H Oracle Wallet Manager and orapki

Oracle Application Server 10g provided two utilities for managing wallets and certificates:

  • Oracle Wallet Manager, a graphical user interface tool to manage PKI certificates

  • The orapki utility, a command-line tool to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and create signed certificates for testing purposes

Additionally, Oracle Application Server 10g provided the SSL Configuration Tool.

Oracle Fusion Middleware 11g Release 1 (11.1.1.7) provides:

  • Additional orapki features

  • The ability to manage JKS-based keystores, wallets, and certificates using Fusion Middleware Control

  • Both command-line and graphical user interfaces to configure SSL. See Chapter 6 for details.

Use this appendix to learn about orapki updates, and to help transition to the new certificate, wallet management, and SSL configuration tools provided in 11g Release 1 (11.1.1.7). The appendix contains these topics:

See Also:

Oracle Advanced Security Administrator's Guide for details of Oracle Wallet Manager and orapki usage:

http://docs.oracle.com/cd/E11882_01/network.112/e10746/toc.htm

Note:

The orapki utility is located in the binary directory of Oracle Common home, that is, $MIDDLEWARE_HOME/oracle_common/bin.

Note:

Wallet names based on multi-byte character sets (MBCS) are not supported. Do not create a wallet using an MBCS.

H.1 New orapki Features

The orapki command-line utility contains these new features in Oracle Fusion Middleware 11g Release 1 (11.1.1.7):

H.1.1 orapki Usage Examples

See Also:

Doc ID 1226654.1, "How To Create a Wallet via ORAPKI in FMW 11g" on the OTN Knowledge Base.

Here are a few examples of using orapki:

# Create root wallet (for example, CA wallet)
orapki wallet create -wallet ./root -pwd mypasswd
 
# Add a self-signed certificate (CA certificate) to the root wallet
orapki wallet add -wallet ./root -dn 'CN=root_test,C=US' -keysize 1024 -self_signed -validity 3650 -pwd mypasswd
 
# Export self-signed certificate from the wallet 
orapki wallet export -wallet ./root -dn 'CN=root_test,C=US' -cert ./root/b64certificate.txt -pwd mypasswd 
 
# Create a user wallet (for example, a customer wallet)
orapki wallet create -wallet ./user -pwd mypasswd
 
# Add a certificate request
orapki wallet add -wallet ./user -dn 'CN=user_test,C=US' -keysize 1024 -pwd mypasswd
 
# Export the certificate request 
orapki wallet export -wallet ./user -dn 'CN=user_test,C=US' -request ./user/creq.txt -pwd mypasswd
 
# Create a certificate (issued by CA)
orapki cert create -wallet ./root -request ./user/creq.txt -cert ./user/cert.txt -validity 3650 -pwd mypasswd
 
# Add a trusted certificate (CA certificate) to the wallet
orapki wallet add -wallet ./user -trusted_cert -cert ./root/b64certificate.txt -pwd mypasswd
 
# Add a user certificate
orapki wallet add -wallet ./user -user_cert -cert ./user/cert.txt -pwd mypasswd
 
# Display contents of wallet
orapki wallet display -wallet ./root -pwd mypasswd

H.1.2 New CRL Management Features

orapki supports several new command options to work with CRLs:

Creating a CRL

You use orapki crl create to create a CRL.

See Section H.2.6.3, "orapki crl create."

Revoking a Certificate

You use orapki crl revoke to revoke a certificate.

See Section H.2.6.8, "orapki crl revoke."

Verifying a CRL Signature

You use orapki crl verify to verify a CRL signature.

See Section H.2.6.11, "orapki crl verify."

Checking If a Certificate Is Revoked in a CRL

You use orapki crl status to check if a certificate is revoked.

See Section H.2.6.9, "orapki crl status."

H.1.3 New Version 3 Certificate Support

orapki provides:

  • The ability to add a subject key identifier extension to a certificate request

  • The ability to add a version3 self-signed certificate to a wallet

See Section H.2.6.12, "orapki wallet add" for information about these features.

H.1.4 Trust Chain Export

You use orapki wallet export_trust_chain to export a chain of trust (certificate chain) for a user.

See Section H.2.6.17, "orapki wallet export_trust_chain."

H.1.5 Wallet Password Change

You use orapki wallet change_pwd to change a wallet password.

See Section H.2.6.13, "orapki wallet change_pwd."

H.1.6 Converting Between Oracle Wallet and JKS Keystore

You can convert a JKS keystore to an Oracle wallet, and convert an Oracle wallet to JKS.

Converting JKS to Oracle Wallet

Use this command to migrate entries from JKS store to p12 wallet:

jks_to_pkcs12 -wallet wallet -pwd pwd -keystore keystore 
-jkspwd jkspwd [-aliases [alias:alias..]]

where the parameters are as follows:

  • wallet is the wallet location; entries from the JKS keystore will be migrated to this wallet.

  • pwd is the wallet password.

