To Request a CA-Signed Certificate for Directory Proxy Server (Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition)

Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Previous: To Create a Non-default Self-Signed Certificate for Directory Proxy Server
Next: To Install a CA-Signed Server Certificate for Directory Proxy Server

To Request a CA-Signed Certificate for Directory Proxy Server

Self-signed certificates are useful for test purposes. However, in a production environment, using trusted Certificate Authority (CA) certificates is more secure.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Request a CA-signed server certificate.

$ dpadm request-cert instance-path cert-alias

where cert-alias is the name of the certificate that you are requesting. Certificate Authorities might require all of the options of the command to identify the server. For a description of all command options, see the dpadm(1M) man page.

The process for obtaining a CA certificate depends on the CA that you use. Some commercial CAs provide a web site that allows you to download the certificate. Other CAs will send the certificate to you in email.

For example, you could request a certificate called my-CA-signed-cert as follows:

$ dpadm request-cert -S cn=my-request,o=test /local/dps my-CA-signed-cert
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBYDCBygIBADAhMQ0wCwYDVQQDEwRnZXJpMRAwDgYDVQQDEwdteWNlcnQ0MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQC3v9ubG468wnjBDAMbRrEkmFDTQzT+LO30D/ALLXOiElVsHrtRyWhJ
PG9cURI9uwqs15crxCpJvho1kt3SB9+yMB8Ql+CKnCQDHlNAfnn30MjFHShv/sAuEygFsN+Ekci5
W1jySYE2rzE0qKVxWLSILFo1UFRVRsUnORTX/Nas7QIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
fcQMnZNLpPobiX1xy1ROefPOhksVz8didY8Q2fjjaHG5lajMsqOROzubsuQ9Xh4ohT8kIA6xcBNZ
g8FRNIRAHCtDXKOdOm3CpJ8da+YGI/ttSawIeNAKU1DApF9zMb7c2lS4yEfWmreoQdXIC9YeKtF6
zwbn2EmIpjHzETtS5Nk=
-----END NEW CERTIFICATE REQUEST-----

When you request a certificate by using the dpadm request-cert command, the certificate request is a PKCS #10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is the format specified by RFCs 1421 through 1424. For more information, see http://www.ietf.org/rfc/rfc1421.txt. The PEM format represents a base64-encoded certificate request in ASCII format.

When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.

Save the certificate request for future reference. You may need it while renewing the certificate.

Send the certificate request to the CA, according to its procedures.

After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the response time can be short. However, if the CA is external to your company, the CA can take several weeks to respond to your request.

Save the certificate that you receive from the CA.

Save your certificate in a text file, and back up the certificate in a safe location.