Skip Headers
Oracle® Application Server Certificate Authority Administrator's Guide
10g (

Part Number B15989-01
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

B Setting up a CA Hierarchy

This Appendix describes how to acquire and import a subordinate certificate authority, which is a CA whose certificate is signed by some higher CA authority. This Sub CA could be authorized by the original Oracle Application Server Certificate Authority installed at a corporate headquarters, for use in a remote division. Or the new Sub CA could be authorized by (signed by) an entirely different certificate authority with a hierarchy and root different from OracleAS Certificate Authority.

The following summary gives an overview of the acquisition and import process:

As the administrator of OracleAS Certificate Authority, you obtain the Sub CA signing wallet and certificate by using Oracle Wallet Manager (OWM), or any similar third party mechanism. The first step is to generate a PKCS#10 certificate request, usually by filling in a form. OWM uses the completed form to create the request, which is an encrypted body of text containing all the supplied information necessary to authenticate the requesting entity.

See Also:

Oracle Advanced Security Administrator's Guide

You then copy this request from the OWM interface and paste it into the Certificate Issuance interface provided by the third party, receiving a certificate request ID. This ID can be used to fetch and display the BASE64 format certificate when it is issued. For other CAs, follow the CA-specific procedures. In some cases, the certificate is sent to your mail ID.

Once the certificate is received, use OWM to import it as a user certificate and add the CA that issued it as a trust point. After the certificate is approved, OWM stores it in a PKCS#12-format wallet that can then be used as a Sub CA signing wallet.

OracleAS Certificate Authority's administration tool has an import option to enable the administrator to import that stored SubCA signing wallet and certificate into an OracleAS Certificate Authority instance running as a Subordinate CA. The import operation includes an automatic change of encryption and location to fit OracleAS Certificate Authority's standard operations. The following sections of this Appendix describe these steps:

B.1 Generating a Sub CA Signing Wallet

The following steps tell you, as OracleAS Certificate Authority administrator, how to generate a Sub CA signing wallet:

  1. Use Oracle Wallet Manager or a third-party tool to generate a PKCS#10 request.

  2. Using OracleAS Certificate Authority's Server/Sub CA enrollment form, submit the PKCS#10 request and select CA Signing as the certificate usage.

  3. Using the OCA Administration form, issue the Sub CA certificate. (If a third party enrollment was used, await certificate notification.)

  4. After approving that certificate (or receiving approval notification from the third-party issuer, if you used one), go to the Server/Sub CA enrollment form and click Save CA Certificate. An Advanced button will appear. Clicking Advanced will show the CA certificate along with the trust points, if any, displayed under the CA chain in PKCS#7 format.

  5. Copy the BASE64 certificate of the CA from the screen, go to Oracle Wallet Manager, and import that certificate as a Trusted certificate into OWM. If there are any trust points along with the CA, copy them one by one into Oracle Wallet Manager, using OWM's Import Trusted Certificate option.

    See Also:

    Oracle Advanced Security Administrator's Guide

  6. Using the Server/Sub CA enrollment form, get the certificate details by giving the serial number or the common name of the Sub CA. Click View Details to view the Sub CA certificate in BASE64 format.

  7. Copy the BASE64 format of the Sub CA certificate and import it into OWM as a user certificate.

  8. Use OWM to save the Sub CA signing wallet to a file destination of your own choice.

B.2 Installing and Using the New Sub CA Signing Wallet

The steps in this section enable you to create a hierarchy of CAs. The wallet for the new Sub CA can be generated by OCA or by any X.509v3-compliant CA. It should be created through Oracle Wallet Manager immediately after the install and before any certificates are issued. Otherwise, such certificates become invalid after the new Sub CA is installed. Examples of third-party suppliers include iPlanet's Certificate Management System (CMS), Verisign, or others. To use a third party certificate, the certificate must conform to the extension requirements of OracleAS Certificate Authority as described in Appendix D, "Extensions".

  1. Install Oracle Application Server Certificate Authority, which will create an OracleAS Certificate Authority repository, create the password store, and create the Root CA signing wallet and the CA SSL wallet.


    The OracleAS Certificate Authority schema in one repository can only be used with one OCA.When installing another OracleAS Certificate Authority instance, you must not choose a repository that has been used to install an earlier OCA: the OCA configuration tool will fail.This failure will force you to exit and restart the whole installation.

  2. Stop OC4J and Oracle HTTP Server (Apache) if they are running, using these commands:

    $ORACLE_HOME/opmn/bin/opmnctl stopproc type=oc4j instancename=oca
    $ORACLE_HOME/opmn/bin/opmnctl stopproc type=ohs
  3. Install the Sub CA signing wallet using the following command:

    ocactl importwallet -type SUBCA 

    See Also:

    Appendix A, "Command-Line Administration" for details. For example, while importing the Sub CA signing wallet, ocactl ensures that the correct bits are set for the right extensions. The wallet can function as a Sub CA signing wallet only if the correct bits are set. BasicConstraintsExtension must show DIGITAL_SIGNATURE. KeyUsageExtensions must show KEY_CERT_SIGN ("Certificate Signing"), CRL_SIGN and NON_REPUDIATION: all three must be present.


    If importwallet gives an error message, import the certificate into your browser and view its details to see the error, which in Internet Explorer will be that one of those two subject types will fail to have the indicated necessary terms.

    Installing the Sub CA signing wallet will:

    1. Prompt for the existing administrator's password, for the directory where the wallet for the new Sub CA (ewallet.p12) is stored, and for that wallet's password.