  • keystore is the keystore location; this JKS will be migrated to the p12 wallet.

  • jkspwd is the JKS password.

  • aliases are optional. If specified, only entries corresponding to the specified alias are migrated. If not specified, all the entries are migrated.

To illustrate this command, start by creating a self-signed JKS keystore:

keytool -genkey -alias myalias -keyalg RSA -keysize 1024 -dname CN=root,C=US -validity 3650 -keystore ./ewallet.jks -storetype jks -storepass password 
-keypass password 

Next, create an Oracle wallet:

orapki wallet create -wallet ./ -pwd password 

Migrate the JKS keystore entries to the wallet:

orapki wallet jks_to_pkcs12 -wallet ./ -pwd password -keystore ./ewallet.jks -jkspwd password

Note:

In this example the wallet was newly created and is empty. However, in practice the wallet need not be empty when you use this command; pre-existing entries are preserved.

Converting Oracle Wallet to JKS

Use this command to migrate entries from a p12 wallet to a JKS keystore:

pkcs12_to_jks -wallet p12wrl -pwd p12pwd 
[-jksKeyStoreLoc jksKSloc -jksKeyStorepwd jksKS_pwd][-jksTrustStoreLoc loc -jksTrustStorepwd pwd]

where the parameters are as follows:

  • wallet is the p12 wallet location

  • pwd is the wallet password

  • jksKeyStoreLoc is the JKS keystore location

  • jksKeyStorepwd is the JKS keystore password

  • jksTrustStoreLoc is the JKS truststore location

  • jksTrustStorepwd is the JKS truststore password

Note:

Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.

This example migrates all wallet entries to the same JKS keystore:

orapki wallet pkcs12_to_jks -wallet ./ -pwd mypasswd -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd mypasswd2

This example migrates keys and trusted certificate entries into separate JKS keystores:

orapki wallet pkcs12_to_jks -wallet ./ -pwd mypasswd 
-jksKeyStoreLoc ./ewalletK.jks -jksKeyStorepwd mypasswd2 
-jksTrustStoreLoc ./ewalletT.jks -jksTrustStorepwd mypasswd2

H.2 Using the orapki Utility for Certificate Validation and CRL Management

This section contains these topics:

H.2.1 orapki Overview

The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI.

This command-line utility can be used to perform the following tasks:

  • Creating signed certificates for testing purposes

  • Managing Oracle wallets:

    • Creating and displaying Oracle wallets

    • Adding and removing certificate requests

    • Adding and removing certificates

    • Adding and removing trusted certificates

  • Managing certificate revocation lists (CRLs):

    • Renaming CRLs with a hash value for certificate validation

    • Uploading, listing, viewing, and deleting CRLs in Oracle Internet Directory

orapki allows you to import certificates in both DER and PEM formats.

H.2.1.1 orapki Syntax

The basic syntax of the orapki command-line utility is as follows:

orapki module command -parameter value

In the preceding command, module can be wallet (Oracle wallet), crl (certificate revocation list), or cert (PKI digital certificate). The available commands depend on the module you are using. For example, if you are working with a wallet, then you can add a certificate or a key to the wallet with the add command. The following example adds the user certificate located at /private/lhale/cert.txt to the wallet located at ORACLE_HOME/wallet/ewallet.p12:

orapki wallet add -wallet ORACLE_HOME/wallet/ewallet.p12
-user_cert -cert /private/lhale/cert.txt

H.2.1.2 Environment Setup for orapki

When running orapki, ensure that one of these following environment settings is in place:

  • If running in the context of Identity Management or Web Tier or Classic installations, set ORACLE_HOME to point to the product installation location.

  • If running in the context of Oracle SOA Suite or Oracle WebCenter Portal installations, set JAVA_HOME to point to a valid JDK location that contains Java 1.5 or higher.

H.2.2 Displaying orapki Help

You can display all the orapki commands that are available for a specific mode by entering the following at the command line:

orapki mode help

For example, to display all available commands for managing certificate revocation lists (CRLs), enter the following at the command line:

orapki crl help

Note:

Using the -summary, -complete, or -wallet command options is always optional. A command will still run if these command options are not specified.

H.2.3 Creating Signed Certificates for Testing Purposes

This command-line utility provides a convenient, lightweight way to create signed certificates for testing purposes. The following syntax can be used to create signed certificates and to view certificates:

To create a signed certificate for testing purposes:

orapki cert create [-wallet wallet_location] -request
 certificate_request_location
-cert certificate_location -validity number_of_days [-summary]

This command creates a signed certificate from the certificate request. The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. The -validity parameter specifies the number of days, starting from the current date, that this certificate will be valid. Specifying a certificate and certificate request is mandatory for this command.

To view a certificate:

orapki cert display -cert certificate_location [-summary | -complete]

This command enables you to view a test certificate that you have created with orapki. You can choose either -summary or -complete, which determines how much detail the command will display. If you choose -summary, the command will display the certificate and its expiration date. If you choose -complete, it will display additional certificate information, including the serial number and public key.

