (Certificate Revocation List) Creation: ORAPKI allows the creation of Certificate Revocation Lists, which contain information about certificates that have been revoked before their expiration.

Export and Import of Wallets: ORAPKI enables exporting an entire wallet or parts of it to a file, making it easier to back up and migrate the key and certificate structure.

When you create a wallet, you need to configure a password for it, and that password is required every time you access or modify the wallet. There is a parameter called auto_login that lets you open the wallet or view the certificates without being asked for the password, but if you try to change the wallet, such as by adding a new certificate, you still have to enter your password. There is also another option, the auto_login_only parameter. This one allows you to access and change the wallet without a password at all. Be careful when using this feature, because anyone with access to the server can change your wallet. I strongly recommend using just auto_login, without the _only at the end.

In case you don’t have the password for your current wallet and you need to add more certificates to it (this is a common thing, as the certificates expire), you will need to follow these steps in order to recreate your wallet, keeping all the current certificates and then adding the new one.

The first step is to find where your wallet is, because you will need to save your current certificates from it. Exporting the certificates is only possible if your wallet was created with the auto_login option; otherwise, if you don’t have the password, you won’t be able to see what you have inside of the wallet.

Configure your database variables (in my case, my database is oradb02):

$ . oraenv <<< oradb02

Then run this command (There is no default for the wallet location, but I usually put it on $ORACLE_BASE/admin/<DBNAME>/wallet):

$ orapki wallet display -wallet <wallet_location>

If it asks you for a password, you won't be able to save the current certificates. You will need to create a new empty wallet and ask the application/security teams for these certificates so you can import them back. This is a tough and risky operation, because you never know exactly how many certificates you had before or what each of them was used for.

If you are able to run this command and it shows you an output like the one below, it means that your wallet was created with the auto_login feature, and you will be able to export the current certificates.

$ orapki wallet display -wallet <wallet_location>
Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Trusted Certificates:

Subject:        CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Subject:        OU=Secure Server Certification Authority,O=Data Security\, Inc.,C=US


Now you will need to export the current certificates from your wallet to a text file, one by one. 

Create a location to export the certificates:

$ mkdir -p /home/oracle/certificates

Export all your current certificates, one by one:

$ orapki wallet export -wallet /u01/app/oracle/admin/Prod/wallet -dn "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US" -cert /home/oracle/certificates/UserTrustNet.crt

$ orapki wallet export -wallet /u01/app/oracle/admin/Prod/wallet -dn "OU=Secure Server Certification Authority,O=Data Security\, Inc.,C=US" -cert /home/oracle/certificates/SecureServerCertAut.crt

Create a backup folder for your current wallet:

$ mkdir -p <wallet_location>/backup 

Move the current wallet files (ewallet.p12 and, for an auto_login wallet, cwallet.sso) into the backup folder. This is what removes the current wallet, so no additional commands are needed. Move the files themselves rather than the directory, because mv refuses to move a directory into its own subfolder:

$ mv <wallet_location>/ewallet.p12 <wallet_location>/cwallet.sso <wallet_location>/backup/

Then create the new wallet with your new password (I'm using the auto_login feature in the example below).

$ orapki wallet create -wallet <wallet_location> -pwd <password> -auto_login

Now you can import your old certificates back into it and also add the new ones if you like.

$ orapki wallet add -wallet <wallet_location> -trusted_cert -cert "/home/oracle/certificates/UserTrustNet.crt" -pwd <password>  

$ orapki wallet add -wallet <wallet_location> -trusted_cert -cert "/home/oracle/certificates/SecureServerCertAut.crt" -pwd <password>  

$ orapki wallet add -wallet <wallet_location> -trusted_cert -cert "<new_cert_file>" -pwd <password>  

After that, you can remove the exported certificate files from the machine if you want; Oracle will keep the hash inside the wallet.

Lastly, save your wallet password somewhere safe.

In summary: 

  • Display the current wallet certificates
  • Export all of them, one by one to files in a folder
  • Move the current wallet files to a backup folder
  • Create a new wallet
  • Import the old certificates to this new wallet
  • Add the new certificates to this new wallet
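The whole procedure above, automated as a POSIX shell script. This is an added example and not code from the Pythian post; it assumes orapki is on the PATH, that the wallet was created with -auto_login (so the display step works without a password), that the wallet directory holds the standard ewallet.p12 and cwallet.sso files, and that /home/oracle/certificates is acceptable as the export folder. The trusted-certificate DNs are parsed from the same display output shown earlier (embedded here as a constructed sample), which is what makes the parsing functions testable without orapki installed. User certificates are deliberately skipped, since they cannot be re-imported without their private key, which the lost password protects.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild an auto_login Oracle wallet
# whose password is lost, keeping every trusted certificate it already holds.
# Assumptions: orapki on PATH, wallet created with -auto_login, standard file
# names ewallet.p12 and cwallet.sso inside the wallet directory.

# Constructed sample of "orapki wallet display" output for offline testing.
SAMPLE_DISPLAY='Oracle PKI Tool : Version 12.2.0.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Trusted Certificates:

Subject:        CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
Subject:        OU=Secure Server Certification Authority,O=Data Security\, Inc.,C=US'

# Print the DN of every trusted certificate, one per line. Only "Subject:" lines
# after the "Trusted Certificates:" header count; user certificates are skipped.
trusted_dns() {
    printf '%s\n' "$1" | awk '
        /^Trusted Certificates:/ { in_trusted = 1; next }
        in_trusted && /^Subject:/ { sub(/^Subject:[ \t]*/, ""); print }
    '
}

# Derive a safe file name from a DN: the value of the first RDN, with every
# character outside [A-Za-z0-9] replaced by "_".
dn_to_filename() {
    printf '%s' "$1" | sed 's/^[A-Za-z]*=//; s/,.*//; s/[^A-Za-z0-9]/_/g'
}

# Export each trusted certificate, move the old wallet files aside, create a
# fresh wallet and re-add the exported certificates plus the new one.
# Usage: rebuild_wallet <wallet_location> <new_password> <new_cert_file> [export_dir]
rebuild_wallet() {
    wallet="$1"; password="$2"; new_cert="$3"
    export_dir="${4:-/home/oracle/certificates}"
    mkdir -p "$export_dir" "$wallet/backup" || return 1

    # </dev/null makes orapki fail instead of hanging on a password prompt
    # when the wallet was not created with -auto_login.
    display_out=$(orapki wallet display -wallet "$wallet" </dev/null) || return 1

    trusted_dns "$display_out" | while IFS= read -r dn; do
        out="$export_dir/$(dn_to_filename "$dn").crt"
        orapki wallet export -wallet "$wallet" -dn "$dn" -cert "$out" || exit 1
    done || return 1

    # Move the wallet files (not the directory itself) into backup; this is
    # what removes the old wallet.
    mv "$wallet/ewallet.p12" "$wallet/cwallet.sso" "$wallet/backup/" || return 1

    orapki wallet create -wallet "$wallet" -pwd "$password" -auto_login || return 1
    for crt in "$export_dir"/*.crt "$new_cert"; do
        orapki wallet add -wallet "$wallet" -trusted_cert -cert "$crt" -pwd "$password" || return 1
    done
}

# Run the rebuild only when invoked with arguments and orapki is installed.
if [ "$#" -ge 3 ] && command -v orapki >/dev/null 2>&1; then
    rebuild_wallet "$@"
fi
```

Run it as `sh rebuild_wallet.sh <wallet_location> <new_password> <new_cert_file>`. The DN is passed to `orapki wallet export` exactly as the display output prints it, including the `\,` escape inside "Data Security\, Inc.", which matches the quoting used in the manual commands above. Because the script moves the existing files before creating the new wallet, a failure in the create or add step leaves the originals intact in the backup folder.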
