
How to Create a Minimally Viable Private CA for Jar Signing using OpenSSL

Sometimes it is not possible to buy an expensive HSM-based solution for EBS JAR signing. You can instead run your own private CA and use it to issue the code signing certificate for the JAR files.

This post walks through creating that private CA with the OpenSSL command-line tool: one-time initialization, a leaf (code signing) profile, signing the EBS request, and revocation.

One-Time CA Initialization

Create CA Directory

mkdir ~/ebsJarCA
cd ~/ebsJarCA

Create CA Directory Structure

mkdir certs db private
chmod 700 private
touch db/index
openssl rand -hex 16 > db/serial
echo 1001 > db/crlnumber

Create a CA Configuration File

Put the host, domain, port and organization information in the respective sections. If you are going to host the CRL on EBS, use the PRODUCTION URL, as that server is the one most likely to be up. Note that the AIA and CRL URLs are written into every certificate this CA issues (see the issuer_info and crl_info sections below), so changing them later means reissuing the certificates.

cat > ebsca.conf <<-'EOF'
[default]
name = ebsca
host = <Host for the CRL file>
domain_suffix = <Domain for the CRL file >
port = <HTTP PORT>
aia_url = http://$host.$domain_suffix:$port/$name.crt
crl_url = http://$host.$domain_suffix:$port/$name.crl
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "US"
organizationName = "Example"
commonName = "Example EBS JAR Private Root CA R1"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3653
default_crl_days = 3653
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
EOF

Generate the CA private key and CSR

openssl req -new \
-config ebsca.conf \
-out ebsca.csr \
-keyout private/ebsca.key

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

The generated private/ebsca.key is the CA private key and must be kept in a secure place; the pass phrase entered above is required for every signing operation.


Self-sign the root CA certificate

openssl ca -selfsign \
-config ebsca.conf \
-in ebsca.csr \
-out ebsca.crt \
-extensions ca_ext
Enter pass phrase for ./private/ebsca.key:


The generated ebsca.crt is the root CA certificate, which the Forms clients must trust.

openssl’s ca command keeps track of issued certificates in the text file db/index

# cat db/index | tr '\t' ' '
V 340105050154Z 66F314E24AC4FDB09BD9912E7108EA8D unknown /C=US/O=Example/CN=Example EBS JAR Private Root CA R2

So far this CA has only signed its own certificate.

Generate (empty) CRL

openssl ca -gencrl \
-config ebsca.conf \
-out ebsca.crl

The generated ebsca.crl is what clients use to check the revocation status of a certificate. Without this file there will be an error launching Forms. The same CRL is used by EVERY EBS instance that shares the code signing certificate, so if you host it on EBS it is best to put it on your PRODUCTION node. The CRL itself has an expiry (default_crl_days in the configuration), so it must be regenerated with this command before that date and after every revocation.

Create Configuration File for Leaf Certificates (Code Signing)

cat ebsca.conf | sed 's/^copy_extensions.*$/copy_extensions = copy/' > leaf.conf
cat >> leaf.conf <<EOF
[code_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = codeSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

leaf.conf is a copy of the CA configuration with copy_extensions switched to copy, so extensions present in a request are carried into the certificate. That is acceptable only because every security-relevant extension (basicConstraints, keyUsage, extendedKeyUsage) is pinned in code_ext, and extensions set in the configuration take precedence over those in the request, so a requester cannot obtain a CA or non-code-signing certificate through the CSR.

The private CA is now ready to sign the EBS JAR files.

How to sign the EBS jar files

As the operator of the private CA, you will receive a Certificate Signing Request in the form of a *.csr file (adkeystore.csr, generated on the EBS side). Sign it to produce the code signing certificate with the following command:

$ openssl ca -config leaf.conf -extensions code_ext -in adkeystore.csr -out adkeystore.crt


Return the newly generated adkeystore.crt together with the root certificate (ebsca.crt) to the requestor for import into the EBS JAR signing keystore file (adkeystore.dat).


The db/index file now lists both the root and the code signing certificate:

[ebsCA]# cat db/index | tr '\t' ' '
V 340105050154Z 66F314E24AC4FDB09BD9912E7108EA8D unknown /C=US/O=Example/CN=Example EBS JAR Private Root CA R2
V 340105050336Z 66F314E24AC4FDB09BD9912E7108EA8E unknown /C=US/ST=California/O=EBS Customer/OU=JAR Sign/CN=EBS Customer

How to Revoke a Certificate

In the unlikely situation that you need to revoke a certificate (invalidate a leaf certificate that has not yet expired), use the following command, where <serial> is the serial number shown in the db/index entry (openssl ca stores each issued certificate under certs/ by that name):

$ openssl ca -config ebsca.conf \
-revoke certs/<serial>.pem \
-crl_reason keyCompromise

The -crl_reason can be one of unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold and removeFromCRL. Revoking only marks the entry R in db/index; clients do not see the revocation until you regenerate the CRL with the openssl ca -gencrl command shown above and publish the new ebsca.crl at the crl_url.
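The following script is an added example, not code from the original post: it runs the whole procedure above (one-time initialization, leaf profile, signing a requester's CSR, checking the result, revocation and CRL regeneration) against a throw-away CA in a temporary directory, so each step can be verified before doing it on the real CA. It assumes only that the openssl CLI is on PATH. The configuration is a reduced version of ebsca.conf (same sections, AIA/CRL URLs left out), the requester's subject is constructed for the demo, and keys are 2048-bit and unencrypted purely to keep it quick; the post's 4096-bit, pass-phrase-protected root key is what a real CA should use.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end private CA lifecycle.
# Assumes the openssl CLI is on PATH. Reduced config, demo-sized keys.
set -eu

# init_ca DIR: one-time initialization (directory layout, db files, config,
# root key + CSR, self-signed root, empty CRL), as in the post but in DIR.
init_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/db" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/db/index"
    openssl rand -hex 16 > "$dir/db/serial"
    echo 1001 > "$dir/db/crlnumber"
    cat > "$dir/ca.conf" <<EOF
[default]
default_ca = ca_default
[ca_default]
home = $dir
database = \$home/db/index
serial = \$home/db/serial
crlnumber = \$home/db/crlnumber
certificate = \$home/ebsca.crt
private_key = \$home/private/ebsca.key
new_certs_dir = \$home/certs
default_days = 3653
default_crl_days = 30
default_md = sha256
policy = policy_any
[policy_any]
countryName = supplied
organizationName = supplied
commonName = supplied
[req]
distinguished_name = ca_dn
prompt = no
[ca_dn]
countryName = US
organizationName = Example
commonName = Example EBS JAR Private Root CA R1
[ca_ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[code_ext]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # Root key + CSR, self-signed through 'openssl ca' as the post does, then
    # the initial (empty) CRL. -nodes: unencrypted key, demo only.
    openssl req -new -config "$dir/ca.conf" -newkey rsa:2048 -nodes \
        -keyout "$dir/private/ebsca.key" -out "$dir/ebsca.csr"
    openssl ca -batch -selfsign -notext -config "$dir/ca.conf" \
        -extensions ca_ext -in "$dir/ebsca.csr" -out "$dir/ebsca.crt"
    openssl ca -gencrl -config "$dir/ca.conf" -out "$dir/ebsca.crl"
}
# make_csr DIR: requester side, stand-in for adkeystore.csr (constructed subject).
make_csr() {
    openssl req -new -config "$1/ca.conf" -newkey rsa:2048 -nodes \
        -subj "/C=US/O=EBS Customer/CN=EBS Customer" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr"
}
# issue_cert DIR CSR OUT: CA operator signs with the code_ext profile.
issue_cert() {
    openssl ca -batch -notext -config "$1/ca.conf" -extensions code_ext \
        -in "$2" -out "$3"
}
# has_code_signing_eku CERT: prints yes/no; check before returning a cert.
has_code_signing_eku() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
    then echo yes; else echo no; fi
}
# index_status DIR CERT: prints the db/index status (V/R/E) for CERT.
# db/index is tab-separated; column 4 is the serial in upper-case hex.
index_status() {
    s=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    awk -F'\t' -v s="$s" 'toupper($4) == toupper(s) { print $1 }' "$1/db/index"
}
# verify_leaf DIR CERT: prints ok/fail; chain + CRL check, as a client would.
verify_leaf() {
    if openssl verify -CAfile "$1/ebsca.crt" -crl_check -CRLfile "$1/ebsca.crl" \
        "$2" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
# revoke_cert DIR CERT REASON: mark revoked, then regenerate the CRL; until
# the new CRL is generated (and published) clients still see the cert as valid.
revoke_cert() {
    openssl ca -config "$1/ca.conf" -revoke "$2" -crl_reason "$3"
    openssl ca -gencrl -config "$1/ca.conf" -out "$1/ebsca.crl"
}
demo() {   # stand-alone run: sh ca_lifecycle.sh
    w=$(mktemp -d); init_ca "$w"; make_csr "$w"; issue_cert "$w" "$w/leaf.csr" "$w/leaf.crt"
    echo "issued: eku=$(has_code_signing_eku "$w/leaf.crt") verify=$(verify_leaf "$w" "$w/leaf.crt")"
    revoke_cert "$w" "$w/leaf.crt" keyCompromise
    echo "revoked: index=$(index_status "$w" "$w/leaf.crt") verify=$(verify_leaf "$w" "$w/leaf.crt")"
    rm -rf "$w"
}
demo
```

The two checks worth carrying over to the real CA are has_code_signing_eku (confirm the issued certificate actually carries extendedKeyUsage codeSigning and CA:false before handing it back to the EBS team) and verify_leaf run with -crl_check against the published ebsca.crl, which is exactly what a client does and is the quickest way to confirm that a revocation has taken effect.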
