notes/Golden_Gate/distrib_certif_01.md

2026-03-12 22:01:38 +01:00
### Sources
- [OGG Documentation](https://docs.oracle.com/en/middleware/goldengate/core/19.1/securing/securing-deployments.html#GUID-472E5C9C-85FC-4B87-BB90-2CE877F41DC0)
- [Markdown Basic Syntax](https://www.markdownguide.org/basic-syntax/)
### Creating a Self-Signed Root Certificate
Create an automatic login wallet
```bash
orapki wallet create \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -auto_login
```
Create self-signed certificate
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -dn "CN=RootCA" \
  -keysize 2048 \
  -self_signed \
  -validity 7300 \
  -sign_alg sha256
```
Check the contents of the wallet
```bash
orapki wallet display \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;"
```
Export the certificate to a .pem file
```bash
orapki wallet export \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -dn "CN=RootCA" \
  -cert /app/oracle/staging_area/export/rootCA_Cert.pem
```
### Creating Server Certificates
#### For [exegol] server
Create an automatic login wallet
```bash
orapki wallet create \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;" \
  -auto_login
```
Add a Certificate Signing Request (CSR) to the server's wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;" \
  -dn "CN=exegol.swgalaxy" \
  -keysize 2048
```
Export the CSR to a .pem file
```bash
orapki wallet export \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;" \
  -dn "CN=exegol.swgalaxy" \
  -request /app/oracle/staging_area/export/exegol_req.pem
```
Using the CSR, create a signed server or client certificate and sign it using the root certificate.
Assign a unique serial number to each certificate.
```bash
orapki cert create \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -request /app/oracle/staging_area/export/exegol_req.pem \
  -cert /app/oracle/staging_area/export/exegol_Cert.pem \
  -serial_num 20 \
  -validity 375 \
  -sign_alg sha256
```
Add the root certificate into the client's or server's wallet as a trusted certificate.
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;" \
  -trusted_cert \
  -cert /app/oracle/staging_area/export/rootCA_Cert.pem
```
Add the server or client certificate as a user certificate into the client's or server's wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;" \
  -user_cert \
  -cert /app/oracle/staging_area/export/exegol_Cert.pem
```
Check the contents of the wallet
```bash
orapki wallet display \
  -wallet /app/oracle/staging_area/wallet_dir/exegol \
  -pwd "TabulaRasa32;"
```
#### For [helska] server
Create an automatic login wallet
```bash
orapki wallet create \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;" \
  -auto_login
```
Add a Certificate Signing Request (CSR) to the server's wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;" \
  -dn "CN=helska.swgalaxy" \
  -keysize 2048
```
Export the CSR to a .pem file
```bash
orapki wallet export \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;" \
  -dn "CN=helska.swgalaxy" \
  -request /app/oracle/staging_area/export/helska_req.pem
```
Using the CSR, create a signed server or client certificate and sign it using the root certificate.
Assign a unique serial number to each certificate.
```bash
orapki cert create \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -request /app/oracle/staging_area/export/helska_req.pem \
  -cert /app/oracle/staging_area/export/helska_Cert.pem \
  -serial_num 21 \
  -validity 375 \
  -sign_alg sha256
```
Add the root certificate into the client's or server's wallet as a trusted certificate.
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;" \
  -trusted_cert \
  -cert /app/oracle/staging_area/export/rootCA_Cert.pem
```
Add the server or client certificate as a user certificate into the client's or server's wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;" \
  -user_cert \
  -cert /app/oracle/staging_area/export/helska_Cert.pem
```
Check the contents of the wallet
```bash
orapki wallet display \
  -wallet /app/oracle/staging_area/wallet_dir/helska \
  -pwd "SicSemper81;"
```
### Creating a Distribution Server User Certificate
Create an automatic login wallet
```bash
orapki wallet create \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91" \
  -auto_login
```
Add a Certificate Signing Request (CSR) to the wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91" \
  -dn "CN=dist_client" \
  -keysize 2048
```
Export the CSR to a .pem file
```bash
orapki wallet export \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91" \
  -dn "CN=dist_client" \
  -request /app/oracle/staging_area/export/dist_client_req.pem
```
Using the CSR, create a signed certificate and sign it using the root certificate.
Assign a unique serial number to each certificate.
```bash
orapki cert create \
  -wallet /app/oracle/staging_area/wallet_dir/rootCA \
  -pwd "LuxAeterna12;" \
  -request /app/oracle/staging_area/export/dist_client_req.pem \
  -cert /app/oracle/staging_area/export/dist_client_Cert.pem \
  -serial_num 22 \
  -validity 375 \
  -sign_alg sha256
```
Add the root certificate into the client's or server's wallet as a trusted certificate.
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91" \
  -trusted_cert \
  -cert /app/oracle/staging_area/export/rootCA_Cert.pem
```
Add the server or client certificate as a user certificate into the client's or server's wallet
```bash
orapki wallet add \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91" \
  -user_cert \
  -cert /app/oracle/staging_area/export/dist_client_Cert.pem
```
Check the contents of the wallet
```bash
orapki wallet display \
  -wallet /app/oracle/staging_area/wallet_dir/dist_client \
  -pwd "LapsusLinguae91"
```
### Trusted Certificates
Both the Distribution Server and Receiver Server need certificates.
- The Distribution Server uses the certificate in the client wallet location under the outbound section
- For the Receiver Server, the certificate is in the wallet at the inbound wallet location

For self-signed certificates, you can choose from one of the following:
- Have both certificates signed by the same Root Certificate
- The other side's certificate is added to the local wallet as a trusted certificate
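
The notes above rely on every certificate being signed by the same root and carrying a unique serial number. The following check is an added example, not part of the original notes or of Oracle's tooling: it assumes `openssl` is installed and that the exported `.pem` files are standard PEM-encoded X.509 certificates, and the function name `check_issued_certs` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not part of the original notes): audit exported certificates
# before loading them into the wallets.
# Usage: check_issued_certs ROOT_CA_PEM CERT_PEM [CERT_PEM ...]
#   e.g. check_issued_certs /app/oracle/staging_area/export/rootCA_Cert.pem \
#            /app/oracle/staging_area/export/exegol_Cert.pem \
#            /app/oracle/staging_area/export/helska_Cert.pem
# Returns 0 only if every certificate verifies against the root CA and
# no serial number is used twice.
check_issued_certs() {
    local root cert serial subject seen rc
    root="$1"; shift
    seen=""; rc=0

    for cert in "$@"; do
        # 1. Chain check: the certificate must verify against the root CA.
        if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
            echo "FAIL $cert: does not verify against $root" >&2
            rc=1
            continue
        fi

        # 2. Serial check: openssl prints the serial in hex (e.g. serial=14).
        serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
        subject=$(openssl x509 -in "$cert" -noout -subject)
        case " $seen " in
            *" $serial "*)
                echo "FAIL $cert: serial $serial already issued" >&2
                rc=1
                continue ;;
        esac
        seen="$seen $serial"

        # 3. Expiry warning: -checkend exits non-zero if the certificate
        #    expires within the given number of seconds (30 days here).
        if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
            echo "WARN $cert: expires within 30 days" >&2
        fi
        echo "OK   $cert: $subject serial=$serial"
    done
    return "$rc"
}
```

A non-zero return means at least one certificate either does not chain to the given root or reuses a serial number; the failing file is named on stderr.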