ouch: orapki wallet remove throws “improperly specified input name” in 12c

February 9, 2015 — 3 Comments

some days ago we tried to remove a trusted certificate from an oracle wallet and this threw “improperly specified input name”.

test-case:
Download the certificate from this website

create the wallet:

orapki wallet create -wallet . -pwd "Welcome1"

add the certificate to the wallet:

orapki wallet add -wallet . -cert a.pem -trusted_cert -pwd "Welcome1"

then try to remove it:

orapki wallet remove -wallet . -dn 'CN=www.cenduitsolutions.com,OU=Cenduit LLC,O=Cenduit LLC,L=Durham,ST=North Carolina,C=US,2.5.4.17=27703,STREET=4825 Creekstone Drive,STREET=Suite 400,SERIAL_NUM=4312751,1.3.6.1.4.1.311.60.2.1.2=Delaware,1.3.6.1.4.1.311.60.2.1.3=US,2.5.4.15=Private Organization' -trusted_cert -pwd "Welcome1"
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

improperly specified input name: CN=www.cenduitsolutions.com,OU=Cenduit LLC,O=Cenduit LLC,L=Durham,ST=North Carolina,C=US,2.5.4.17=27703,STREET=4825 Creekstone Drive,STREET=Suite 400,SERIAL_NUM=4312751,1.3.6.1.4.1.311.60.2.1.2=Delaware,1.3.6.1.4.1.311.60.2.1.3=US,2.5.4.15=Private Organization

turned out that this is because of oracle bug (13773007) which seems to be there since 11gR1 although the error message is slightly different. only certificates for which “the DN includes a serial number attribute” seem to be affected.

the workaround is to do it this way:

orapki wallet remove -wallet . -alias 'CN=www.cenduitsolutions.com' -trusted_cert -pwd "Welcome1"
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

surprisingly the “-alias” switch seems not to be documented or at least is not listed in the orapki help output.
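the following helper is an added example, not part of the original post and not oracle code: given a subject DN as orapki prints it, it decides whether the removal should go through -alias or -dn. assumptions: the serial number attribute appears as SERIAL_NUM (as above), serialNumber or its OID 2.5.4.5, and the alias has the form CN=<common name>, which is what the single case above shows. the function names and PLAIN_DN are made up for the illustration.

```shell
#!/bin/sh
# Added example: pick the selector for `orapki wallet remove` from a subject DN.

# dn_has_serial DN -> exit 0 if one RDN is a serial number attribute.
# Splits on every comma, so escaped commas inside values are not handled.
dn_has_serial() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -Eiq '^[[:space:]]*(SERIAL_NUM|serialNumber|2\.5\.4\.5)='
}

# dn_common_name DN -> prints the value of the first CN attribute.
dn_common_name() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*[Cc][Nn]=//p' | head -n 1
}

# remove_selector DN -> prints the option and quoted value to hand to orapki.
# Assumption: the wallet alias is "CN=<common name>", as in the post.
remove_selector() {
    if dn_has_serial "$1"; then
        cn=$(dn_common_name "$1")
        if [ -z "$cn" ]; then
            echo "DN has a serial number but no CN; check the wallet by hand" >&2
            return 1
        fi
        printf '%s\n' "-alias 'CN=$cn'"
    else
        printf '%s\n' "-dn '$1'"
    fi
}

# DN from the post (affected: contains SERIAL_NUM).
POST_DN='CN=www.cenduitsolutions.com,OU=Cenduit LLC,O=Cenduit LLC,L=Durham,ST=North Carolina,C=US,2.5.4.17=27703,STREET=4825 Creekstone Drive,STREET=Suite 400,SERIAL_NUM=4312751,1.3.6.1.4.1.311.60.2.1.2=Delaware,1.3.6.1.4.1.311.60.2.1.3=US,2.5.4.15=Private Organization'
# Constructed DN without a serial number attribute (2.5.4.15 must not match).
PLAIN_DN='CN=test.example.com,O=Example Org,C=US,2.5.4.15=Private Organization'

remove_selector "$POST_DN"
remove_selector "$PLAIN_DN"
```

the printed option and value replace the -dn '...' part of the remove command shown above; wallet path, -trusted_cert and password stay as they are.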

3 responses to ouch: orapki wallet remove throws “improperly specified input name” in 12c

  1. Bill OShea

    Thanks for the article re: orapki wallet remove throws “improperly specified input name” in 12c. Saved me big time!

  2. Carl

    I found that by enclosing the DN name in double quotes instead of single quotes, it also worked :) e.g. “CN=www.cenduitsolutions.com,OU=Cenduit LLC….”

  3. Ron

    Had the same problem on an 11g server. The -alias workaround is good there too, thanks for the tip!