H.2.4 Managing Oracle Wallets with the orapki Utility

The following sections describe the syntax used to create and manage Oracle wallets with the orapki command-line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process.

H.2.4.1 Creating and Viewing Oracle Wallets with orapki

To create an Oracle wallet:

orapki wallet create -wallet wallet_location

This command will prompt you to enter and re-enter a wallet password. It creates a wallet in the location specified for -wallet.

To create an Oracle wallet with auto-login enabled:

orapki wallet create -wallet wallet_location -auto_login

This command creates a wallet with auto-login enabled, or it can also be used to enable auto-login on an existing wallet. If the wallet_location already contains a wallet, then auto-login will be enabled for it. To disable the auto-login feature, delete cwallet.sso.

Note:

For wallets with the auto-login feature enabled, you are prompted for a password only for operations that modify the wallet, such as add.

To view an Oracle wallet:

orapki wallet display -wallet wallet_location

This command displays the certificate requests, user certificates, and trusted certificates contained in the wallet.

H.2.4.2 Adding Certificates and Certificate Requests to Oracle Wallets with orapki

To add a certificate request to an Oracle wallet:

orapki wallet add -wallet wallet_location -dn user_dn -keysize 512|1024|2048|4096

This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). To sign the request, export it with the export option. See Section H.2.4.3, "Exporting Certificates and Certificate Requests from Oracle Wallets with orapki."

To add a trusted certificate to an Oracle wallet:

orapki wallet add -wallet wallet_location -trusted_cert -cert
certificate_location

This command adds a trusted certificate, at the specified location (-cert certificate_location), to a wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding a user certificate, or the command to add the user certificate will fail.

To add a root certificate to an Oracle wallet:

orapki wallet add -wallet wallet_location -dn
certificate_dn -keysize 512|1024|2048 -self_signed -validity number_of_days

This command creates a new self-signed (root) certificate and adds it to the wallet. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate (-keysize) of 512, 1024, 2048, or 4096 bits.

To add a user certificate to an Oracle wallet:

orapki wallet add -wallet wallet_location -user_cert -cert certificate_location

This command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at the wallet_location. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.

H.2.4.3 Exporting Certificates and Certificate Requests from Oracle Wallets with orapki

To export a certificate from an Oracle wallet:

orapki wallet export -wallet wallet_location -dn
certificate_dn -cert certificate_filename

This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert.

To export a certificate request from an Oracle wallet:

orapki wallet export -wallet wallet_location -dn
certificate_request_dn -request certificate_request_filename

This command exports a certificate request with the subject's distinguished name (-dn) from a wallet to a file that is specified by -request.

H.2.5 Managing Certificate Revocation Lists (CRLs) with orapki Utility

CRLs must be managed with orapki. This utility creates a hashed value of the CRL issuer's name to identify the CRLs location in your system. If you do not use orapki, your Oracle server cannot locate CRLs to validate PKI digital certificates. The following sections describe CRLs, how you use them, and how to use orapki to manage them:

See Also:

"Certificate Revocation List Management" in the Oracle Advanced Security Administrator's Guide for details about managing CRLs with orapki:

http://docs.oracle.com/cd/E11882_01/network.112/e10746/asossl.htm

H.2.5.1 About Certificate Validation with Certificate Revocation Lists

The process of determining whether a given certificate can be used in a given context is referred to as certificate validation. Certificate validation includes determining that:

  • A trusted certificate authority (CA) has digitally signed the certificate.

  • The certificate's digital signature corresponds to the independently-calculated hash value of the certificate itself and the certificate signer's (CA's) public key.

  • The certificate has not expired.

  • The certificate has not been revoked.

The SSL network layer automatically performs the first three validation checks, but you must configure certificate revocation list (CRL) checking to ensure that certificates have not been revoked. CRLs are signed data structures that contain a list of revoked certificates. They are usually issued and signed by the same entity who issued the original certificate.

H.2.5.1.1 What CRLs Should You Use?

You should have CRLs for all of the trust points that you honor. The trust points are the trusted certificates from a third-party identity that is qualified with a level of trust. Typically, the certificate authorities you trust are called trust points.

H.2.5.1.2 How CRL Checking Works

Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use CRL DPs then CRLs are downloaded when the corresponding certificates are first used.

The server searches for CRLs in the following locations in the order listed. When the system finds a CRL that matches the certificate CA's DN, it stops searching.

  1. Local file system

    The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first, followed by the SSL_CRL_PATH parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs.

    Note: if you store CRLs on your local file system, then you must use the orapki utility to periodically update them. See Section H.2.5.2.1, "Renaming CRLs with a Hash Value for Certificate Validation."

  2. Oracle Internet Directory

    If the server cannot locate the CRL on the local file system and directory connection information has been configured in the ORACLE_HOME/ldap/admin/ldap.ora file, then the server searches in the directory. It searches the CRL subtree by using the CA's distinguished name (DN) and the DN of the CRL subtree.

