Managing TLS certificates in Oracle Real Application Clusters (RAC) environments can be challenging, especially when dealing with multiple nodes and SCAN listeners. In this comprehensive guide, we'll walk through the complete process of renewing TLS certificates in an Oracle database wallet across a 3-node RAC cluster.
Whether you're a seasoned DBA or just starting with Oracle security, this step-by-step tutorial will help you navigate the certificate renewal process with confidence! 💪
📋 What You'll Need
Before we dive in, make sure you have:
- ✅ Access to all Oracle database servers
- ✅ Appropriate permissions to manage wallet certificates
- ✅ Oracle PKI tools installed
- ✅ New certificate files ready
- ✅ Backup strategy in place
🚀 Step-by-Step Certificate Renewal Process
1️⃣ Navigate to the Wallet Directory
First things first - let's get to our wallet location:
cd /opt/oracle/admin/testdb/TLS_testdb_wallet
2️⃣ Check Current Certificate Status 🔍
Let's see what we're working with:
[oracle@testdb-01 TLS_testdb_wallet]$ orapki wallet display -wallet .
Output:
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=testdb-scan.example.net,O=Example Corporation,ST=California,C=US
Trusted Certificates:
Subject: CN=Example RSA Certification Authority,O=Example CA Limited,L=San Francisco,ST=California,C=US
Subject: CN=AAA Certificate Services,O=Example CA Limited,L=San Francisco,ST=California,C=US
Subject: CN=Example RSA Organization Validation Secure Server CA,O=Example CA Limited,L=San Francisco,ST=California,C=US
3️⃣ Backup Before You Begin 💾
Always back up first! This is what makes a rollback possible:
[oracle@testdb-01 TLS_testdb_wallet]$ ls -lrt
Output:
total 44
-rw------- 1 oracle oinstall 0 Aug 14 2024 ewallet.p12.lck
-rw-r----- 1 oracle oinstall 8766 Aug 14 2024 ewallet.p12
-rw------- 1 oracle oinstall 0 Aug 14 2024 cwallet.sso.lck
-rw-r----- 1 oracle oinstall 8811 Aug 14 2024 cwallet.sso
-rw-r--r-- 1 oracle oinstall 1517 Aug 14 2024 T1
-rw------- 1 oracle oinstall 1048 Aug 14 2024 TESTDB-scan_export.crs
-rw-r--r-- 1 oracle oinstall 1964 Aug 14 2024 T2
-rw-r--r-- 1 oracle oinstall 2724 Aug 14 2024 U1
-rw-r--r-- 1 oracle oinstall 2159 Aug 14 2024 T3
-rw------- 1 oracle oinstall 0 Aug 28 2024 ewallet.txt
[oracle@testdb-01 TLS_testdb_wallet]$ cp U1 U1_bkp
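The cp above preserves only the PEM file U1. What orapki actually rewrites in the next two steps is ewallet.p12 (and, for an auto-login wallet, cwallet.sso), so a rollback needs those files too. The script below is an added example, not part of the original post: it snapshots the whole wallet directory into a timestamped, owner-only archive, records a SHA-256 manifest of the live files and verifies the archive against it before reporting success. GNU coreutils and tar are assumed; the destination directory is an assumption you can change.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): snapshot the entire wallet
# directory, not just U1, before orapki touches it. orapki wallet remove/add
# rewrite ewallet.p12 and, for an auto-login wallet, cwallet.sso, so those
# are the files a rollback needs. Assumes GNU coreutils (sha256sum, date) and tar.

# backup_wallet WALLET_DIR [DEST_DIR]
# Creates DEST_DIR/<wallet-name>_<UTC timestamp>.tar.gz (mode 0600) plus a
# SHA-256 manifest of the live files, then verifies the archive against the
# manifest. Prints the archive path on success, returns non-zero on failure.
# The body runs in a subshell so umask and cd do not leak into the caller;
# inside it, `exit 1` only leaves the subshell.
backup_wallet() (
    wallet_dir=${1%/}
    dest_dir=${2:-$(dirname "$wallet_dir")}
    [ -d "$wallet_dir" ] || { echo "no such wallet dir: $wallet_dir" >&2; exit 1; }
    [ -f "$wallet_dir/ewallet.p12" ] || { echo "ewallet.p12 missing in $wallet_dir" >&2; exit 1; }

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(basename "$wallet_dir")
    archive="$dest_dir/${name}_${stamp}.tar.gz"
    manifest="$dest_dir/${name}_${stamp}.sha256"

    umask 077                          # the archive holds the private key: owner-only
    ( cd "$wallet_dir" && sha256sum -- * ) > "$manifest" || exit 1
    tar -C "$(dirname "$wallet_dir")" -czf "$archive" "$name" || exit 1

    # Verify: extract to a scratch dir and re-check every hash before trusting it.
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive" || { rm -rf "$scratch"; exit 1; }
    ( cd "$scratch/$name" && sha256sum --quiet -c "$manifest" ) || { rm -rf "$scratch"; exit 1; }
    rm -rf "$scratch"
    echo "$archive"
)

# Usage: ./wallet_backup.sh /opt/oracle/admin/testdb/TLS_testdb_wallet [/backup/dir]
if [ $# -gt 0 ]; then backup_wallet "$@"; fi
```

Keep the archive and manifest as tightly permissioned as the wallet itself; restoring is a matter of extracting the archive over the wallet directory and restarting the listeners as described further down.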
4️⃣ Remove the Old Certificate 🗑️
Time to remove the expired certificate:
[oracle@testdb-01 TLS_testdb_wallet]$ orapki wallet remove -wallet /opt/oracle/admin/testdb/TLS_testdb_wallet -dn "CN=testdb-scan.example.net,O=Example Corporation,ST=California,C=US" -user_cert -pwd wallet_password
Output:
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
Verify certificate removal:
[oracle@testdb-01 TLS_testdb_wallet]$ orapki wallet display -wallet .
Output:
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
Subject: CN=testdb-scan.example.net,OU=IT,L=San Francisco,O=Example Corporation,ST=California
User Certificates:
Trusted Certificates:
Subject: CN=AAA Certificate Services,O=Example CA Limited,L=San Francisco,ST=California,C=US
Subject: CN=Example RSA Certification Authority,O=Example CA Limited,L=San Francisco,ST=California,C=US
Subject: CN=Example RSA Organization Validation Secure Server CA,O=Example CA Limited,L=San Francisco,ST=California,C=US
5️⃣ Add the New Certificate ✨
Now let's add our shiny new certificate:
[oracle@testdb-01 TLS_testdb_wallet]$ rm U1
[oracle@testdb-01 TLS_testdb_wallet]$ vi U1
# Edit U1 to include new certificate content
[oracle@testdb-01 TLS_testdb_wallet]$ orapki wallet add -wallet /opt/oracle/admin/testdb/TLS_testdb_wallet -user_cert -cert /opt/oracle/admin/testdb/TLS_testdb_wallet/U1 -pwd wallet_password
🔄 Service Restart Process
Node 1 (testdb-01) 🖥️
[oracle@testdb-01 TLS_testdb_wallet]$ cd /opt/app/19.3.0/grid/bin/
# Check listener status
[oracle@testdb-01 bin]$ ./srvctl status listener
Output:
Listener LISTENER is enabled
Listener LISTENER is running on node(s): testdb-02,testdb-03,testdb-01
# Restart node listener
[oracle@testdb-01 bin]$ srvctl stop listener -n testdb-01
[oracle@testdb-01 bin]$ srvctl start listener -n testdb-01
# Check SCAN listener status
[oracle@testdb-01 bin]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
# Restart SCAN listener and SCAN VIP
[oracle@testdb-01 bin]$ srvctl stop scan_listener -i 1
[oracle@testdb-01 bin]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is not running
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
[oracle@testdb-01 bin]$ srvctl stop scan -i 1
[oracle@testdb-01 bin]$ srvctl status scan
Output:
SCAN VIP scan1 is enabled
SCAN VIP scan1 is not running
SCAN VIP scan2 is enabled
SCAN VIP scan2 is running on node testdb-03
SCAN VIP scan3 is enabled
SCAN VIP scan3 is running on node testdb-02
[oracle@testdb-01 bin]$ srvctl start scan -i 1
[oracle@testdb-01 bin]$ srvctl start scan_listener -i 1
# Verify all services are running
[oracle@testdb-01 bin]$ srvctl status scan
Output:
SCAN VIP scan1 is enabled
SCAN VIP scan1 is running on node testdb-01
SCAN VIP scan2 is enabled
SCAN VIP scan2 is running on node testdb-03
SCAN VIP scan3 is enabled
SCAN VIP scan3 is running on node testdb-02
[oracle@testdb-01 bin]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
[oracle@testdb-01 bin]$ srvctl status listener
Output:
Listener LISTENER is enabled
Listener LISTENER is running on node(s): testdb-02,testdb-03,testdb-01
Copy Wallet to Remaining Nodes 📋
[oracle@testdb-01 testdb]$ cd /opt/oracle/admin/testdb
[oracle@testdb-01 testdb]$ ls -lrt
Output:
total 6388
drwx------ 2 oracle oinstall 6 Aug 2 2024 adump
-rw-r----- 1 oracle asmadmin 2179072 Aug 13 2024 controlfile_c-1107464156-20240813-00.bak
-rw-r----- 1 oracle asmadmin 2179072 Aug 14 2024 controlfile_c-1107464156-20240814-01.bak
drwxr-xr-x 3 oracle oinstall 17 Jul 10 16:25 wallet
-rw-r----- 1 oracle asmadmin 2179072 Jul 17 13:18 controlfile_c-1107464156-20250717-01.bak
drwxr-xr-x 2 oracle oinstall 4096 Jul 17 15:25 TLS_testdb_wallet
# Copy to Node 2
[oracle@testdb-01 testdb]$ scp -r TLS_testdb_wallet oracle@testdb-02:/opt/oracle/admin/testdb/
Output:
ewallet.p12.lck 100% 0 0.0KB/s 00:00
ewallet.p12 100% 8766 1.8MB/s 00:00
cwallet.sso.lck 100% 0 0.0KB/s 00:00
cwallet.sso 100% 8811 36.4MB/s 00:00
TESTDB-scan_export.crs 100% 1048 104.7KB/s 00:00
T1 100% 1517 2.8MB/s 00:00
T2 100% 1964 6.2MB/s 00:00
T3 100% 2159 6.6MB/s 00:00
ewallet.txt 100% 0 0.0KB/s 00:00
U1_bkp 100% 2724 11.7MB/s 00:00
U1 100% 2724 5.5MB/s 00:00
# Copy to Node 3
[oracle@testdb-01 testdb]$ scp -r TLS_testdb_wallet oracle@testdb-03:/opt/oracle/admin/testdb/
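A node left with a stale wallet keeps presenting the old certificate after its listeners restart, and the scp output alone does not prove the copies match. The script below is an added example, not from the original post: it compares SHA-256 checksums of ewallet.p12 and cwallet.sso (the files that hold the key and certificate) between the local wallet and each remote node. Passwordless ssh as oracle@node and the same wallet path on every node are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): confirm every RAC node holds
# the same wallet after the scp step. ssh access as oracle@<node> and an
# identical wallet path on all nodes are assumptions.

# wallet_fingerprint DIR : "sha256  name" for the two files that matter, sorted by name.
# T1..T3 and U1 are only the PEM inputs; ewallet.p12/cwallet.sso are the wallet itself.
wallet_fingerprint() {
    ( cd "$1" && sha256sum ewallet.p12 cwallet.sso ) | sort -k2
}

# wallets_match DIR_A DIR_B : 0 if both directories carry identical wallet files.
wallets_match() {
    [ "$(wallet_fingerprint "$1")" = "$(wallet_fingerprint "$2")" ]
}

# check_cluster WALLET_DIR NODE... : compare the local wallet with each remote
# node's copy at the same path; prints a verdict per node, returns 1 if any differ.
check_cluster() {
    wallet_dir=$1; shift
    local_fp=$(wallet_fingerprint "$wallet_dir")
    rc=0
    for node in "$@"; do
        remote_fp=$(ssh "oracle@$node" "cd '$wallet_dir' && sha256sum ewallet.p12 cwallet.sso | sort -k2")
        if [ "$remote_fp" = "$local_fp" ]; then
            echo "$node: wallet matches local copy"
        else
            echo "$node: wallet DIFFERS from local copy"; rc=1
        fi
    done
    return $rc
}

# Usage: ./wallet_compare.sh /opt/oracle/admin/testdb/TLS_testdb_wallet testdb-02 testdb-03
if [ $# -gt 1 ]; then check_cluster "$@"; fi
```

Run it from the node you edited on, after the scp and before restarting listeners on the other nodes; a DIFFERS line means that node is still serving the old certificate.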
Node 2 (testdb-02) 🖥️
# On testdb-02, we need to manage instance 3 based on the current distribution
[oracle@testdb-02 ~]$ srvctl stop listener -n testdb-02
[oracle@testdb-02 ~]$ srvctl start listener -n testdb-02
# Check SCAN listener instance on this node
[oracle@testdb-02 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
# Stop and start SCAN listener instance 3 (running on testdb-02)
[oracle@testdb-02 ~]$ srvctl stop scan_listener -i 3
[oracle@testdb-02 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is not running
# Stop and start SCAN VIP instance 3
[oracle@testdb-02 ~]$ srvctl stop scan -i 3
[oracle@testdb-02 ~]$ srvctl status scan
Output:
SCAN VIP scan1 is enabled
SCAN VIP scan1 is running on node testdb-01
SCAN VIP scan2 is enabled
SCAN VIP scan2 is running on node testdb-03
SCAN VIP scan3 is enabled
SCAN VIP scan3 is not running
[oracle@testdb-02 ~]$ srvctl start scan -i 3
[oracle@testdb-02 ~]$ srvctl start scan_listener -i 3
# Verify status
[oracle@testdb-02 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
[oracle@testdb-02 ~]$ srvctl status scan
Output:
SCAN VIP scan1 is enabled
SCAN VIP scan1 is running on node testdb-01
SCAN VIP scan2 is enabled
SCAN VIP scan2 is running on node testdb-03
SCAN VIP scan3 is enabled
SCAN VIP scan3 is running on node testdb-02
Node 3 (testdb-03) 🖥️
# On node testdb-03, manage instance 2
[oracle@testdb-03 ~]$ srvctl stop listener -n testdb-03
[oracle@testdb-03 ~]$ srvctl start listener -n testdb-03
# Check SCAN listener instance on this node
[oracle@testdb-03 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
# Stop and start SCAN listener instance 2 (running on testdb-03)
[oracle@testdb-03 ~]$ srvctl stop scan_listener -i 2
[oracle@testdb-03 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is not running
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
# Stop and start SCAN VIP instance 2
[oracle@testdb-03 ~]$ srvctl stop scan -i 2
[oracle@testdb-03 ~]$ srvctl start scan -i 2
[oracle@testdb-03 ~]$ srvctl start scan_listener -i 2
# Verify status
[oracle@testdb-03 ~]$ srvctl status scan
Output:
SCAN VIP scan1 is enabled
SCAN VIP scan1 is running on node testdb-01
SCAN VIP scan2 is enabled
SCAN VIP scan2 is running on node testdb-03
SCAN VIP scan3 is enabled
SCAN VIP scan3 is running on node testdb-02
[oracle@testdb-03 ~]$ srvctl status scan_listener
Output:
SCAN Listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node testdb-01
SCAN Listener LISTENER_SCAN2 is enabled
SCAN listener LISTENER_SCAN2 is running on node testdb-03
SCAN Listener LISTENER_SCAN3 is enabled
SCAN listener LISTENER_SCAN3 is running on node testdb-02
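Instance numbers do not follow node names (above, LISTENER_SCAN2 sits on testdb-03 and LISTENER_SCAN3 on testdb-02), so hard-coding the -i value is the easy mistake. The script below is an added example, not from the original post: it reads the srvctl status output to find which SCAN listener instance(s) a node currently hosts, then performs the same stop/start sequence as the sessions above and checks that each SCAN listener comes back. It assumes srvctl is on PATH for the user running it and that the updated wallet is already in place on that node.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): derive the SCAN listener
# instance number(s) placed on a node from `srvctl status scan_listener`
# instead of hard-coding 1/2/3, then bounce the node listener, SCAN listener
# and SCAN VIP in the order the post uses. Assumes srvctl is on PATH and that
# the new wallet has already been copied to this node.

# scan_instances_on_node NODE  (status text on stdin) -> instance numbers, one per line.
# Status lines look like: "SCAN listener LISTENER_SCAN1 is running on node testdb-01".
# A node may host more than one instance when another node is down, so all are returned.
scan_instances_on_node() {
    awk -v node="$1" '
        /is running on node/ && $NF == node {
            id = $3; sub(/^LISTENER_SCAN/, "", id); print id
        }'
}

# bounce_node_listeners NODE : restart the node listener, then every SCAN
# listener/VIP pair currently placed on NODE, verifying each comes back.
bounce_node_listeners() {
    node=$1
    srvctl stop listener -n "$node" && srvctl start listener -n "$node" || return 1
    instances=$(srvctl status scan_listener | scan_instances_on_node "$node")
    [ -n "$instances" ] || { echo "no SCAN listener on $node; nothing more to bounce"; return 0; }
    for i in $instances; do
        srvctl stop scan_listener -i "$i" || return 1
        srvctl stop scan -i "$i" || return 1
        srvctl start scan -i "$i" || return 1
        srvctl start scan_listener -i "$i" || return 1
        # A listener that could not open the new wallet shows up as "not running".
        srvctl status scan_listener | grep -q "LISTENER_SCAN$i is running on node" || {
            echo "LISTENER_SCAN$i did not come back on $node" >&2; return 1; }
    done
    srvctl status scan_listener
}

# Usage, one node at a time:  ./bounce_scan.sh "$(hostname -s)"
if [ $# -eq 1 ]; then bounce_node_listeners "$1"; fi
```

Because each node is handled only after the previous one is verified, at most one SCAN listener is down at any moment and clients keep connecting through the other two.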
✅ Validation and Testing
Initial Certificate Verification 🔍
Test your new certificates from a client machine:
user@client:~$ openssl s_client -connect testdb-01-vip.example.net:2484 </dev/null 2>/dev/null | openssl x509 -noout -text | egrep "DNS|After"
Output:
Not After : Jul 16 23:59:59 2026 GMT
DNS:testdb-scan.example.net, DNS:testdb-03-vip.example.net, DNS:testdb-03.example.net, DNS:testdb-02-vip.example.net, DNS:testdb-02.example.net, DNS:testdb-01-vip.example.net, DNS:testdb-01.example.net
Final Certificate Validation 🎯
After completing all nodes, perform comprehensive validation:
user@client:~$ openssl s_client -connect testdb-02-vip.example.net:2484 </dev/null 2>/dev/null | openssl x509 -noout -text | egrep "DNS|After"
Output:
Not After : Jul 16 23:59:59 2026 GMT
DNS:testdb-scan.example.net, DNS:testdb-03-vip.example.net, DNS:testdb-03.example.net, DNS:testdb-02-vip.example.net, DNS:testdb-02.example.net, DNS:testdb-01-vip.example.net, DNS:testdb-01.example.net
user@client:~$ openssl s_client -connect testdb-03-vip.example.net:2484 </dev/null 2>/dev/null | openssl x509 -noout -text | egrep "DNS|After"
Output:
Not After : Jul 16 23:59:59 2026 GMT
DNS:testdb-scan.example.net, DNS:testdb-03-vip.example.net, DNS:testdb-03.example.net, DNS:testdb-02-vip.example.net, DNS:testdb-02.example.net, DNS:testdb-01-vip.example.net, DNS:testdb-01.example.net
user@client:~$ openssl s_client -connect testdb-scan.example.net:2484 </dev/null 2>/dev/null | openssl x509 -noout -text | egrep "DNS|After"
Output:
Not After : Jul 16 23:59:59 2026 GMT
DNS:testdb-scan.example.net, DNS:testdb-03-vip.example.net, DNS:testdb-03.example.net, DNS:testdb-02-vip.example.net, DNS:testdb-02.example.net, DNS:testdb-01-vip.example.net, DNS:testdb-01.example.net
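The openssl checks above are read by eye. The script below is an added example, not from the original post, that turns them into pass/fail checks: it parses the Not After date and the SAN list, insists on a minimum number of days left, and confirms each endpoint presents the SCAN name and its own VIP name. The same parser can be run on the new U1 file before the `orapki wallet add` in step 5, so a certificate whose SAN lacks one of the VIP names never gets loaded in the first place. The hostnames and port 2484 are the post's; the script name, the 30-day threshold, GNU date for `date -d`, and the NOW_EPOCH override used for testing are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Checks a certificate's expiry and
# SAN coverage, either from a PEM file (pre-flight before `orapki wallet add`)
# or from a live listener (the post-renewal sweep). Hostnames and port 2484
# are the ones in the post; EXPECTED is the list to adjust for another cluster.
# Assumes GNU date (for `date -d`) and openssl on PATH.

EXPECTED="testdb-scan.example.net testdb-01-vip.example.net testdb-02-vip.example.net testdb-03-vip.example.net"

# days_until "Jul 16 23:59:59 2026 GMT" -> whole days from now (or $NOW_EPOCH, for tests) to that date
days_until() {
    end=$(date -u -d "$1" +%s) || return 1
    now=${NOW_EPOCH:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# check_cert_text MIN_DAYS NAME...   (output of `openssl x509 -noout -text` on stdin)
# Prints one ok/FAIL line per check; returns 1 if any check failed.
check_cert_text() {
    min_days=$1; shift
    text=$(cat)
    end=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p')
    [ -n "$end" ] || { echo "FAIL no 'Not After' field in certificate text" >&2; return 1; }
    days=$(days_until "$end") || return 1
    # Every DNS: entry from the Subject Alternative Name line, one per line.
    names=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    rc=0
    if [ "$days" -lt "$min_days" ]; then
        echo "FAIL expiry $end: $days days left, want at least $min_days"; rc=1
    else
        echo "ok   expiry $end: $days days left"
    fi
    for want in "$@"; do
        if printf '%s\n' "$names" | grep -Fqx "$want"; then
            echo "ok   SAN covers $want"
        else
            echo "FAIL SAN does not cover $want"; rc=1
        fi
    done
    return $rc
}

# check_cert_file FILE MIN_DAYS NAME... : pre-flight on the PEM you are about to load
check_cert_file() {
    file=$1; shift
    echo "== $file"
    openssl x509 -in "$file" -noout -text | check_cert_text "$@"
}

# check_endpoint HOST PORT MIN_DAYS NAME... : what a client actually receives
check_endpoint() {
    host=$1; port=$2; shift 2
    echo "== $host:$port"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | check_cert_text "$@"
}

# validate_cluster MIN_DAYS : every endpoint must present the SCAN name and its own name
validate_cluster() {
    min=${1:-30}; rc=0
    for host in $EXPECTED; do                      # intentional word splitting
        check_endpoint "$host" 2484 "$min" testdb-scan.example.net "$host" || rc=1
    done
    return $rc
}

# Usage:  ./certcheck.sh file /opt/oracle/admin/testdb/TLS_testdb_wallet/U1
#         ./certcheck.sh live
case "${1:-}" in
    file) check_cert_file "$2" 30 $EXPECTED ;;     # intentional word splitting
    live) validate_cluster 30 ;;
esac
```

A FAIL on a single VIP after the others pass usually means that node's listeners were restarted before the wallet copy landed, or not restarted at all; a FAIL on the SCAN name means one of the three SCAN listeners is still serving the old wallet, and the check is worth repeating a few times since SCAN connections are spread across all of them.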
💡 Pro Tips and Best Practices
SCAN Listener Management 🎯
Remember that instance numbers do not line up with node numbers; in this cluster the distribution was:
- LISTENER_SCAN1 (instance 1) → testdb-01
- LISTENER_SCAN2 (instance 2) → testdb-03
- LISTENER_SCAN3 (instance 3) → testdb-02
Always check current distribution before maintenance:
srvctl status scan_listener
Common Pitfalls to Avoid ⚠️
- Forgetting to back up - Always back up before changes!
- Wrong instance numbers - Check SCAN listener distribution first
- Incomplete wallet copying - Ensure all nodes have identical wallets
- Skipping validation - Always test certificates post-renewal
🎉 Conclusion
Congratulations! 🎊 You've successfully renewed your Oracle Database TLS certificates across a multi-node RAC environment. The new certificate is now active with an expiration date of July 16, 2026.
Key Achievements:
- ✅ Old certificate removed safely
- ✅ New certificate deployed across all nodes
- ✅ All listeners and SCAN services operational
- ✅ Certificate validation completed successfully
Next Steps:
- 📅 Set a calendar reminder for the next renewal (recommended: 30 days before expiry)
- 📝 Document any environment-specific variations
- 🔄 Consider automating this process for future renewals
Have questions about Oracle TLS certificate management? Drop a comment below.
Tags: #Oracle #Database #TLS #Security #RAC #Certificates #DBA #Administration