Autonomous AI Database DigiCert G1 Certificate Distrust on April 15, 2026

If you are using Autonomous AI Database, you have probably seen alerts almost every week about the announcement "Important Announcement for Autonomous AI Database Customers: DigiCert G1 Certificate Distrust on April 15, 2026".

Here are the quick steps to verify whether you are impacted and how to fix it.

Step 1: Identifying the Risk

You only need to take action if you meet all of the following criteria:

  1. Connection Type: You are using mTLS (Mutual TLS). This is the connection method where you provide a wallet.zip file to your application or tool (like SQL Developer, Python, or Java).
  2. Wallet Age: Your wallet was downloaded before January 28, 2026.
  3. Authentication Mode: Your database is configured for “mTLS” or “Both TLS and mTLS” and you aren’t currently using the walletless (TLS) path.

Step 2: How to Check Your Configuration

Follow these steps in the Oracle Cloud Infrastructure (OCI) Console:

  1. Log in to OCI: Navigate to Oracle AI Database > Autonomous AI Database.
  2. Check Network Access: Select your database instance and look at the Network section on the main Autonomous AI Database Information details page.
  3. Verify Authentication:
    • If Mutual TLS (mTLS) authentication is Required, every client connects with a wallet, so you are affected if that wallet is old.
    • If it says TLS and mTLS, you are only affected if specific applications are configured to use the wallet file.
  4. Check Wallet Date: On the file system of each application or server, check the “Date Modified” of cwallet.sso or of the original wallet.zip. If it is older than January 28, 2026, you must remediate. Note that a copy or extraction that did not preserve timestamps can make an old wallet look recent, so confirm with one of these other checks:
    • Look for the README file in the wallet ZIP. It records the download date and the SSL certificate expiration date.
    • Check the certificate expiry and issuer (a G1 issuer is affected, a G2 issuer is not) with the openssl command on <wallet_dir>/ewallet.pem.
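To take the inventory that steps 3 and 4 call for across many application hosts, here is an added Python script (not Oracle's tooling and not from the announcement): it walks a directory tree, records the modification time of every wallet file it finds, flags those older than the January 28, 2026 cutoff, and wraps the openssl issuer/expiry check for ewallet.pem. Assumptions: cwallet.sso, ewallet.pem and ewallet.p12 are the file names that mark a wallet directory (the first two are named above; the third is the PKCS#12 form shipped in the same zip), openssl prints the keys issuer and notAfter, and the two wallet directories created by build_sample_tree are constructed placeholders with chosen timestamps, not real wallets.

```python
"""Inventory Oracle wallet files on a host and flag those downloaded before the
January 28, 2026 cutoff. Added example, not Oracle's tooling."""
import os
import subprocess
import tempfile
from dataclasses import dataclass
from datetime import date, datetime, timezone
from pathlib import Path

# Wallets downloaded before this date carry the affected G1 chain (per the announcement).
CUTOFF = date(2026, 1, 28)
# File names assumed to identify an extracted Autonomous Database wallet directory.
WALLET_FILES = ("cwallet.sso", "ewallet.pem", "ewallet.p12")


@dataclass
class WalletFinding:
    path: Path        # wallet file that was examined
    modified: date    # file mtime as a UTC date (a proxy for the download date)
    stale: bool       # True when modified is before CUTOFF


def audit_wallets(root, cutoff=CUTOFF):
    """Walk `root` and return one WalletFinding per wallet file, sorted by path.

    Caveat: mtime only approximates the download date. A copy made without
    preserving timestamps (cp without -p, scp, a container COPY layer) carries the
    time of the copy, which can hide an old wallet. Treat a non-stale finding as
    "confirm via README or certificate", not as "safe".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in WALLET_FILES:
                p = Path(dirpath) / name
                modified = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc).date()
                findings.append(WalletFinding(p, modified, modified < cutoff))
    return sorted(findings, key=lambda f: str(f.path))


def openssl_cert_summary(pem_path):
    """Issuer and expiry of the first certificate in ewallet.pem, via openssl.

    Returns a dict such as {"issuer": "...", "notafter": "..."} or None when the
    openssl binary is not on PATH. An issuer naming the G1 root is the affected case.
    """
    cmd = ["openssl", "x509", "-in", str(pem_path), "-noout", "-issuer", "-enddate"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except FileNotFoundError:
        return None
    summary = {}
    for line in out.splitlines():           # lines look like "issuer=..." / "notAfter=..."
        key, _, value = line.partition("=")
        summary[key.strip().lower()] = value.strip()
    return summary


def build_sample_tree():
    """Constructed fixture: two placeholder wallet directories with chosen mtimes."""
    root = Path(tempfile.mkdtemp(prefix="wallet-audit-"))
    samples = {
        "app1/wallet/cwallet.sso": datetime(2025, 6, 1, tzinfo=timezone.utc),   # old
        "app2/wallet/ewallet.pem": datetime(2026, 2, 15, tzinfo=timezone.utc),  # fresh
        "app2/wallet/tnsnames.ora": datetime(2025, 6, 1, tzinfo=timezone.utc),  # not a wallet file
    }
    for rel, when in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder, not a real wallet")
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    for f in audit_wallets(build_sample_tree()):
        print(f"{'STALE' if f.stale else 'ok   '} {f.modified} {f.path}")
```

Point audit_wallets at the root your applications live under (for example /opt or /home) and feed every stale finding's ewallet.pem to openssl_cert_summary to confirm the issuer before scheduling the wallet swap.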

Step 3: Remediation

If you confirmed you are using an old mTLS wallet, follow these steps to update it. You do not need to rotate the wallet on the server side; you only need to update the client-side files.

1: Download the New Wallet
  1. In the OCI Console, go to your Autonomous AI Database Details page.
  2. Click Database Connection.
  3. Click Download Wallet.
  4. Enter a password for the wallet and save the zip file.
2: Replace the Wallet in Your Applications

Replace the old wallet with the new one in each integration point:

Java (JDBC):
# JDBC system properties (for example in ojdbc.properties or as -D flags): point the
# stores at the new wallet directory. keystore.jks and truststore.jks ship inside
# wallet.zip and are protected by the wallet password you chose at download time.
javax.net.ssl.trustStore=/new/path/wallet/truststore.jks
javax.net.ssl.trustStorePassword=wallet_password
javax.net.ssl.keyStore=/new/path/wallet/keystore.jks
javax.net.ssl.keyStorePassword=wallet_password
Python (python-oracledb):
import oracledb

connection = oracledb.connect(
    user="admin",
    password="your_password",
    dsn="your_dsn",
    wallet_location="/new/path/to/wallet_dir",  # Updated path
    wallet_password="wallet_password"
)
SQL*Plus / SQLcl:
# Set TNS_ADMIN to the new wallet directory so sqlnet.ora and tnsnames.ora are read from it
export TNS_ADMIN=/new/path/to/wallet_dir
sqlplus admin@your_service_name
Node.js (node-oracledb):
const oracledb = require('oracledb');

// Thick mode reads the wallet from configDir
oracledb.initOracleClient({
  configDir: '/new/path/to/wallet_dir'  // Updated path
});
Oracle Data Integrator / GoldenGate:
  • Re-import the new wallet into the credential store
  • Update all affected connection profiles

Better Permanent Fix

Oracle recommends switching to TLS (walletless) connections whenever possible. Switching from mTLS (wallet-based) to TLS (walletless) is the most permanent solution because it removes the dependency on local certificate files that expire or rotate. Two things change when you do: the server certificate is validated against the client platform's own trust store (Java's built-in truststore, for example) instead of the wallet, and the client no longer presents a certificate, so the database has to be protected by network controls instead, which is why the console only offers the setting when an ACL or private endpoint is in place.

  • mTLS requires wallet management
  • Certificates will expire again in the future, requiring repeated wallet rotations
  • Every app, tool, and service must be updated each time a new wallet is issued
  • This creates ongoing operational overhead and risk of outages

1. Enable TLS on the Database

Before changing your application code, you must ensure the database is configured to accept walletless connections.

  1. Log in to the OCI Console.
  2. Navigate to Oracle AI Database > Autonomous AI Database.
  3. Select your database instance.
  4. On the Instance Details page, look at the Network section.
  5. Find Mutual TLS (mTLS) authentication.
    • If it says Not Required, you are already set.
    • If it says Required, click Edit. If the Edit button is disabled, the database most likely has no access control list configured and accepts connections from any network location; walletless TLS is only allowed when network access is restricted, so set up an Access Control List first.
    • Network access must be through a private endpoint OR public access with an ACL (Access Control List).
    • Change the setting to Not Required (this allows both TLS and mTLS) and click Update.
2. Update Your Connection String

In a wallet-based (mTLS) setup, your connection string usually looks like a simple alias (e.g., db2024_high) because the details are hidden in the tnsnames.ora file inside your wallet.

For TLS (Walletless), you use a “Long Connection String” that includes the hostname and port.

How to get the TLS String:
  1. On the Database Details page, click Database Connection.
  2. In the Connection Strings table, change the “TLS Authentication” filter to TLS.
  3. Copy the connection string for your desired consumer group (e.g., high or medium). It will look like this:
     (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1521)(host=adb.us-ashburn-1.oraclecloud.com))(connect_data=(service_name=getattr_db_high.adwc.oraclecloud.com))(security=(ssl_server_dn_match=yes)))
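The console string has a fixed shape, and the easiest migration mistake is to ship a descriptor that still says (protocol=tcp), lacks ssl_server_dn_match, or still names a wallet directory. The following Python is an added example, not from this post and not part of python-oracledb: a small parser for Oracle Net's parenthesised syntax, a check that a descriptor meets the walletless requirements listed above (tcps, ssl_server_dn_match=yes, no wallet reference), and a builder that emits a string in the console's shape. Assumptions: the parameter name my_wallet_directory is what is searched for to detect a lingering wallet reference, and the port 1522 warning relies only on this post's own examples (1522 in the mTLS JDBC URL, 1521 in the TLS strings). The sample input is the TLS string quoted above.

```python
"""Parse an Oracle Net connect descriptor and check it for the walletless (TLS)
path. Added example; not from the post and not part of python-oracledb."""
from typing import Any, List, Optional, Tuple

Pairs = List[Tuple[str, Any]]   # value is a str or a nested Pairs list


def parse_descriptor(text: str) -> Pairs:
    """Parse '(key=value)(key=(nested...))' syntax into nested (key, value) pairs.
    Keys are lower-cased, values kept as written. Raises ValueError on bad nesting."""
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_list() -> Pairs:
        nonlocal pos
        items: Pairs = []
        while True:
            skip_ws()
            if pos >= len(text) or text[pos] != "(":
                return items
            pos += 1                                   # consume '('
            eq = text.find("=", pos)
            if eq < 0:
                raise ValueError(f"missing '=' after offset {pos}")
            key = text[pos:eq].strip().lower()
            pos = eq + 1
            skip_ws()
            if pos < len(text) and text[pos] == "(":
                value: Any = parse_list()              # nested parameter list
            else:
                close = text.find(")", pos)
                if close < 0:
                    raise ValueError(f"unterminated value for {key!r}")
                value = text[pos:close].strip()
                pos = close
            skip_ws()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' closing {key!r} at offset {pos}")
            pos += 1                                   # consume ')'
            items.append((key, value))

    items = parse_list()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return items


def lookup(items: Pairs, path: str) -> Optional[Any]:
    """First value at a dotted, case-insensitive path such as 'description.address.host'."""
    head, _, rest = path.lower().partition(".")
    for key, value in items:
        if key != head:
            continue
        if not rest:
            return value
        if isinstance(value, list):
            found = lookup(value, rest)
            if found is not None:
                return found
    return None


def check_walletless(dsn: str) -> dict:
    """Report whether `dsn` is a usable TLS (walletless) descriptor.

    Hard requirements follow the post's TLS string: protocol tcps, ssl_server_dn_match=yes,
    host and service present, and no wallet reference (assumed key: my_wallet_directory).
    Port 1522 is only a warning, based on the post's mTLS example using it."""
    d = parse_descriptor(dsn)
    protocol = str(lookup(d, "description.address.protocol") or "").lower()
    port = str(lookup(d, "description.address.port") or "")
    host = lookup(d, "description.address.host")
    service = lookup(d, "description.connect_data.service_name")
    dn_match = str(lookup(d, "description.security.ssl_server_dn_match") or "").lower()
    wallet_dir = lookup(d, "description.security.my_wallet_directory")
    problems, warnings = [], []
    if protocol != "tcps":
        problems.append(f"protocol is {protocol or 'missing'}; TLS needs tcps")
    if dn_match not in ("yes", "on", "true"):
        problems.append("ssl_server_dn_match=yes missing; server cert DN would not be checked")
    if wallet_dir:
        problems.append(f"descriptor still points at a wallet: {wallet_dir}")
    if not host or not service:
        problems.append("host or service_name missing")
    if port == "1522":
        warnings.append("port 1522 is the mTLS listener in the post's examples; TLS strings use 1521")
    return {"ok": not problems, "host": host, "port": port, "service": service,
            "problems": problems, "warnings": warnings}


def build_tls_dsn(host: str, service: str, port: int = 1521,
                  retry_count: int = 20, retry_delay: int = 3) -> str:
    """Assemble a walletless descriptor in the same shape as the console's TLS string."""
    return (f"(description=(retry_count={retry_count})(retry_delay={retry_delay})"
            f"(address=(protocol=tcps)(port={port})(host={host}))"
            f"(connect_data=(service_name={service}))"
            f"(security=(ssl_server_dn_match=yes)))")


# The TLS string quoted in the post, used here as sample input.
SAMPLE_TLS = ("(description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)"
              "(port=1521)(host=adb.us-ashburn-1.oraclecloud.com))(connect_data="
              "(service_name=getattr_db_high.adwc.oraclecloud.com))"
              "(security=(ssl_server_dn_match=yes)))")

if __name__ == "__main__":
    print(check_walletless(SAMPLE_TLS))
```

Run check_walletless over every descriptor you intend to ship; an entry with problems will either fail to negotiate TLS or skip checking the server's identity, which is the one protection the walletless path keeps once the client certificate is gone.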
3. Update Your Application Code

Replace your current connection logic with the new string. You no longer need to point to a TNS_ADMIN directory or a wallet folder.

Python (python-oracledb)
import oracledb

# BEFORE (mTLS)
connection = oracledb.connect(
    user="admin",
    password="your_password",
    dsn="your_dsn",
    wallet_location="/path/to/wallet",
    wallet_password="wallet_password"
)

# AFTER (TLS Walletless)
connection = oracledb.connect(
    user="admin",
    password="your_password",
    dsn="(DESCRIPTION=(RETRY_COUNT=20)(RETRY_DELAY=3)(ADDRESS=(PROTOCOL=TCPS)"
        "(PORT=1521)(HOST=<hostname>.adb.<region>.oraclecloud.com))"
        "(CONNECT_DATA=(SERVICE_NAME=<service>_high.adb.oraclecloud.com))"
        "(SECURITY=(SSL_SERVER_DN_MATCH=YES)))"
    # No wallet_location needed!
)
Java (JDBC)
// BEFORE (mTLS)
Properties props = new Properties();
props.setProperty("javax.net.ssl.trustStore", "/path/to/wallet/truststore.jks");
props.setProperty("javax.net.ssl.keyStore", "/path/to/wallet/keystore.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "wallet_password");
String url = "jdbc:oracle:thin:@tcps://<host>:1522/<service>?wallet_location=/path/to/wallet";

// AFTER (TLS Walletless)
String url = "jdbc:oracle:thin:@tcps://<host>:1521/<service>";
// The server certificate is validated against Java's built-in truststore, so no wallet properties are needed
Node.js (node-oracledb)
const oracledb = require('oracledb');

// BEFORE (mTLS): thick mode, wallet read from configDir
oracledb.initOracleClient({ configDir: '/path/to/wallet' });
const conn = await oracledb.getConnection({
  user: 'admin',
  password: 'your_password',
  connectString: 'your_tns_alias'
});

// AFTER (TLS Walletless)
// No initOracleClient wallet config needed!
const conn = await oracledb.getConnection({
  user: 'admin',
  password: 'your_password',
  connectString: '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=1521)'
    + '(HOST=<hostname>.adb.<region>.oraclecloud.com))'
    + '(CONNECT_DATA=(SERVICE_NAME=<service>_high.adb.oraclecloud.com))'
    + '(SECURITY=(SSL_SERVER_DN_MATCH=YES)))'
});

Note: All of the examples above show a hardcoded password, which is not best practice; they are written that way to keep the focus on the connection changes. To protect the password and keep it out of application code, always use one of the following:

  • OCI Vault + Instance Principal: For OCI-hosted apps
  • OCI Vault + API Key: For OCI apps, external clients
  • Oracle wallet (mkstore): SQL*Plus, batch programs, scripts
  • Environment variables: Containers, CI/CD