    The server must have a properly configured ldap.ora file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. Also note that if you store CRLs in the directory, then you must use the orapki utility to periodically update them. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory."

  3. CRL DP

    If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the appropriate CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Advanced Security supports downloading CRLs over HTTP and LDAP.

    Notes:

    • For performance reasons, only user certificates are checked.

    • Oracle recommends that you store CRLs in the directory rather than the local file system.

H.2.5.2 Certificate Revocation List Management

Before you can enable certificate revocation status checking, you must ensure that the CRLs you receive from the CAs you use are in a form (renamed with a hash value) or in a location (uploaded to the directory) in which your system can use them. Oracle Advanced Security provides a command-line utility, orapki, that you can use to perform the following tasks:

You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory.

See Also:

Command-Line Tools Overview in the Oracle Fusion Middleware Reference for Oracle Identity Management for information about LDAP command-line tools and their syntax.
H.2.5.2.1 Renaming CRLs with a Hash Value for Certificate Validation

When the system validates a certificate, it must locate the CRL issued by the CA who created the certificate. The system locates the appropriate CRL by matching the issuer name in the certificate with the issuer name in the CRL.

When you specify a CRL storage location for the Certificate Revocation Lists Path field in Oracle Net Manager (sets the SSL_CRL_PATH parameter in the sqlnet.ora file), use the orapki utility to rename CRLs with a hash value that represents the issuer's name. Creating the hash value enables the server to load the CRLs.

On UNIX systems, orapki creates a symbolic link to the CRL. On Windows systems, it creates a copy of the CRL file. In either case, the symbolic link or the copy created by orapki are named with a hash value of the issuer's name. Then when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded.

Depending on your operating system, enter one of the following commands to rename CRLs stored in the file system.

To rename CRLs stored in UNIX file systems:

orapki crl hash -crl crl_filename [-wallet wallet_location]
-symlink crl_directory [-summary]

To rename CRLs stored in Windows file systems:

orapki crl hash -crl crl_filename
[-wallet wallet_location] -copy crl_directory [-summary]

In the preceding commands, crl_filename is the name of the CRL file, wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL, and crl_directory is the directory in which the CRL is located.

Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to renaming the CRL. Specifying the -summary option causes the tool to display the CRL issuer's name.

H.2.5.2.2 Uploading CRLs to Oracle Internet Directory

Publishing CRLs in the directory enables CRL validation throughout your enterprise, eliminating the need for individual applications to configure their own CRLs. All applications can use the CRLs stored in the directory in which they can be centrally managed, greatly reducing the administrative overhead of CRL management and use.

The user who uploads CRLs to the directory by using orapki must be a member of the directory group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%). This is a privileged operation because these CRLs are accessible to the entire enterprise. Contact your directory administrator to be added to this administrative directory group.

To upload CRLs to the directory, enter the following at the command line:

orapki crl upload -crl crl_location
-ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]

In the preceding command, crl_location is the file name or URL in which the CRL is located, hostname and ssl_port (SSL port with no authentication) are for the system on which your directory is installed, username is the directory user who has permission to add CRLs to the CRL subtree, and wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL.

Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. Specifying the -summary option causes the tool to print the CRL issuer's name and the LDAP entry in which the CRL is stored in the directory.

Note:

  • The orapki utility will prompt you for the directory password when you perform this operation.

  • Ensure that you specify the directory SSL port on which the Diffie-Hellman-based SSL server is running. This is the SSL port that does not perform authentication. Neither the server authentication nor the mutual authentication SSL ports are supported by the orapki utility.

H.2.5.2.3 Listing CRLs Stored in Oracle Internet Directory

You can display a list of all CRLs stored in the directory with orapki, which is useful for browsing to locate a particular CRL to view or download to your local system. This command displays the CA who issued the CRL (Issuer) and its location (DN) in the CRL subtree of your directory.

To list CRLs in Oracle Internet Directory, enter the following at the command line:

orapki crl list -ldap hostname:ssl_port

In the preceding command, the hostname and ssl_port are for the system on which your directory is installed. Note that this is the directory SSL port with no authentication as described in the preceding section.

H.2.5.2.4 Viewing CRLs in Oracle Internet Directory

You can view specific CRLs that are stored in Oracle Internet Directory in a summarized format or you can request a complete listing of revoked certificates for the specified CRL. A summary listing provides the CRL issuer's name and its validity period. A complete listing provides a list of all revoked certificates contained in the CRL.

To view a summary listing of a CRL in Oracle Internet Directory, enter the following at the command line:

orapki crl display -crl crl_location [-wallet wallet_location] -summary

In the preceding command, crl_location is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. See "Section H.2.5.2.3, "Listing CRLs Stored in Oracle Internet Directory".

