Setup Let’s Encrypt SSL/TLS & Oracle Rest Data Services

Oracle Database Cloud Service (in Oracle Cloud Infrastructure – Classic) comes with APEX and Oracle Rest Data Services (ORDS) ready and raring to go. ‘

Specifically, this “guide” pertains to ORDS running in standalone mode on Oracle DBCS in OCI-Classic. Standalone mode uses the embedded http server “Jetty”. If you’re using Tomkat or Weblogic then check the appropriate documentation on how to use SSL certs.

By default, it ORDS in Oracle DBCS is listening on port 443 (SSL/TLS) but is using a self-signed certificate. This may be ok for internal uses – i.e. the Database or ORDS is not exposed to the outside world, but if you need to connect other cloud services like Oracle Stream Analytics, a real SSL/TLS cert is required. Required in this sense means that Stream Analytics will not allow a connection to be created to ORDS unless is it using a certificate that is signed by a trusted provider like Verisign or Thawte.

Getting an SSL certificate is out of the scope of this post, but they are reasonably easy to acquire. Services like Lets Encrypt make SSL certs available for free – the caveat is that they expire every 90 days.

For the purposes of this guide – my DBCS hostname is and am putting my certificates and keys in /home/oracle/ords_ssl. Change these as appropriate.

However you get your cert, you need three files to use ORDS:

  • A private key – in my case
  • the full chain for the certificate – – (this is particularly important when using a Let’s Encrypt certificate
  • the SSL/TLS certificate itself – – this can be used in lieu of the full chain certificate. When using Let’s Encrypt – it seems better to use the full chain however as the intermediate and root certificates are also included

If you get the above files in PEM format, then you need to convert them to DER format when running ORDS in standalone mode.

To convert the private key to DER format, use the following OpenSSL command

openssl pkcs8 -topk8 -inform PEM -outform DER -in -out -nocrypt

To convert the certificate to DER format, use the following.

openssl x509 -inform PEM -outform DER -in -out

The same command can be used to convert the full chain file if you choose to use that

openssl x509 -inform PEM -outform DER -in -out

Edit the /u01/app/oracle/product/ords/conf/ords/standalone/ file to update the following parameters to point to the converted certificates.

Obviously, replace the path and file name as appropriate.


Finally, restart ORDS using /etc/init.d/ords restart

When you browse to you should now see that the page is secured with a trusted certificate rather than the self-signed one it was using before.