      The password used for the new CA's wallet, provided in response to the command prompts, is the new CA's signing password. This password now becomes the password of the OracleAS Certificate Authority Administrator.

    2. Fetch the new Sub CA's certificate, private key, and serial number from that wallet, and store them in the OracleAS Certificate Authority repository.

      This operation overwrites the corresponding earlier records in the OracleAS Certificate Authority repository. Thus, the new Sub CA certificate, key, and password replace the old root CA certificate, key, and signing certificate password, respectively.

    3. Update the current Serial number of the Sub CA certificate, so that certificates issued by this Sub CA will have serial numbers greater than the serial number of the Sub CA certificate. Also, any administrator certificate issued by the old CA is removed from the password store.

At this point, you must do the following steps, as root user:

  1. Generate a new CA SSL wallet, since the existing CA SSL was signed by the prior CA. Use the following command

    ocactl generatewallet -type CASSL. 

    This generated CA SSL wallet will be signed by the new Sub CA certificate

  2. Convert this wallet to OracleAS Single Sign-On format using the following command

    ocactl convertwallet -format SSO 
  3. Start HTTP Server by using the command-line tool opmn.

  4. Start OC4J using the same command-line tool.

  5. Start OracleAS Certificate Authority, which will now use the new Sub CA certificate for signing all future certificate requests.

    See Also:

    Oracle Advanced Security Administrator's Guide

B.2.1 Configuring an OracleAS Certificate Authority Instance to Be a Subordinate CA of Another CA

When a huge organization has multiple geographical locations, it can be useful to get a Sub CA signing wallet from the Root CA and install that Sub CA in another OracleAS Certificate Authority installation. The parent organization with the Root CA signing wallet can issue Sub CA signing wallets to each subordinate organization or department. Each such Sub CAs will act as the Certificate Authority CA in its respective location to manage certificates specific to that organization. Preventing a Sub CA from issuing another Sub CA signing wallet can be done by setting the path length when that Sub CA's wallet is issued by Root CA.

The following steps enable you to generate and use a Sub CA signing wallet from OracleAS Certificate Authority:

  1. Create a new wallet and generate a PKCS#10 certificate request using Oracle Wallet Manager (OWM). Copy the request for submission to OracleAS Certificate Authority.

    See Also:

    Oracle Advanced Security Administrator's Guide

  2. Using the Server/Sub CA enrollment form of the user interface described in Chapter 8, paste in the PKCS#10 request you generated with OWM and select certificate usage as CA signing.

  3. Using the OracleAS Certificate Authority Administrative form in the administrative interface described in Chapter 4, issue a Sub CA certificate. Specify its path-length, that is, the number of levels of Sub CAs that it can have.

  4. After that approval, go back to the Server/Sub CA enrollment form and click Save CA Certificate, which will show the CA certificate along with its ancestors, if there are any.

  5. Click Advanced to show the BASE64-encoded certificates.

  6. Copy the BASE64 certificate of the CA from the screen and import it as a Trusted certificate into Oracle Wallet Manager. If the CA is a subordinate CA in a hierarchy of CA's, all the CA's in the hierarchy must be imported into OWM. Copy them one by one into Oracle Wallet Manager using its Import Trusted Certificate option.

At this point you must copy the details of the certificate into OWM and then save that wallet, using the following steps:

  1. Using the Server/Sub CA enrollment form, use the serial number or the common name of the Sub CA to find this particular certificate.

    1. To use the serial number, click its radio button on the left to select it and then click the hypertext link on the right, to display it.

    2. To use the common name, you enter it, click Go, and select the desired certificate from those listed.

  2. Click View Details to view the Sub CA certificate in BASE64 format.

  3. Copy that BASE64 format of the Sub CA certificate and import it into Oracle Wallet Manager as a user certificate.

  4. Save the Sub CA signing wallet using Oracle Wallet Manager. The wallet will be stored as ewallet.p12.

B.2.2 Generating CA SSL and CA SMIME Wallets for a Sub CA

As described in Chapter 7 in the section entitled "Regenerating the CA SSL and CA S/MIME Wallets", the CA SSL wallet is generated during installation. It enables OracleAS Certificate Authority to listen in HTTPS mode, and it can be regenerated if necessary, to reestablish secure communications. Circumstances requiring such regeneration include a wallet becoming compromised or corrupted, or the CA signing wallet being regenerated, or a new Sub CA certificate being imported.

Generating the Sub CA SSL wallet is also done when OracleAS Certificate Authority is not running, using this command:

ocactl generatewallet -type CASSL

This wallet is signed by the Sub CA and stored in the directory $ORACLE_HOME/oca/wallet/ssl, encrypted by the password requested during its generation.

Once you install a Sub CA, the earlier CA that issued the SSL certificate no longer exists. Clients connecting to OracleAS Certificate Authority will trust the current CA certificate. The CA SSL issued by the previous CA is not trusted, so you should regenerate the CA SSL certificate after importing a Sub CA or after a CA SSL wallet is corrupted or compromised.

Similarly, after importing a Sub CA, the CA SMIME wallet previously issued by the prior CA is no longer valid. The CA SMIME wallet must be generated to sign alerts and notifications when "Send SMIME E-Mails" is enabled in the Notification page of Configuration Management in OracleAS Certificate Authority Admin page. Use this command to generate the CA SMIME wallet:

ocactl generatewallet -type CASMIME

After generating the CA SSL and CA SMIME wallets, do the following steps:

  1. Start OC4J and HTTP Server.

  2. Start OracleAS Certificate Authority.

OracleAS Certificate Authority will now use the Sub CA certificate for signing certificate requests.