To view a list of all revoked certificates contained in a specified CRL, which is stored in Oracle Internet Directory, enter the following at the command line:

orapki crl display -crl crl_location [-wallet wallet_location] -complete

For example, the following orapki command:

orapki crl display -crl $T_WORK/pki/wlt_crl/nzcrl.txt -wallet $T_WORK/pki/wlt_crl -complete

produces the following output, which lists the CRL issuer's DN, its publication date, date of its next update, and the revoked certificates it contains:

issuer = CN=root,C=us, thisUpdate = Sun Nov 16 10:56:58 PST 2003,
nextUpdate = Mon Sep 30 11:56:58 PDT 2013, revokedCertificates = 
{(serialNo = 153328337133459399575438325845117876415, 
revocationDate - Sun Nov 16 10:56:58 PST 2003)}
CRL is valid

Using the -wallet option causes the orapki crl display command to validate the CRL against the CA's certificate.

Depending on the size of your CRL, choosing the -complete option may take a long time to display.

You can also use Oracle Directory Manager, a graphical user interface tool that is provided with Oracle Internet Directory, to view CRLs in the directory. CRLs are stored in the following directory location:

cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
H.2.5.2.5 Deleting CRLs from Oracle Internet Directory

The user who deletes CRLs from the directory by using orapki must be a member of the directory group CRLAdmins. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for information about this directory administrative group.

To delete CRLs from the directory, enter the following at the command line:

orapki crl delete -issuer issuer_name -ldap hostname:ssl_port 
-user username [-summary]

In the preceding command, issuer_name is the name of the CA who issued the CRL, the hostname and ssl_port are for the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.

Using the -summary option causes the tool to print the CRL LDAP entry that was deleted.

For example, the following orapki command:

orapki crl delete -issuer "CN=root,C=us" 
-ldap machine1:3500 -user cn=orcladmin -summary

produces the following output, which lists the location of the deleted CRL in the directory:

Deleted CRL at cn=root
cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext

H.2.6 orapki Utility Commands Summary

This section lists and describes the following orapki commands:

H.2.6.1 orapki cert create

The following sections describe this command.

H.2.6.1.1 Purpose

Use this command to create a signed certificate for testing purposes.

H.2.6.1.2 Syntax
orapki cert create [-wallet wallet_location]
-request certificate_request_location
-cert certificate_location -validity number_of_days [-summary]
  • The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request.

  • The -request parameter (mandatory) specifies the location of the certificate request for the certificate you are creating.

  • The -cert parameter (mandatory) specifies the directory location in which the tool places the new signed certificate.

  • The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid.

H.2.6.2 orapki cert display

The following sections describe this command.

H.2.6.2.1 Purpose

Use this command to display details of a specific certificate.

H.2.6.2.2 Syntax
orapki cert display -cert certificate_location [-summary|-complete]
  • The -cert parameter specifies the location of the certificate you want to display.

  • You can use either the -summary or the -complete parameter to display the following information:

    • -summary displays the certificate and its expiration date

    • -complete displays additional certificate information, including the serial number and public key

H.2.6.3 orapki crl create

The following sections describe this command.

H.2.6.3.1 Purpose

Use this command to create a CRL.

H.2.6.3.2 Syntax
orapki crl create [-crl [url|filename]] 
[-wallet [cawallet]] 
[-nextupdate [days]] 
[-pwd pwd]
  • -crl is the location where the CRL will be created (for example ./nzcrl.txt)

  • -wallet is the cawallet, which contains self-signed certificate and corresponding private key

  • -nextupdate is the number of days until the next update

  • -pwd is the password of cawallet

H.2.6.4 orapki crl delete

The following sections describe this command.

H.2.6.4.1 Purpose

Use this command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group.

H.2.6.4.2 Syntax
orapki crl delete -issuer issuer_name 
-ldap hostname:ssl_port -user username [-summary]
  • The -issuer parameter specifies the name of the certificate authority (CA) who issued the CRL.

  • The -ldap parameter specifies the hostname and SSL port for the directory in which the CRLs are to be deleted. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.

  • The -user parameter specifies the username of the directory user who has permission to delete CRLs from the CRL subtree in the directory.

  • The -summary parameter is optional. Using it causes the tool to print the CRL LDAP entry that was deleted.

H.2.6.5 orapki crl display

The following sections describe this command.

H.2.6.5.1 Purpose

Use this command to display specific CRLs that are stored in Oracle Internet Directory.

H.2.6.5.2 Syntax
orapki crl display -crl crl_location 
 [-wallet wallet_location] [-summary|-complete] 
  • The -crl parameter specifies the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. See Section H.2.6.7, "orapki crl list".

  • The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to displaying it.

  • Choosing either the -summary or the -complete parameters displays the following information:

    • -summary provides a listing that contains the CRL issuer's name and the CRL's validity period

    • -complete provides a list of all revoked certificates that the CRL contains. Note that this option may take a long time to display, depending on the size of the CRL.

H.2.6.6 orapki crl hash

The following sections describe this command.

H.2.6.6.1 Purpose

Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.

