Oracle ERP Cloud SSL/TLS Certificate Management
TL;DR
- Bottom line: Oracle manages SaaS-tier TLS certificates automatically with 6-month renewal cycles, but customers must manage outbound integration certificates themselves by importing third-party CA certs into the fusion_trust.jks keystore.
- Key limit: Oracle renews SaaS certificates every 6 months; integration partners using downloaded certificates must re-download and redeploy within the renewal window or face connection failures.
- Watch out for: Outbound calls from Fusion Applications to external HTTPS endpoints fail with nothing more specific than a generic SSL handshake error when the external service's CA certificate is missing from fusion_trust.jks.
- Best for: Any Oracle ERP Cloud integration requiring secure communication -- inbound TLS (Oracle-managed), outbound SSL trust (customer-managed), or mutual TLS for high-security integrations.
- Authentication: Certificate management is separate from API authentication (OAuth 2.0); certificates establish transport-layer trust, while OAuth handles application-layer authorization.
System Profile
This card covers SSL/TLS certificate lifecycle management across the Oracle ERP Cloud (Fusion Cloud Applications) ecosystem. It spans three distinct certificate domains: (1) Oracle-managed SaaS TLS certificates that secure inbound connections to Fusion Applications, (2) customer-managed trust certificates in the fusion_trust.jks keystore for outbound integrations, and (3) OCI Certificates service for infrastructure-level certificate management.
| Property | Value |
|---|---|
| Vendor | Oracle |
| System | Oracle ERP Cloud (Fusion Cloud Applications), Release 24C/25A |
| API Surface | REST, SOAP, FBDI (certificate management is transport-layer) |
| Current Release | 25A (February 2025 quarterly update) |
| Editions Covered | Enterprise (SaaS) |
| Deployment | Cloud |
| API Docs | Oracle Cloud Security Documentation |
| Status | GA |
API Surfaces & Capabilities
Certificate management in Oracle ERP Cloud does not use a single API surface. Certificates are managed through multiple interfaces depending on the certificate scope.
| Certificate Scope | Management Interface | Format | Automation | Who Manages |
|---|---|---|---|---|
| SaaS TLS (inbound) | Oracle-managed (no customer action) | X.509 | Automatic 6-month renewal | Oracle |
| Outbound trust (fusion_trust.jks) | Self-service UI or SR (11.12.1.0.0+) | PEM, Base64 DER | Manual import required | Customer |
| OIC adapter certificates | OIC Console > Settings > Certificates | JKS, CER, CRT | Manual upload; filter by expiry | Customer |
| OCI infrastructure certificates | OCI Console / REST API / CLI | PEM | Auto-renewal configurable | Customer or OCI-managed |
| Middleware wallets (on-prem/hybrid) | WLST, orapki, Fusion Middleware Control | Oracle Wallet (PKCS#12), JKS | Script-automatable via orapki | Customer |
| Signing keys (OIC) | OIC Console > Settings > Certificates | PKCS1, PKCS8 | Manual upload | Customer |
Rate Limits & Quotas
Per-Request Limits
| Limit Type | Value | Applies To | Notes |
|---|---|---|---|
| Max certificates per OIC instance | ~500 | Oracle Integration Cloud | Practical limit; no hard documented cap |
| Max CAs per OCI tenancy | Service-limit dependent | OCI Certificates service | Request increase via support |
| Max certificates per OCI CA | 1,000 (default) | OCI Certificates service | Configurable via service limit increase |
| JKS private key password | Single shared password | All private keys in a JKS file | Different passwords per key prevent extraction |
Rolling / Daily Limits
| Limit Type | Value | Window | Notes |
|---|---|---|---|
| SaaS TLS renewal cycle | Every 6 months | Per certificate | Oracle-managed; no customer control over timing |
| OCI certificate auto-renewal | Configurable | Per certificate policy | Set renewal rules in OCI Certificates service |
| Oracle wallet auto-login validity | No expiry | Until explicitly rotated | Auto-login wallets (cwallet.sso) do not expire |
| Self-signed cert validity (FMW) | 5 years | From creation | Fusion Middleware Control default |
Authentication
| Interface | Auth Method | Access Level | Notes |
|---|---|---|---|
| Fusion Applications self-service | Fusion Apps login (SAML/SSO) | Security Administrator role | For fusion_trust.jks imports |
| OIC Console | OIC admin credentials | ServiceAdministrator role | Upload trust/identity certificates |
| OCI Console | OCI IAM (API key or session) | Certificate-Manager policy | Manage OCI Certificates service |
| WLST (Middleware) | WebLogic admin credentials | WebLogic Admin | connect('weblogic','password') |
| orapki (CLI) | OS-level access + wallet password | File system permissions | No network auth required |
Authentication Gotchas
- Certificate management authentication is entirely separate from the OAuth 2.0 flows used for ERP API calls -- having API access does not grant certificate management permissions. [src1]
- OCI Certificates service requires IAM policies granting explicit access to the certificates family of resources; default tenancy admin policies do not include certificate management. [src2]
- WLST sessions require the Admin Server to be running; if the Admin Server is down, use orapki for direct wallet manipulation. [src4]
Constraints
- Oracle-managed SaaS TLS certificates cannot be replaced, customized, or pinned by customers -- any integration that certificate-pins will break at the next 6-month renewal cycle.
- Outbound SSL calls from Fusion Applications require the external service's CA certificate chain to be present in fusion_trust.jks; missing intermediate certificates cause handshake failures even if the root CA is trusted.
- DER-encoded (binary) certificates cannot be imported via Fusion Middleware Control or WLST -- use orapki exclusively for DER format imports. [src4]
- All private keys within a single JKS keystore must share the same password; mixing passwords prevents key extraction. [src1]
- Self-service certificate import into fusion_trust.jks is only available from Oracle Fusion release 11.12.1.0.0+; earlier releases require a Service Request. [src5]
- OCI Certificates service does not support mixed certificate chains (RSA + ECDSA in the same chain). [src2]
Integration Pattern Decision Tree
START -- Certificate management for Oracle ERP Cloud
|-- What type of certificate operation?
|   |-- Inbound TLS (clients connecting to Oracle ERP)
|   |   |-- SaaS environment?
|   |   |   |-- YES --> Oracle-managed, no action needed (6-month auto-renewal)
|   |   |   +-- NO (on-prem/hybrid) --> Manage via WLST or FMW Control
|   |   +-- Need custom domain certificate?
|   |       |-- YES --> Not supported for SaaS; use OCI LB for custom domains
|   |       +-- NO --> Oracle default certificate applies automatically
|   |-- Outbound SSL (Oracle ERP calling external services)
|   |   |-- External CA already in fusion_trust.jks?
|   |   |   |-- YES --> No action needed
|   |   |   +-- NO --> Import CA cert via self-service or SR
|   |   |-- Need mutual TLS (two-way SSL)?
|   |   |   |-- YES --> Upload identity cert (.jks) to OIC + trust cert to target
|   |   |   +-- NO --> Trust certificate import only
|   |   +-- Using Oracle Integration Cloud (OIC) as middleware?
|   |       |-- YES --> Upload via OIC Console > Settings > Certificates
|   |       +-- NO --> Import directly into fusion_trust.jks
|   |-- OCI infrastructure certificates
|   |   |-- Need auto-renewal?
|   |   |   |-- YES --> Use OCI Certificates service with renewal policy
|   |   |   +-- NO --> Import third-party cert manually
|   |   +-- Load balancer SSL termination?
|   |       |-- YES --> Associate cert via OCI LB configuration
|   |       +-- NO --> Apply cert to specific OCI service
|   +-- Certificate rotation / renewal
|       |-- SaaS TLS renewal?
|       |   +-- Oracle handles automatically; re-download if using stored certs
|       |-- Integration partner certificates?
|       |   +-- Monitor expiry; re-import before expiration
|       +-- OCI managed certificates?
|           +-- Configure auto-renewal policy in OCI Certificates service
+-- Certificate format conversion needed?
    |-- PEM to JKS --> keytool -importcert
    |-- JKS to PKCS#12 --> orapki wallet jks_to_pkcs12
    |-- PKCS#12 to JKS --> orapki wallet pkcs12_to_jks
    +-- DER to PEM --> openssl x509 -inform der -outform pem
Quick Reference
Certificate Format Compatibility Matrix
| Format | fusion_trust.jks | OIC | Oracle Wallet | OCI Certificates | Notes |
|---|---|---|---|---|---|
| PEM (.pem, .crt) | Yes (Base64) | Yes (.cer, .crt) | Yes (orapki or WLST) | Yes | Most compatible format |
| DER (.der binary) | No (use orapki) | No | Yes (orapki only) | No | Convert to PEM first |
| JKS (.jks) | N/A (is a keystore) | Yes (identity certs) | Convert via orapki | No | Java-specific format |
| PKCS#12 (.p12, .pfx) | No (extract first) | No | Yes (native format) | No | Oracle Wallet native |
| PKCS#7 (.p7b) | No | No | Yes (chain import) | No | Certificate chain format |
| PKCS1/PKCS8 (keys) | N/A | Yes (signing keys) | N/A | N/A | OIC signing key upload |
Common keytool Commands
| Operation | Command | Notes |
|---|---|---|
| List certificates | keytool -list -keystore fusion_trust.jks -storepass <pwd> | View all trusted CAs |
| Import CA cert | keytool -importcert -alias <alias> -file ca.pem -keystore fusion_trust.jks | Add external CA trust |
| Export certificate | keytool -exportcert -alias <alias> -keystore fusion_trust.jks -file cert.pem -rfc | PEM format with -rfc flag |
| Delete certificate | keytool -delete -alias <alias> -keystore fusion_trust.jks | Remove expired/revoked cert |
| Check expiry | keytool -list -v -keystore fusion_trust.jks \| grep "Valid from" | Monitor expiration dates |
| Import PKCS#12 to JKS | keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -destkeystore dest.jks | Format conversion |
Step-by-Step Integration Guide
1. Determine your certificate scope and current state
Identify which certificate domain you are working with and what is currently configured. [src1, src3]
# For OCI infrastructure -- list certificates in your tenancy
oci certs-mgmt certificate list --compartment-id <compartment_ocid> --all
# For JKS keystore -- list contents
keytool -list -v -keystore fusion_trust.jks -storepass <password>
Verify: Check output for certificate aliases, expiry dates, and issuer chains. Any certificate expiring within 30 days needs attention.
2. Import a trust certificate for outbound integration
When Oracle ERP Cloud needs to call an external HTTPS endpoint whose CA is not already trusted, import the CA certificate chain. [src5]
# Download the external service's certificate chain as one PEM file per certificate
# (cert_1.pem is the leaf; cert_2.pem, cert_3.pem ... are the intermediate/root CAs the server sends)
openssl s_client -connect api.external-service.com:443 -servername api.external-service.com \
    -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/{n++} /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > ("cert_" n ".pem")}'
# Import the CA certificates into fusion_trust.jks
# (keytool -importcert stores a single certificate per file, so import them one at a time)
for f in cert_[2-9].pem; do
    keytool -importcert -alias "external-service-ca-${f%.pem}" -file "$f" \
        -keystore fusion_trust.jks -storepass <password> -noprompt
done
Verify: keytool -list -keystore fusion_trust.jks -storepass <password> should list one external-service-ca-cert_N alias per imported CA certificate.
3. Upload certificates to Oracle Integration Cloud (OIC)
For integrations routed through Oracle Integration Cloud, upload via the OIC Console. [src1]
Trust certificates (outbound SSL validation):
1. OIC Console > Settings > Certificates
2. Click Upload
3. Certificate Type: X.509 (SSL Transport)
4. Category: Trust
5. Enter alias name (e.g., "external-api-ca-2026")
6. Browse and select the .cer or .crt file
7. Click Upload
Identity certificates (mutual TLS / two-way SSL):
1. Same navigation
2. Certificate Type: X.509 (SSL Transport)
3. Category: Identity
4. Select .jks keystore file
5. Enter keystore password + key alias passwords
Verify: Certificate appears in OIC Certificates list with status "Active" and correct expiration date.
4. Configure OCI Certificates service for auto-renewal
For OCI infrastructure certificates, use the OCI Certificates service to enable automatic renewal. [src2]
# Issue a certificate with auto-renewal
oci certs-mgmt certificate create-by-generating-internally \
--compartment-id <compartment_ocid> \
--name "erp-api-endpoint" \
--certificate-config '{...}' \
--certificate-rules '[{"ruleType":"CERTIFICATE_RENEWAL_RULE","renewalInterval":"P90D","advanceRenewalPeriod":"P30D"}]'
Verify: oci certs-mgmt certificate get --certificate-id <cert_ocid> shows renewal rules and next scheduled date.
5. Handle Oracle SaaS TLS certificate renewal (6-month cycle)
Oracle automatically renews SaaS TLS certificates every 6 months. Update stored certificates after each renewal. [src3, src7]
# Check when the current Oracle SaaS certificate expires
openssl s_client -connect <instance>.oraclecloud.com:443 \
-servername <instance>.oraclecloud.com </dev/null 2>/dev/null \
| openssl x509 -noout -dates
# Download the new certificate after renewal
openssl s_client -connect <instance>.oraclecloud.com:443 -showcerts \
</dev/null 2>/dev/null | openssl x509 -outform PEM > oracle_new.pem
# Update your integration's trust store
keytool -delete -alias oracle-fusion-saas -keystore integration_trust.jks -storepass <pwd>
keytool -importcert -alias oracle-fusion-saas -file oracle_new.pem \
-keystore integration_trust.jks -storepass <pwd> -noprompt
Verify: Test the integration endpoint. A successful HTTPS connection confirms the new certificate is trusted.
Code Examples
Python: Monitor certificate expiry and alert
# Input: Oracle ERP Cloud hostname
# Output: Certificate expiry report with days-until-expiry
import datetime
import json
import socket
import ssl


def check_oracle_cert_expiry(hostname, port=443):
    """Open a TLS connection, read the server certificate and report days until it expires."""
    context = ssl.create_default_context()  # verifies the chain against the system trust store
    with socket.create_connection((hostname, port), timeout=10) as sock:
        # server_hostname sets SNI so the instance's own certificate is returned
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
    # ssl.cert_time_to_seconds parses the notAfter string exactly as getpeercert() returns it (GMT)
    not_after = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert['notAfter']), tz=datetime.timezone.utc)
    days_left = (not_after - datetime.datetime.now(datetime.timezone.utc)).days
    return {
        'hostname': hostname,
        'not_after': not_after.isoformat(),
        'days_until_expiry': days_left,
        'needs_renewal': days_left < 30,
        'critical': days_left < 7,
    }


if __name__ == '__main__':
    result = check_oracle_cert_expiry('instance.fa.us2.oraclecloud.com')
    print(json.dumps(result, indent=2))
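As an added example (not part of the original page): the live-endpoint checker above tells you about Oracle's certificate, while this companion grades what is already inside fusion_trust.jks or an integration trust store. It parses `keytool -list -v` output offline against the 30/14/7-day thresholds used in the Common Pitfalls section; the listing is constructed sample output, and the parser assumes the keystore was listed with TZ=UTC.

```python
import datetime
import re

# keytool -list -v prints one validity line per certificate, for example:
#   Valid from: Wed Jan 01 00:00:00 UTC 2025 until: Thu Jan 01 00:00:00 UTC 2026
_ALIAS = re.compile(r"^Alias name: (.+)$", re.MULTILINE)
_VALIDITY = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)
_DATE = re.compile(r"^\w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\d{4})$")

# Alert thresholds from the Common Pitfalls section, most severe first.
TIERS = ((7, "critical"), (14, "warning"), (30, "notice"))

# Constructed sample of `TZ=UTC keytool -list -v -keystore fusion_trust.jks` output (trimmed).
SAMPLE_LISTING = """\
Your keystore contains 4 entries

Alias name: external-service-ca
Owner: CN=External Root CA, O=Example
Valid from: Wed Jan 01 00:00:00 UTC 2025 until: Thu Jan 01 00:00:00 UTC 2026

Alias name: oracle-fusion-saas
Owner: CN=*.fa.us2.oraclecloud.com
Valid from: Fri Jun 20 00:00:00 UTC 2025 until: Sat Dec 20 00:00:00 UTC 2025

Alias name: legacy-partner-ca
Owner: CN=Legacy Partner CA
Valid from: Sun Dec 01 00:00:00 UTC 2024 until: Mon Dec 01 00:00:00 UTC 2025

Alias name: partner-root-2026
Owner: CN=Partner Root 2026
Valid from: Mon Dec 01 00:00:00 UTC 2025 until: Tue Dec 01 00:00:00 UTC 2026
"""
NOW = datetime.datetime(2025, 12, 15, tzinfo=datetime.timezone.utc)  # fixed "today" for the sample


def _parse_keytool_date(value: str) -> datetime.datetime:
    """Parse keytool's Java-style date. Assumption: the listing was produced with TZ=UTC,
    so any other zone token is rejected instead of being silently mis-read."""
    m = _DATE.match(value.strip())
    if not m or m.group(2) not in ("UTC", "GMT"):
        raise ValueError(f"run keytool with TZ=UTC; cannot interpret {value!r}")
    naive = datetime.datetime.strptime(f"{m.group(1)} {m.group(3)}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=datetime.timezone.utc)


def expiry_report(listing: str, now: datetime.datetime) -> list[dict]:
    """Grade every alias in a keytool -v listing, fewest days left first.
    For key entries that carry a chain, the first validity line is the entry's own certificate."""
    aliases = list(_ALIAS.finditer(listing))
    report = []
    for i, am in enumerate(aliases):
        end = aliases[i + 1].start() if i + 1 < len(aliases) else len(listing)
        vm = _VALIDITY.search(listing, am.end(), end)
        if not vm:
            continue  # e.g. a secretKeyEntry has no certificate
        not_after = _parse_keytool_date(vm.group(2))
        days_left = (not_after - now).days  # negative once the certificate has expired
        tier = "expired" if days_left < 0 else "ok"
        for threshold, name in TIERS:
            if 0 <= days_left < threshold:
                tier = name
                break
        report.append({"alias": am.group(1).strip(), "not_after": not_after.isoformat(),
                       "days_left": days_left, "tier": tier})
    return sorted(report, key=lambda r: r["days_left"])


def report_for_sample() -> list[dict]:
    """Run the report over the constructed listing with the fixed NOW."""
    return expiry_report(SAMPLE_LISTING, NOW)
```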
Bash: Certificate chain extraction and validation
#!/bin/bash
# Input: Oracle ERP Cloud hostname
# Output: Full certificate chain saved as PEM files
HOST="${1:-instance.fa.us2.oraclecloud.com}"
OUTPUT_DIR="./oracle_certs_$(date +%Y%m%d)"
mkdir -p "$OUTPUT_DIR"
openssl s_client -connect "$HOST:443" -servername "$HOST" \
-showcerts </dev/null 2>/dev/null > "$OUTPUT_DIR/full_chain.pem"
openssl s_client -connect "$HOST:443" -servername "$HOST" \
</dev/null 2>/dev/null | openssl x509 -outform PEM > "$OUTPUT_DIR/leaf.pem"
openssl x509 -in "$OUTPUT_DIR/leaf.pem" -noout -subject -issuer -dates
cURL: Quick SSL diagnostics
# Input: Oracle ERP Cloud instance URL
# Output: SSL handshake details and certificate info
curl -vvv --head "https://instance.fa.us2.oraclecloud.com/" \
2>&1 | grep -E "(SSL|TLS|subject|issuer|expire|CN)"
# Test with specific TLS version
curl --tlsv1.2 --head "https://instance.fa.us2.oraclecloud.com/" \
-w "HTTP Code: %{http_code}\nSSL Verify: %{ssl_verify_result}\n" \
-o /dev/null -s
Data Mapping
Certificate Format Conversion Reference
| Source Format | Target Format | Tool | Command | Gotcha |
|---|---|---|---|---|
| PEM | DER | openssl | openssl x509 -in cert.pem -outform DER -out cert.der | DER is binary; cannot paste into text fields |
| DER | PEM | openssl | openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem | Required before most Oracle tool imports |
| PEM | JKS | keytool | keytool -importcert -file cert.pem -keystore store.jks | Import CA chain in correct order |
| JKS | PKCS#12 | keytool | keytool -importkeystore -srckeystore in.jks -destkeystore out.p12 -deststoretype PKCS12 | PKCS#12 is Oracle Wallet native format |
| PKCS#12 | JKS | orapki | orapki wallet pkcs12_to_jks ... | orapki required; keytool alternative exists |
| PEM key + cert | PKCS#12 | openssl | openssl pkcs12 -export -in cert.pem -inkey key.pem -out bundle.p12 | Include -chain for full chain |
Data Type Gotchas
- Oracle Wallet files (ewallet.p12 and cwallet.sso) are PKCS#12 with Oracle-specific wrapper; standard tools may not read them -- use orapki. [src6]
- PEM files must not contain Windows-style CRLF line endings; Oracle tools on Linux/Unix reject them -- use dos2unix before import. [src4]
- Certificate serial numbers display as hexadecimal in Oracle tools but decimal in some CA portals -- convert before comparing. [src4]
Error Handling & Failure Points
Common Error Codes
| Error | Meaning | Cause | Resolution |
|---|---|---|---|
| SSLHandshakeException | SSL handshake failure | Missing or expired CA in trust store | Import CA certificate chain into fusion_trust.jks or OIC |
| PKIX path building failed | Chain validation failure | Intermediate CA missing | Import complete chain, not just leaf cert |
| ValidatorException | Certificate not trusted | Self-signed or unknown CA | Import CA cert to trust store |
| certificate_unknown alert | Server rejects client cert | Wrong client cert | Verify client cert matches server expectation |
| ORA-28759 | Wallet open failure | Wrong password or corrupted wallet | Verify password; recreate if corrupted |
| ORA-28864 | SSL connection closed | TLS version mismatch | Update client to TLS 1.2+ |
| Keystore tampered with | JKS integrity failure | Wrong password or corruption | Verify password; restore from backup |
| OIC upload fails | Format not recognized | Wrong extension or encoding | Convert to PEM; use .cer or .crt extension |
Failure Points in Production
- Silent outbound SSL failure: Outbound web service calls fail with a generic "connection refused" when the CA cert is missing from fusion_trust.jks. Fix: Test outbound connectivity after any certificate change with a simple REST call. [src5]
- 6-month renewal surprise: Partners who store Oracle's SaaS TLS certificate get unexpected failures after renewal. Fix: Never pin to the leaf certificate; trust the CA chain. Set calendar reminders for the 6-month cycle. [src3]
- Incomplete certificate chain: Importing only the leaf certificate causes validation failures. Fix: Download the full chain via openssl s_client -showcerts. [src4]
- JKS password mismatch: Different passwords per private key cause UnrecoverableKeyException. Fix: Use -keypass identical to -storepass when creating the JKS. [src1]
- Auto-login wallet permissions: cwallet.sso has no password; security depends on file permissions. Fix: Set permissions to 600, owned by the application user. [src4]
- TLS 1.3 cipher mismatch: After Release 24B enforcement, older clients fail. Fix: Update client libraries to TLS 1.2+ and verify cipher suite compatibility. [src7]
Anti-Patterns
Wrong: Certificate pinning to Oracle SaaS leaf certificate
# BAD -- pinning to the leaf cert that Oracle rotates every 6 months
openssl s_client -connect instance.oraclecloud.com:443 </dev/null 2>/dev/null \
| openssl x509 -outform PEM > pinned_cert.pem
# Hardcoding the SHA-256 fingerprint -- WILL break at next renewal
Correct: Trust the CA chain, not the leaf certificate
# GOOD -- trust the issuing CA chain, which persists across leaf renewals
# Write every certificate after the leaf (the intermediates and root the server sends) to its own file
openssl s_client -connect instance.oraclecloud.com:443 -servername instance.oraclecloud.com \
    -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/{n++} /BEGIN CERTIFICATE/,/END CERTIFICATE/{if (n > 1) print > ("oracle_ca_" n ".pem")}'
# One trusted entry per CA certificate (keytool -importcert stores a single certificate per file)
for f in oracle_ca_*.pem; do
    keytool -importcert -alias "oracle-${f%.pem}" -file "$f" \
        -keystore integration_trust.jks -storepass changeit -noprompt
done
Wrong: Importing only the leaf certificate for outbound trust
# BAD -- importing only the server's leaf certificate
keytool -importcert -alias external-api -file external_leaf_only.pem \
-keystore fusion_trust.jks -storepass <password>
# Breaks when the external service renews its leaf cert
Correct: Import the full CA chain for outbound trust
# GOOD -- split the chain the server sends into one file per certificate, then import the CAs
openssl s_client -connect api.external.com:443 -servername api.external.com \
    -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/{c++} /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > ("cert_" c ".pem")}'
# Import intermediate and root CAs (skip cert_1.pem, which is the leaf); one certificate per keytool call
for f in cert_[2-9].pem; do
    alias=$(openssl x509 -in "$f" -noout -subject -nameopt rfc2253 | sed 's/^subject=//')
    keytool -importcert -alias "$alias" -file "$f" \
        -keystore fusion_trust.jks -storepass <password> -noprompt
done
Wrong: Shared password across environments
# BAD -- same wallet password for dev and prod
orapki wallet create -wallet /prod/wallet -pwd Welcome1 -auto_login
orapki wallet create -wallet /dev/wallet -pwd Welcome1 -auto_login
Correct: Unique passwords per environment with vault storage
# GOOD -- unique passwords stored in secret manager
PROD_PWD=$(openssl rand -base64 32)
DEV_PWD=$(openssl rand -base64 32)
# Store in OCI Vault, then create wallets
orapki wallet create -wallet /prod/wallet -pwd "$PROD_PWD" -auto_login
orapki wallet create -wallet /dev/wallet -pwd "$DEV_PWD" -auto_login
Common Pitfalls
- Not monitoring certificate expiry: Integration certificates expire silently and the integration fails at 2 AM. Fix: Implement automated monitoring with alerts at 30, 14, and 7 days before expiry. [src2]
- Forgetting intermediate certificates: Modern CA chains have 2-3 intermediates; importing only the root CA causes failures. Fix: Extract and import the complete chain using openssl s_client -showcerts. [src4]
- CRLF line endings in PEM files: PEM files from Windows have \r\n endings, and Oracle tools on Linux reject them. Fix: Run dos2unix on PEM files before import. [src6]
- Self-signed certs in production: They work in dev but fail in prod, where the trust store lacks the self-signed cert. Fix: Use a recognized CA for all environments. [src4]
- Ignoring the 6-month SaaS renewal: The integration works for 6 months, then breaks. Fix: Trust the CA chain, not the leaf cert. Add Oracle's renewal schedule to your ops calendar. [src3]
- Wallet file permission errors: cwallet.sso relies on file permissions for security. Fix: Set to 600, owned by the application user. [src4]
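As an added example (not from the page or from Oracle's tooling), the following stdlib-only Python helper applies the Data Type Gotchas and the chain/CRLF pitfalls above to a certificate file before it reaches keytool: it re-frames DER input as PEM, rejects a PKCS#12 file passed off as a certificate, strips CRLF line endings, and splits a `-showcerts` bundle into one PEM string per certificate so each can get its own alias. The sample inputs in the test are constructed, and the function and file names are this example's own.

```python
import re
import ssl

# One PEM certificate block; DOTALL lets the match span the base64 body lines.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def _der_inner_tag(data: bytes):
    """Tag of the first element inside the outer DER SEQUENCE.

    An X.509 Certificate is SEQUENCE { SEQUENCE tbsCertificate, ... } (inner tag 0x30);
    a PKCS#12 PFX is SEQUENCE { INTEGER version, ... } (inner tag 0x02).
    """
    if len(data) < 3 or data[0] != 0x30:
        return None
    length_octet = data[1]
    # Short form: one length octet. Long form: 0x80 | number of following length octets.
    header_len = 2 if length_octet < 0x80 else 2 + (length_octet & 0x7F)
    return data[header_len] if len(data) > header_len else None


def normalize_certificate_file(data: bytes) -> list[str]:
    """Return the certificates in `data` as clean, LF-terminated PEM strings, one per certificate.

    DER input is re-framed as PEM (ssl.DER_cert_to_PEM_cert only base64-wraps, it does not
    validate), CRLF endings become LF, and a `-showcerts` bundle (with its 's:'/'i:' summary
    lines) is split so that each certificate can be imported under its own alias.
    """
    if not data:
        raise ValueError("empty certificate file")
    if b"-----BEGIN" not in data:
        inner = _der_inner_tag(data)
        if inner == 0x30:
            return [ssl.DER_cert_to_PEM_cert(data)]
        if inner == 0x02:
            raise ValueError("PKCS#12 keystore, not a certificate: extract the cert with openssl pkcs12 first")
        raise ValueError("no PEM block and not a DER certificate; file is truncated or the wrong type")
    # utf-8-sig drops a Windows BOM; CR and CRLF endings become LF.
    text = data.decode("utf-8-sig", errors="replace").replace("\r\n", "\n").replace("\r", "\n")
    certs = []
    for match in _PEM_BLOCK.finditer(text):
        # Strip per-line whitespace that CRLF conversion or copy-paste leaves behind.
        lines = [line.strip() for line in match.group(0).split("\n") if line.strip()]
        certs.append("\n".join(lines) + "\n")
    return certs


def chain_summary(certs: list[str]) -> dict:
    """Describe what importing these certificates achieves; a lone leaf is the classic mistake."""
    return {
        "count": len(certs),
        # A leaf alone fails with 'PKIX path building failed' as soon as the service renews it.
        "leaf_only": len(certs) == 1,
        "import_files": [f"cert_{i}.pem" for i in range(1, len(certs) + 1)],
    }
```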
Diagnostic Commands
# Check Oracle ERP Cloud endpoint certificate
openssl s_client -connect instance.fa.us2.oraclecloud.com:443 \
-servername instance.fa.us2.oraclecloud.com </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates -serial
# Test TLS version support (the SSL-Session block prints "Protocol  : TLSv1.2" with two spaces, so match loosely)
openssl s_client -connect instance.fa.us2.oraclecloud.com:443 \
    -tls1_2 </dev/null 2>/dev/null | grep "Protocol"
# List all certs in JKS keystore
keytool -list -v -keystore fusion_trust.jks -storepass <password>
# Verify a certificate chain
openssl verify -CAfile ca_chain.pem server_cert.pem
# List Oracle Wallet contents
orapki wallet display -wallet /path/to/wallet
# Check OCI for expiring certificates
oci certs-mgmt certificate list --compartment-id <ocid> \
--lifecycle-state ACTIVE --all
# Inspect a PEM certificate file
openssl x509 -in certificate.pem -text -noout
Version History & Compatibility
| Release | Date | Status | Certificate Changes | Migration Notes |
|---|---|---|---|---|
| 25A | 2025-02 | Current | TLS 1.3 support expanded | No breaking changes for TLS 1.2 clients |
| 24C | 2024-11 | Supported | OCI Certificates service enhancements | Auto-renewal rules now support custom intervals |
| 24B | 2024-08 | Supported | TLS 1.3 enforcement for new instances | Older TLS 1.0/1.1 clients must upgrade |
| 24A | 2024-02 | Supported | Certificate import self-service expanded | More formats accepted in OIC Console |
| 23D | 2023-11 | Supported | OCI Certificates improvements | Cert-to-LB association simplified |
| 11.12.1.0.0 | 2017 | Legacy | Self-service cert import for fusion_trust.jks | First release with customer-accessible trust store |
Deprecation Policy
Oracle Fusion Cloud follows a quarterly release cadence (24A, 24B, 24C, 25A). TLS protocol changes are announced at least one release in advance. TLS 1.0 and 1.1 have been deprecated since 2020 and are blocked on all Oracle Cloud endpoints. [src7]
When to Use / When Not to Use
| Use When | Don't Use When | Use Instead |
|---|---|---|
| Securing outbound calls from Oracle ERP to third-party APIs | Managing Oracle Autonomous Database mTLS wallets | Oracle ADB wallet rotation docs |
| Importing external CA certs into fusion_trust.jks | Configuring OAuth 2.0 API authentication | Oracle ERP Cloud REST API auth guide |
| Monitoring Oracle SaaS TLS certificate renewal cycles | Setting up OCI network security groups | OCI network security docs |
| Converting between PEM, JKS, PKCS#12, and Oracle Wallet | Managing SSH keys for OCI compute | OCI compute SSH key management |
| Setting up mutual TLS for high-security integrations | Configuring IDCS federation | IDCS federation configuration guide |
Important Caveats
- Oracle renews SaaS TLS certificates on a 6-month cycle, but the exact renewal date is not publicly announced -- monitor the notAfter date and plan within a 2-week window.
- The fusion_trust.jks keystore may be reset during quarterly updates -- verify custom imports after each release deployment.
- OCI Certificates auto-renewal only works for OCI-managed CA-issued certificates; imported certificates must be renewed manually.
- Certificate management interfaces vary across Oracle cloud services (Fusion Apps, OIC, OCI) -- there is no single unified console.
- All information reflects Oracle's documented behavior as of Release 25A. Certificate management capabilities are subject to change with each quarterly release.