Oracle® Application Server Certificate Authority Administrator's Guide 10g (9.0.4) Part Number B10663-01
This Appendix describes how to acquire and import a subordinate certificate authority (Sub CA), which is a CA whose certificate is signed by a higher CA. The Sub CA could be authorized by the original Oracle Application Server Certificate Authority (OCA) installed at a corporate headquarters, for use in a remote division, or it could be authorized (signed) by an entirely different certificate authority with a hierarchy and root unrelated to OCA.
The following summary gives an overview of the acquisition and import process:
As the administrator of OracleAS Certificate Authority, you obtain the Sub CA wallet and certificate by using Oracle Wallet Manager (OWM), or any similar third-party mechanism. The first step is to generate a PKCS#10 Certificate Request, usually by filling in a form. OWM uses the completed form to create the Request, a base64-encoded structure that contains the requester's distinguished name and public key and is signed with the corresponding private key, so that the issuing CA can confirm the requester holds that key. The Request is signed, not encrypted: its contents are readable by anyone, and it is the signature that proves possession of the key.
You then copy this Request from the OWM interface and paste it into the certificate issuance interface of the CA that will sign it. For OCA this is the Server/SubCA Certificates tab of the end-user interface, which returns a certificate request ID; this ID can be used to fetch and display the base64-format certificate once it has been approved and issued. For other CAs, follow the CA-specific procedures; in some cases the certificate is sent to your e-mail address.
Once the certificate is received, use OWM to add the CA that issued it as a trust point and then import the certificate itself as a user certificate (OWM must already hold the issuer's certificate before it accepts the user certificate). OWM stores the key pair and certificates in a PKCS#12-format wallet that can then be used as a Sub CA wallet.
OCA's administration tool has an import option to enable the administrator to import that stored SubCA wallet and certificate into an OCA instance running as a Subordinate CA. The import operation includes an automatic change of encryption and location to fit OCA's standard operations. The following sections of this Appendix describe all these steps:
The following steps tell you, as OCA administrator, how to generate a Sub CA wallet from the Oracle CA:
See Also:
Server/SubCA Certificates Tab in Chapter 7, "End-User Interface of the Oracle Application Server Certificate Authority"
Approving or Rejecting Certificate Requests in Chapter 3, "Introduction to OCA Administration and Certificate Management"
The steps in this section enable you to create a hierarchy of CAs. The wallet for the new Sub CA can be generated by OCA or by any X.509v3-compliant CA. Create it through Oracle Wallet Manager and import it immediately after the install, before any certificates are issued: importing the Sub CA wallet replaces the CA key, so any certificate issued before the import is signed by a key that is no longer the CA's and becomes invalid. Examples of third-party suppliers include iPlanet's Certificate Management System (CMS), Verisign, and others. To use a third-party certificate, the certificate must conform to the extension requirements of OCA as described in Appendix D, "Extensions".
Stop the OCA OC4J instance and Oracle HTTP Server first; the import must be run while OCA is not running:
$ORACLE_HOME/opmn/bin/opmnctl stopproc type=oc4j instancename=oca
$ORACLE_HOME/opmn/bin/opmnctl stopproc type=ohs
ocactl importwallet -type SUBCA
See Appendix A, "Command-Line Administration" for details. While importing the Sub CA wallet, ocactl checks that the correct bits are set in the certificate's extensions; the wallet can function as a Sub CA wallet only if they are. BasicConstraints must assert CA=TRUE, since a certificate without it cannot sign other certificates. KeyUsage must include DIGITAL_SIGNATURE, KEY_CERT_SIGN ("Certificate Signing"), CRL_SIGN and NON_REPUDIATION; all of these must be present.
Installing the Sub CA wallet will:
The password used for the new CA's wallet, provided in response to the command prompts, is the new CA's signing password. This password now becomes the password of the OCA Administrator.
This operation overwrites the corresponding earlier records in the OCA repository. Thus, the new Sub CA certificate, key, and password replace the old root CA certificate, key, and signing certificate password, respectively.
At this point, you must do the following steps, as root user:
ocactl generatewallet -type CASSL
This generated CA SSL wallet will be signed by the new Sub CA certificate.
ocactl convertwallet -format SSO
Restart the OCA and OHS processes stopped earlier, using opmn.
See Also:
The Oracle Application Server 10g Security Guide, particularly the Appendix on Managing PKI Credentials with Oracle Wallet Manager.
When a large organization has multiple geographical locations, it can be useful to get a Sub CA wallet from the Root CA and install that Sub CA in another OCA installation. The parent organization holding the Root CA wallet can issue Sub CA wallets to each subordinate organization or department. Each such Sub CA then acts as the certificate authority for its own location, managing the certificates specific to that organization. To prevent a Sub CA from issuing further Sub CA wallets, set the path length constraint (pathLenConstraint in the BasicConstraints extension) to zero when the Root CA issues that Sub CA's certificate: a Sub CA with path length 0 can issue end-entity certificates but not CA certificates.
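The three checks discussed above (that the PKCS#10 Request is a signed, readable object; that a candidate Sub CA certificate carries CA=TRUE plus the DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_CERT_SIGN and CRL_SIGN bits that ocactl importwallet looks for; and that a path length of 0 stops the Sub CA issuing further Sub CAs) worked through with OpenSSL, as an added example. This is not code from the Oracle guide, OWM or ocactl; the CA names, file names, the ca.cnf profiles and the check_subca_cert and subca_pathlen helpers are constructed for this example, and it runs against a throwaway two-level hierarchy it builds itself.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): build a toy Root CA -> Sub CA
# hierarchy with OpenSSL and check a candidate Sub CA certificate for the
# extension bits a Sub CA wallet needs. Names and paths are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles. sub_ca carries pathlen:0, so the Sub CA may issue
# end-entity certificates but not CA certificates; leaf is an ordinary server
# profile that must NOT be accepted as a Sub CA.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = root_ca
prompt = no

[ req_dn ]
CN = Example Root CA

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# 1. Self-signed Root CA, standing in for the headquarters OCA root.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. PKCS#10 request for the Sub CA. It is signed with the Sub CA's new private
#    key, not encrypted: -text would show the DN and public key in clear, and
#    -verify checks that self-signature, proving the requester holds the key.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Sub CA/OU=Remote Division" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
openssl req -config "$WORK/ca.cnf" -in "$WORK/sub.csr" -noout -verify 2>/dev/null

# 3. Root signs the Sub CA request with the sub_ca profile, and also issues a
#    plain leaf certificate for the negative check.
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.cnf" -extensions sub_ca \
  -out "$WORK/sub.pem" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=leaf.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# check_subca_cert FILE: succeed only if BasicConstraints asserts CA:TRUE and
# KeyUsage contains every bit the guide lists for a Sub CA wallet certificate.
check_subca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  # the usage list is printed on the line after the "X509v3 Key Usage" header
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
  for need in 'Digital Signature' 'Non Repudiation' 'Certificate Sign' 'CRL Sign'; do
    printf '%s\n' "$ku" | grep -q "$need" || return 1
  done
  return 0
}

# subca_pathlen FILE: print the pathLenConstraint, or "none" if the CA
# certificate carries no limit (and so could issue further Sub CAs).
subca_pathlen() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*pathlen:\([0-9]*\).*/\1/p' | grep . || echo none
}

# The Sub CA certificate must also chain to the root before it is imported.
openssl verify -CAfile "$WORK/root.pem" "$WORK/sub.pem" >/dev/null

check_subca_cert "$WORK/sub.pem"  && echo "sub.pem: usable as a Sub CA wallet certificate"
check_subca_cert "$WORK/leaf.pem" || echo "leaf.pem: rejected, not a CA certificate"
echo "sub.pem pathlen: $(subca_pathlen "$WORK/sub.pem")"
```

The same two helpers can be pointed at a certificate exported from a real Sub CA wallet (openssl pkcs12 -in wallet.p12 -nokeys) before running ocactl importwallet, which avoids discovering a missing CRL_SIGN bit only after the import has already replaced the CA key.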
The following steps enable you to generate and use a Sub CA wallet from Oracle Application Server Certificate Authority:
See Also:
The Oracle Application Server 10g Security Guide, particularly the Appendix on Managing PKI Credentials with Oracle Wallet Manager.
At this point you must copy the details of the certificate into OWM and then save that wallet, using the following steps:
As described in Chapter 6's section entitled Regenerating the CA SSL and CA SMIME Wallets, the CA SSL wallet is generated during installation. It enables Oracle Application Server Certificate Authority to listen in HTTPS mode, and it can be regenerated if necessary, to re-establish secure communications. Circumstances requiring such regeneration include a wallet becoming compromised or corrupted, or the CA wallet being regenerated, or a new Sub CA certificate being imported.
Generating the Sub CA SSL wallet is also done when OCA is not running, using this command:
ocactl generatewallet -type CASSL
This wallet is signed by the Sub CA and stored in the directory $ORACLE_HOME/oca/wallet/ssl, encrypted by the password requested during its generation.
Once you install a Sub CA, the CA that issued the existing CA SSL certificate no longer exists in this OCA instance: its key and certificate were replaced in the repository by the Sub CA's. Clients connecting to OCA trust the current CA certificate, so a CA SSL certificate issued by the previous CA no longer chains to anything they trust. Regenerate the CA SSL wallet after importing a Sub CA, and also whenever the CA SSL wallet is corrupted or compromised.
Similarly, after importing a Sub CA, the CA SMIME wallet issued by the prior CA is no longer valid. The CA SMIME wallet signs alerts and notifications when "Send SMIME E-Mails" is enabled on the Notification page of Configuration Management in the OCA Admin interface, so it must be regenerated as well. Use this command to generate the CA SMIME wallet:
ocactl generatewallet -type CASMIME
After generating the CA SSL and CA SMIME wallets, do the following steps:
Oracle Application Server Certificate Authority will now use the Sub CA certificate for signing certificate requests.
Copyright © 2002, 2003 Oracle Corporation. All Rights Reserved.