H.2.6.6.2 Syntax
orapki crl hash -crl crl_filename|URL 
 [-wallet wallet_location] [-symlink|-copy] crl_directory [-summary]
  • The -crl parameter specifies the filename that contains the CRL or the URL in which it can be found.

  • The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.

  • Depending on your operating system, use either the -symlink or the -copy parameter:

    • On UNIX: Use -symlink to create a symbolic link to the CRL at the crl_directory location

    • On Windows: Use -copy to create a copy of the CRL at the crl_directory location

  • The -summary parameter (optional) causes the tool to display the CRL issuer's name.

H.2.6.7 orapki crl list

The following sections describe this command.

H.2.6.7.1 Purpose

Use this command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system.

H.2.6.7.2 Syntax
orapki crl list -ldap hostname:ssl_port

The -ldap parameter specifies the hostname and SSL port for the directory server from which you want to list CRLs. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.

H.2.6.8 orapki crl revoke

The following sections describe this command.

H.2.6.8.1 Purpose

Use this command to revoke a certificate.

H.2.6.8.2 Syntax
orapki crl revoke [-crl [url|filename]] 
[-wallet [cawallet]] 
[-cert [revokecert]] 
[-pwd pwd]

where:

  • -crl specifies the CRL as either a URL or a filename

  • -wallet is the cawallet, which contains self-signed certificate and corresponding private key

  • -cert: certificate to be revoked

  • -pwd is the password of cawallet.

H.2.6.9 orapki crl status

The following sections describe this command.

H.2.6.9.1 Purpose

Use this command to check if a certificate is revoked in a CRL.

H.2.6.9.2 Syntax
orapki crl status [-crl [url|filename]] 
 [-cert [cert]]
  • -crl specifies the CRL as either a URL or a filename

  • -cert is the CA's certificate

H.2.6.10 orapki crl upload

The following sections describe this command.

H.2.6.10.1 Purpose

Use this command to upload certificate revocation lists (CRLs) to the CRL subtree in Oracle Internet Directory. Note that you must be a member of the directory administrative group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) to upload CRLs to the directory.

H.2.6.10.2 Syntax
orapki crl upload -crl crl_location 
 -ldap hostname:ssl_port -user username 
 [-wallet wallet_location] [-summary]
  • The -crl parameter specifies the directory location or the URL of the CRL that you are uploading to the directory.

  • The -ldap parameter specifies the hostname and SSL port for the directory to which you are uploading the CRLs. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.

  • The -user parameter specifies the username of the directory user who has permission to add CRLs to the CRL subtree in the directory.

  • The -wallet parameter specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. This is an optional parameter. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.

  • The -summary parameter is also optional. Using it causes the tool to display the CRL issuer's name and the LDAP entry in which the CRL is stored in the directory.

H.2.6.11 orapki crl verify

The following sections describe this command.

H.2.6.11.1 Purpose

Use this command to verify a CRL signature.

H.2.6.11.2 Syntax
orapki crl verify [-crl [url|filename]] 
[-cert [cacert]]

where:

  • -crl specifies the CRL as either a URL or a filename

  • -cert specifies the certificate to be checked

H.2.6.12 orapki wallet add

The following sections describe this command.

H.2.6.12.1 Purpose

Use this command to add certificate requests and certificates to an Oracle wallet.

H.2.6.12.2 Syntax

To add certificate requests:

orapki wallet add -wallet wallet_location -dn user_dn -keysize 512|1024|2048
  • The -wallet parameter specifies the location of the wallet to which you want to add a certificate request.

  • The -dn parameter specifies the distinguished name of the certificate owner.

  • The -keysize parameter specifies the key size for the certificate.

  • To sign the request, export it with the export option. See Section H.2.6.16, "orapki wallet export".

To add trusted certificates:

orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location
  • The -trusted_cert parameter causes the tool to add the trusted certificate, at the location specified with -cert, to the wallet.

To add root certificates:

orapki wallet add -wallet wallet_location -dn 
certificate_dn -keysize 512|1024|2048 -self_signed 
-valid_from [mm/dd/yyyy] -valid_until [mm/dd/yyyy]
-validity number_of_days
  • The -self_signed parameter causes the tool to create a root certificate.

  • The -validity parameter can be used to specify the number of days, starting from the current date, that this root certificate will be valid.

  • The -valid_from and valid_until parameters can be used to specify an exact date range for which this root certificate will be valid. You may specify validity in this way instead of -validity number_of_days.

To add user certificates:

orapki wallet add -wallet wallet_location -user_cert -cert certificate_location
  • The -user_cert parameter causes the tool to add the user certificate at the location specified with the -cert parameter to the wallet. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.

To add a subject key identifier extension to a certificate request:

orapki wallet add -wallet wallet_location -dn user_dn -keysize 512|1024|2048 -addext_ski

To add a Version 3 self-signed certificate to a wallet:

orapki wallet add -wallet wallet_location -dn certificate_dn -keysize 512|1024|2048 -self_signed -validity number_of_days -addext_ski

H.2.6.13 orapki wallet change_pwd

The following sections describe this command.

