Oracle REST Data Services (ORDS) has recently been updated to release 26.1.0. This is a good opportunity for a short blog post covering how to use (self-signed) certificates with the ORDS container image on rootless Podman.
Create the certificate
The first step is to create a self-signed certificate. You can skip it if your certificate authority (CA) provides you with a certificate and key. ORDS requires the private key to be either an RSA key or PKCS#8 encoded; the openssl command below satisfies this, because openssl req -keyout writes the key as a PKCS#8 PEM block ("BEGIN PRIVATE KEY"). A key that does not meet the requirement raises an error during the ORDS bootstrap phase ("The provided key is not RSA or PKCS8 encoded").
```bash
openssl req \
  -newkey rsa:4096 -nodes \
  -keyout "${CERTS_DIR}/key.key" \
  -new -x509 -sha256 -days 365 \
  -out "${CERTS_DIR}/cert.crt" \
  -subj "${SUBJECT}" \
  -addext "subjectAltName=DNS:ords,DNS:localhost,IP:127.0.0.1,DNS:$(hostname)" \
  -addext "extendedKeyUsage=serverAuth" \
  -addext "keyUsage=digitalSignature,keyEncipherment"
```
This command should work on both macOS and Linux, as long as the openssl binary understands -addext (OpenSSL 1.1.1 or newer). In plain English, it creates a 4096-bit RSA key and a self-signed HTTPS certificate valid for one year, usable for localhost-style access, and saves both to disk. Because the certificate is self-signed, browsers and clients will not trust it by default: it is meant for local development and internal use, NOT production!
Provide a suitable SUBJECT and update the SAN (subjectAltName) entries to match your environment: every DNS name and IP address clients will use to reach ORDS must be listed there, otherwise hostname verification fails even if the client trusts the certificate. You also need to specify the target directory, CERTS_DIR.
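Before mounting anything, it is worth checking the generated (or CA-provided) material against the rules above. The following is an added example, not code from the post or from Oracle. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH and that the requirement quoted above holds: an unencrypted RSA key in PEM, either PKCS#8 ("BEGIN PRIVATE KEY") or traditional PKCS#1 ("BEGIN RSA PRIVATE KEY"). It also checks that the key belongs to the certificate, that the certificate has not expired, and that a DNS SAN exists for each name you pass; the sample RSA and EC pairs it generates are constructed test input.

```shell
#!/usr/bin/env sh
# Pre-flight check for the key/certificate pair before handing it to the
# ORDS container. Added example, not code from the post or from Oracle.
# Assumptions: openssl CLI (1.1.1+) on PATH; the rule quoted in the post:
# the key must be an unencrypted RSA key in PEM, either PKCS#8
# ("BEGIN PRIVATE KEY") or traditional ("BEGIN RSA PRIVATE KEY").

# ords_tls_check KEY CERT [HOSTNAME...]
# Prints "OK" and returns 0 when KEY and CERT look usable by ORDS;
# otherwise prints one "FAIL: ..." line and returns 1.
ords_tls_check() {
  key="$1"; cert="$2"; shift 2

  # 1. Is it an unencrypted RSA key? `openssl rsa` refuses EC/Ed25519 keys,
  #    and an empty -passin makes an encrypted key fail instead of prompting.
  if ! openssl rsa -in "$key" -passin pass: -noout >/dev/null 2>&1; then
    echo "FAIL: $key is not an unencrypted RSA private key"; return 1
  fi

  # 2. Is the PEM container one ORDS understands (PKCS#8 or traditional PKCS#1)?
  if ! grep -q -e '-----BEGIN PRIVATE KEY-----' -e '-----BEGIN RSA PRIVATE KEY-----' "$key"; then
    echo "FAIL: $key is not PKCS#8 or PKCS#1 PEM"; return 1
  fi

  # 3. Does the key belong to the certificate? Derive the SubjectPublicKeyInfo
  #    from each side and compare the two PEM blocks.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key does not match $cert"; return 1
  fi

  # 4. Is the certificate still valid, and does it carry a DNS SAN for every
  #    name clients will use? Without the SAN, hostname verification fails.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: $cert has expired"; return 1
  fi
  sans=$(openssl x509 -in "$cert" -noout -text | grep 'DNS:' || true)
  for h in "$@"; do
    case "$sans" in
      *"DNS:$h,"*|*"DNS:$h") ;;
      *) echo "FAIL: $cert has no DNS SAN for $h"; return 1 ;;
    esac
  done

  echo "OK"
}

# Constructed sample input: an RSA pair that ORDS accepts and an EC pair it
# rejects, written to a temporary directory whose path is printed.
make_demo_material() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/rsa.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$d/rsa.key" -sha256 -days 1 -subj "/CN=ords" \
    -addext "subjectAltName=DNS:ords,DNS:localhost" -out "$d/rsa.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
  openssl req -new -x509 -key "$d/ec.key" -sha256 -days 1 -subj "/CN=ords" \
    -addext "subjectAltName=DNS:ords" -out "$d/ec.crt" 2>/dev/null
  echo "$d"
}

# Stand-alone use: `sh ords-tls-check.sh ./certs/key.key ./certs/cert.crt ords localhost`
# With no arguments, run the constructed good and bad pairs through the check.
if [ "$#" -ge 2 ]; then
  ords_tls_check "$@"
else
  dir=$(make_demo_material)
  ords_tls_check "$dir/rsa.key" "$dir/rsa.crt" ords localhost || true   # OK
  ords_tls_check "$dir/ec.key"  "$dir/ec.crt"  ords || true             # FAIL: not an unencrypted RSA private key
  ords_tls_check "$dir/rsa.key" "$dir/ec.crt"  ords || true             # FAIL: key does not match cert
  rm -rf "$dir"
fi
```

Run it against CERTS_DIR after the openssl step; a non-zero exit tells you which of the four conditions failed before the container does, with its less specific bootstrap error. IP SANs are not checked here; extend the case pattern to "IP Address:" if you rely on them.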
Mount the certificates into the rootless podman container
With the certificates created, they need to be mounted into the container. Whether that works out of the box depends on whether SELinux is enabled and on how your local user ID is mapped into the container. A full description of the problem is beyond the scope of this article; this Red Hat blog post contains a great explanation.
The solution is the podman unshare command. podman unshare lets you temporarily enter the same user namespace that rootless containers use, so you can manipulate files with the same UID/GID mapping as the container: your own UID appears as root (UID 0) in that namespace, and the other IDs come from your subordinate ranges in /etc/subuid and /etc/subgid. The ORDS container runs as oracle:oinstall (UID/GID 54321), so a key file owned by your host user, readable only by its owner, shows up inside the container as owned by root and cannot be read by the ORDS process. Once you are in that namespace it is as simple as chown-ing the directory containing the certificates to 54321:54321.
After the podman unshare chown command has completed, you can use a volume mount to make the certificate and key available to ORDS. On hosts with SELinux in enforcing mode, add the :Z suffix to the volume option so the mounted directory gets a label the container is allowed to access.
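To see concretely what podman unshare chown does to the directory as seen from the host, here is an added example (not part of the post) that computes the host UID a container UID maps to from /etc/subuid. It assumes Podman's default rootless mapping: container UID 0 is your own UID, and container UIDs 1 and up are taken from your subordinate ranges in /etc/subuid in file order, which is the layout podman unshare cat /proc/self/uid_map reports. The subuid content it uses is constructed, not taken from a real host.

```shell
#!/usr/bin/env sh
# Which host UID ends up owning ./certs after `podman unshare chown 54321:54321`?
# Added example, not from the post. Assumes Podman's default rootless
# mapping: container UID 0 -> your own host UID; container UIDs 1..N -> the
# user's subordinate ranges from /etc/subuid, concatenated in file order.
# The same arithmetic applies to GIDs via /etc/subgid.

# host_uid_for USER HOST_UID CONTAINER_UID [SUBUID_FILE]
# Prints the host UID that CONTAINER_UID maps to, or "unmapped" (status 1)
# when the user's subordinate ranges are too small for it.
host_uid_for() {
  user="$1"; host_uid="$2"; cuid="$3"; subuid="${4:-/etc/subuid}"
  if [ "$cuid" -eq 0 ]; then
    echo "$host_uid"; return 0
  fi
  offset=$((cuid - 1))                 # container UID 1 is the first subordinate ID
  while IFS=: read -r name start count; do
    [ "$name" = "$user" ] || continue
    if [ "$offset" -lt "$count" ]; then
      echo $((start + offset)); return 0
    fi
    offset=$((offset - count))         # past this range, carry on with the next one
  done < "$subuid"
  echo unmapped; return 1
}

# Constructed /etc/subuid sample (not from a real host): alice has the usual
# single 65536-ID range, carol has two smaller ranges.
make_sample_subuid() {
  f=$(mktemp)
  printf 'alice:100000:65536\ncarol:200000:1000\ncarol:300000:1000\n' > "$f"
  echo "$f"
}

# Stand-alone: `sh uidmap.sh alice 1000 54321` reads the real /etc/subuid.
# With no arguments, walk the constructed sample instead.
if [ "$#" -eq 3 ]; then
  host_uid_for "$1" "$2" "$3"
else
  f=$(make_sample_subuid)
  host_uid_for alice 1000 54321 "$f"            # 154320: the owner `ls -ln ./certs` shows on the host
  host_uid_for carol 1000 1500 "$f"             # 300499: falls into carol's second range
  host_uid_for alice 1000 70000 "$f" || true    # unmapped: beyond alice's 65536 IDs
  rm -f "$f"
fi
```

The practical consequence: on the host, ls -ln ./certs shows the directory owned by a subordinate UID such as 154320, and your own user can no longer write to or remove it without entering the namespace again (podman unshare rm -rf ./certs). Keep that in mind when re-running the script, which refuses to reuse an existing CERTS_DIR.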
Putting it all together
A small script puts it all together. It takes two arguments:
- The subject to be passed to openssl
- The path to the directory where the certificates are to be stored. Defaults to ./certs
```bash
#!/usr/bin/env bash
set -euxo pipefail

# https://container-registry.oracle.com/ords/ocr/ba/database/ords
# requires the certificate and key to be named exactly as in the
# below command. Furthermore the key must either be RSA or PKCS8
# encoded. Else you get an error in this form
# [ords] | 2026-04-09T15:26:50.854Z SEVERE The provided key is not RSA or PKCS8 encoded
# [ords] | oracle.dbtools.standalone.StandaloneException: The provided key is not RSA or PKCS8 encoded

# global variables/parameters
SUBJECT=${1:-"/C=DE/ST=RPL/L=Frankfurt/O=acme/CN=ords"}
CERTS_DIR=${2:-"./certs"}

if [ -e "$CERTS_DIR" ]; then
  echo "ERR: ${CERTS_DIR} exists, aborting to avoid accidental data loss"
  exit 1
fi

# create the directory to hold the certificates
mkdir -p -- "${CERTS_DIR}"

# generate the key and the self-signed certificate
openssl req \
  -newkey rsa:4096 -nodes \
  -keyout "${CERTS_DIR}/key.key" \
  -new -x509 -sha256 -days 365 \
  -out "${CERTS_DIR}/cert.crt" \
  -subj "${SUBJECT}" \
  -addext "subjectAltName=DNS:ords,DNS:localhost,IP:127.0.0.1,DNS:$(hostname)" \
  -addext "extendedKeyUsage=serverAuth" \
  -addext "keyUsage=digitalSignature,keyEncipherment"

# make the directory accessible to rootless podman
# https://www.redhat.com/en/blog/user-namespaces-selinux-rootless-containers
# jump into the namespace and change the directory to be owned by oracle:oinstall
podman unshare chown 54321:54321 -R "${CERTS_DIR}"
```
Summary
It’s super easy to generate self-signed certificates for use with ORDS for local testing. The script shown in the article does all the hard work. Well, it’s not hard work, it’s knowing how things have to be done…
Please remember: self-signed certificates aren’t for production use!