Using Oracle Wallet With External Certificates

Sven Illert

For secure database connections you can choose between Oracle's native network encryption in SQL*Net and the industry standard Transport Layer Security (TLS). The latter was once only available with the Advanced Security Option, but for some years now it has no longer required that option and can be used even with Standard Edition licensed databases.

When you start a new project, and of course for any existing infrastructure, you should consider enabling encrypted communication channels. That is standard today for the web, and it should be the same for any connection over which sensitive data is transferred across a network. Just imagine that anyone with access to the raw byte stream of your TCP connection could read the sensitive data a company's CEO is working with in an Oracle database. I suppose that is not what anybody wants.

Enabling TLS is quite straightforward if you follow the general guidance and create your own certificate signing request (CSR), so that the private key never leaves the wallet. In one of my customer projects we did that in the past, and the certificate delivered by the customer's certificate authority worked well for the last year. Some days ago we realized that its validity period was about to end and we had to deploy a new certificate for our connection manager, and the customer sent us new certificates in advance. But when we tried to add the new certificate (assuming they had reused the CSR from last year) we got the following error.

$ orapki wallet add -wallet $PWD -cert 2026-01-20-lb-test-cert.cer -user_cert
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
PKI-04006: No matching private key in the wallet.
Could not install user cert at2026-01-20-lb-test-cert.cer
Please add all trusted certificates before adding the user certificate

The message “Please add all trusted certificates before adding the user certificate” is misleading: it would also appear if all root and intermediate CAs had already been added to the wallet, so we could ignore it. The relevant line is PKI-04006. After some research I found out that the customer had sent us a certificate associated with a private key different from the one we had created for our initial signing request. That could not work at all, no matter how hard we tried: the wallet only accepts a user certificate whose public key matches a private key it already holds. So we insisted on either getting the private key or issuing a new CSR and having that one signed. (Issuing a fresh CSR is the cleaner option; a private key that has been passed around by e-mail or file share is no longer something only your server knows.) We received the key and tried to import the certificate together with it. That failed too, because the certificate was in DER format and not in PEM, so we converted it and tried again.

$ orapki wallet import_private_key -wallet $PWD \
    -pvtkeyfile 2026-01-20-lb-test-private.key -cert 2026-01-20-lb-test-cert.cer
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Enter private key password:
PKI-07014: Unable to import private key. PKI-04001: Invalid Certificate.

$ openssl x509 -inform DER -in 2026-01-20-lb-test-cert.cer \
    -out 2026-01-20-lb-test-cert.pem

$ orapki wallet import_private_key -wallet $PWD -pvtkeyfile \
    2026-01-20-lb-test-private.key -cert 2026-01-20-lb-test-cert.pem
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Enter private key password:
PKI-07014: Unable to import private key. Header not present in private key

So from that point there were two things we could do next: find out what key format orapki requires, or try another approach. The error “Header not present in private key” suggests that the key file lacked the PEM header orapki looks for, i.e. it was probably DER-encoded as well. Looking at the help for the command, I wanted to give import_pkcs12 a try. It looked promising because PKCS#12 is a standard format, so it should be possible to convert the customer's certificate and key into exactly that with OpenSSL and then import the bundle into our Oracle wallet. So let's try that.

$ openssl pkcs12 -export -in 2026-01-20-lb-test-cert.pem \
  -inkey 2026-01-20-lb-test-private.key -out 2026-01-20-certstore.p12

$ orapki wallet import_pkcs12 -wallet $PWD -pkcs12file 2026-01-20-certstore.p12
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:
Enter PKCS#12 file password:
orapki command import_pkcs12 executed successfully.

So that worked out quite well, and after verifying with orapki wallet display -wallet $PWD that the new user certificate and its key were present, the new certificate could be used. Of course the old certificate was removed via orapki wallet remove -wallet $PWD -dn $DN -user_cert to avoid any confusion, $DN being the subject DN of the old certificate as shown by the display command. Also, the connection manager had to be restarted for the new certificate to be picked up.
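The whole detour above (DER instead of PEM, a key that does not belong to the certificate, and the PKCS#12 workaround) can be caught before orapki is ever involved. The following shell script is an added example written for this page; it is not Oracle tooling and not the post's own code. It assumes only that openssl is in PATH, and it builds its own throwaway CA, server key, DER certificate and an unrelated "wrong" key as constructed demo material so that every check runs offline. The file names (server.cer, server.key, wrong.key, certstore.p12) and the password are hypothetical.

```bash
#!/bin/sh
# Added example, not from the original post and not Oracle tooling.
# Assumes only that openssl is in PATH; all input files are constructed
# below by make_demo_material (a throwaway CA, a server key, a DER
# certificate and an unrelated "wrong" key).
set -eu

# to_pem FILE KIND OUT: KIND is "x509" (certificate) or "pkey" (private key).
# Accepts PEM or DER input and always writes PEM, which is what orapki expects
# ("Invalid Certificate" / "Header not present in private key" are what you
# get when it is fed DER).
to_pem() {
  in=$1; kind=$2; out=$3
  if openssl "$kind" -in "$in" -inform PEM -noout 2>/dev/null; then
    openssl "$kind" -in "$in" -inform PEM -out "$out"
  elif openssl "$kind" -in "$in" -inform DER -noout 2>/dev/null; then
    openssl "$kind" -in "$in" -inform DER -out "$out"
  else
    echo "$in: not a PEM or DER $kind" >&2
    return 1
  fi
}

# key_matches_cert CERT.pem KEY.pem: succeeds only if the public half of the
# key equals the public key inside the certificate. Run this before touching
# the wallet; a mismatch is exactly what yields "PKI-04006: No matching
# private key in the wallet".
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# build_p12 CERT.pem KEY.pem CHAIN.pem OUT.p12 PASSWORD: bundle the user
# certificate, its key and the issuing chain into one PKCS#12 file for
# "orapki wallet import_pkcs12". Adding the chain with -certfile means the
# CA certificates land in the wallet with the same import.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# make_demo_material DIR: constructed test data standing in for what a CA
# delivers. Produces ca.pem, server.key, server.cer (DER) and wrong.key
# (a key that was never used for the CSR).
make_demo_material() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-Root-CA \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/server.key" 2>/dev/null
  openssl req -new -key "$d/server.key" -subj /CN=lb-test -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -CAserial "$d/ca.srl" -days 1 \
    -outform DER -out "$d/server.cer" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/wrong.key" 2>/dev/null
}

# prepare_for_wallet DIR CERT KEY CHAIN.pem OUT.p12 PASSWORD: the complete
# pre-flight: normalise both files to PEM, verify the pairing, build the
# bundle. Fails (and writes no bundle) when the key is the wrong one.
prepare_for_wallet() {
  d=$1
  to_pem "$2" x509 "$d/cert.pem"
  to_pem "$3" pkey "$d/key.pem"
  if ! key_matches_cert "$d/cert.pem" "$d/key.pem"; then
    echo "certificate and private key do not belong together;" \
         "have the CA sign your own CSR instead" >&2
    return 1
  fi
  build_p12 "$d/cert.pem" "$d/key.pem" "$4" "$5" "$6"
}

if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d)
  make_demo_material "$w"
  prepare_for_wallet "$w" "$w/server.cer" "$w/server.key" "$w/ca.pem" \
    "$w/certstore.p12" changeit && echo "bundle ready: $w/certstore.p12"
  # next step on the real host:
  # orapki wallet import_pkcs12 -wallet $WALLET -pkcs12file $w/certstore.p12
fi
```

Run it as `sh prepare.sh demo` to see the full flow on the constructed material; with the real files, call prepare_for_wallet with the delivered certificate and key and the CA chain in PEM. One caveat when the bundle is built with OpenSSL 3: its default PKCS#12 encryption is newer than what older orapki releases understand, so if import_pkcs12 rejects the file, regenerate it with `-legacy` (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`).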