H.2.6.13.1 Purpose

Use this command to change the password for an Oracle wallet.

H.2.6.13.2 Syntax
orapki wallet change_pwd [-wallet [wallet_location]] [-oldpwd oldpassword] [-newpwd newpassword]
  • The -wallet parameter specifies the location of the wallet whose password you want to change.

  • The -oldpwd parameter specifies the existing wallet password.

  • The -newpwd parameter specifies the new wallet password.

H.2.6.14 orapki wallet create

The following sections describe this command.

H.2.6.14.1 Purpose

Use this command to create an Oracle wallet or to set auto-login on for an Oracle wallet.

H.2.6.14.2 Syntax
orapki wallet create -wallet wallet_location [-auto_login]
  • The -wallet parameter specifies a location for the new wallet or the location of the wallet for which you want to turn on auto-login.

  • The -auto_login parameter creates an auto-login wallet, or it turns on automatic login for the wallet specified with the -wallet option.

H.2.6.15 orapki wallet display

The following sections describe this command.

H.2.6.15.1 Purpose

Use this command to view the certificate requests, user certificates, and trusted certificates in an Oracle wallet.

H.2.6.15.2 Syntax
orapki wallet display -wallet wallet_location
  • The -wallet parameter specifies a location for the wallet you want to open if it is not located in the current working directory.

H.2.6.16 orapki wallet export

The following sections describe this command.

H.2.6.16.1 Purpose

Use this command to export certificate requests and certificates from an Oracle wallet.

H.2.6.16.2 Syntax
orapki wallet export -wallet wallet_location -dn
certificate_dn -cert certificate_filename
  • The -wallet parameter specifies the directory where the wallet, from which you want to export the certificate, is located.

  • The -dn parameter specifies the distinguished name of the certificate.

  • The -cert parameter specifies the path and filename of the file that contains the exported certificate.

To export a certificate request from an Oracle wallet:

orapki wallet export -wallet wallet_location -dn
certificate_request_dn -request certificate_request_filename
  • The -request parameter specifies the path and filename of the file that contains the exported certificate request.

H.2.6.17 orapki wallet export_trust_chain

The following sections describe this command.

H.2.6.17.1 Purpose

Use this command to export a chain of trust (certificate chain) for a user.

H.2.6.17.2 Syntax
orapki wallet export_trust_chain [-wallet [wallet]] 
[-certchain [filename]] 
[-dn [user_cert_dn] ] 
[-pwd pwd]
  • The -wallet parameter specifies the location of the wallet from which you want to export the certificate chain.

  • The -certchain parameter specifies the name of the file to contain the exported certificate chain.

  • The -dn parameter specifies the distinguished name of the entry to be exported.

  • The -pwd specifies the wallet password.

H.3 Equivalent Features for Oracle Wallet Manager

Table H-1 shows the wallet management features provided by Oracle Wallet Manager, and the commands or options that provide equivalent functionality in 11g Release 1 (11.1.1.7).

Table H-1 Mapping for Oracle Wallet Manager Features for Wallets

Oracle Wallet Manager Feature How Implemented in 11gR1 Fusion Middleware Control Notes

Creating a standard PKCS #12 wallet

Security, then Wallets

 

Creating a PKCS#11 wallet

Not supported

Use Oracle Wallet Manager or the orapki command line tool

Opening a wallet

Security, then Wallets

Click on the wallet and enter a password, unless it is an auto-login wallet

Closing a wallet

 

Navigating to the wallets page, or opening another wallet, automatically closes the existing wallet.

Uploading a wallet to an LDAP directory

Not supported

Use the orapki command line tool

Downloading a wallet from an LDAP directory

Not supported

Use the orapki command line tool

Saving changes to an open wallet

See Notes.

Any changes made on the Manage Certificate page are automatically saved when the operation is completed.

Saving the open wallet to a new location

Security, then Wallets, then Export

 

Saving in System Default

Security, then Wallets, then Export

 

Deleting the wallet

Security, then Wallets, then Delete

 

Changing the password

Not supported

Use WLST or orapki command line tools.

Enabling auto-login

See Notes.

An Auto-login wallet is automatically created with every password protected wallet.

Disabling auto-login

Not supported

You cannot disable generation of an auto-login wallet since it is always required for runtime.


Table H-2 shows the certificate management features provided by Oracle Wallet Manager, and the equivalent commands or options in 11g Release 1 (11.1.1.7).

Table H-2 Mapping for Oracle Wallet Manager Features for Certificates

Oracle Wallet Manager Feature How Implemented in 11gR1 Fusion Middleware Control Notes

Adding a certificate request

Security, then Wallets. Select a wallet, then Add Certificate Request

 

Importing a user certificate

Security, then Wallets, select a wallet, then Import

Select User Certificate in the drop down box

Importing a trusted certificate

Security, then Wallets, select a wallet, then Import

Select Trusted Certificate in the drop down box

Remove certificate request

Security, then Wallets, select a wallet, select a certificate request, then Delete

 

Remove user certificate

Security, then Wallets, select a wallet, select a user certificate, then Delete

 

Remove trusted certificate

Security, then Wallets, select a wallet, select a trusted certificate, then Delete

 

Export user certificate

Security, then Wallets, select a wallet, select a user certificate, then Export

 

Export certificate request

Security, then Wallets, select a wallet, select a certificate request, then Export

 

Export trusted certificate

Security, then Wallets, select a wallet, select a trusted certificate, then Export

 

Export all trusted certificates

Not supported

Use WLST or orapki command-line tools

Importing a PKCS#7 certificate chain into the wallet

Not supported

Use WLST or orapki command-line tools

Exporting a PKCS#7 certificate chain from the wallet

Not supported

Use WLST or orapki command-line tools


Location of Default Wallet

The default location of the wallet depends on the ORACLE_HOME setting:

  • When ORACLE_HOME is set, the default wallet location is $ORACLE_HOME/owm/wallets/username.

  • When ORACLE_HOME is not set, the default wallet location is CurrentDir/owm/wallets/username.

H.4 Equivalent Features for orapki

Table H-3 shows the features provided by the orapki utility for Oracle wallets and CRLs, and the equivalent commands and options in 11g Release 1 (11.1.1.7).

Table H-3 Mapping for orapki Features for Wallets and CRLs

orapki Feature How Implemented in 11gR1 Notes

Creating a standard PKCS#12 wallet

WLST createWallet()

To manage a password-protected and auto-login wallet, provide a non-empty password value. To manage just an auto-login wallet, provide an empty password value (that is, '')

Creating a PKCS#11 wallet

Not supported

Use orapki command-line tool

Uploading a wallet to an LDAP Directory

Not supported

Use orapki command-line tool

Downloading a wallet from an LDAP directory

Not supported

Use orapki command-line tool

Deleting a wallet

WLST deleteWallet()

 

Changing the wallet password

WLST changeWalletPassword()

For obvious reasons, password can only be changed for a password-protected wallet

Enabling auto-login

 

Auto-login wallet is automatically created with every password-protected wallet.

Enabling auto-login wallet that works only on local machine

Not supported

Use orapki command line tool

Create, revoke, hash, verify, upload, list, display, delete CRLs

Not supported

Use orapki command line tool


Table H-4 shows the features provided by the orapki utility for certificates, and the equivalent commands or options in 11g Release 1 (11.1.1.7).

Table H-4 Mapping for orapki Features for Certificates

orapki Feature How Implemented in WLST in 11gR1 Notes

Adding a certificate request

addCertificateRequest()

 

Adding a self-signed certificate

addSelfSignedCertificate()

 

Listing all entries in a wallet

listWalletObjects()

Provide a valid value of type ("CertificateRequest", "Certificate" or "TrustedCertificate")

Importing a user certificate

importWalletObject()

Enter type as "Certificate"

Importing a trusted certificate

importWalletObject()

Enter type as "TrustedCertificate"

Removing a certificate request

removeWalletObject()

Enter type as "CertificateRequest"

Removing a user certificate

removeWalletObject()

Enter type as "Certificate"

Removing a trusted certificate

removeWalletObject()

Enter type as "TrustedCertificate"

Removing all trusted certificates

removeWalletObject()

Enter type as "TrustedAll"

Exporting a user certificate

exportKeyStoreObject()

Enter type as "Certificate"

Exporting a certificate request

exportWalletObject()

Enter type as "CertificateRequest"

Exporting a trusted certificate

exportWalletObject()

Enter type as "TrustedCertificate"

Exporting a certificate chain

exportWalletObject()

Enter type as "CertificateChain"

Importing a PKCS#7 certificate chain into the wallet

importWalletObject()

Enter type as "TrustedChain"


H.5 Equivalent Features for the SSL Configuration Tool

Table H-5 shows the features provided by the pre-11g Release 1 (11.1.1.7) SSL Configuration Tool, and the equivalent commands or options in 11g Release 1 (11.1.1.7).

Table H-5 Equivalent Features for the SSL Configuration Tool

SSL Configuration Tool SSL Configuration in 11g Release 1 (11.1.1.7)

No support for wallet management

Supports management of Oracle Wallets and Java Keystores, in addition to SSL configuration

Oracle Web Cache was the only standalone type supported for SSL

Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory, and Oracle Virtual Directory are supported for standalone SSL configuration

Provided only command line interface

Provides both command line interface (WLST) and graphical interface (Fusion Middleware Control)

Configuration file was required to run this tool. If the file was not provided, the tool prompted for values.

Configuration file is optional in the WLST command. If not provided, default values are used for SSL attributes.

Supported SSL configuration for Web tier only.

Supports SSL configuration for both Web tier and data tier.

Tool had to be run on the same physical host where component was installed.

Allows remote management of components.