Administration Console Online Help


Configure certificate authority overrides

Before you begin


Configuring a certificate authority override allows you to specify certificate revocation (CR) checking behavior that is specific to certificates issued by a particular certificate authority (CA). A certificate authority override always supersedes the corresponding domain-wide CR checking configuration.

A certificate authority override can be used to supersede, for a given CA, any domain-wide CR checking configuration settings, with the exception of the CRL local cache, which is configured on a domain-wide basis only.

To configure a certificate authority override for a CA:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, under Domain Structure, select the domain name.
  3. Select Security > SSL Certificate Revocation Checking > Certificate Authority Overrides and click New.

    The Create a New Certificate Revocation Checking Certificate Authority Override page is displayed.

  4. In the Name field, enter a unique, short name for the override.

    For example, if the CA Subject Name is CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US, this unique name could consist of the value of the common name (CN); that is, CertGenCAB.

  5. In the Distinguished Name field, enter the distinguished name of the CA. For example, CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US.
  6. Click Finish.
  7. In the Settings for domain-name page, select Security > SSL Certificate Revocation Checking > Certificate Authority Overrides and click the name of the certificate authority to configure the override.

    The Settings for certificate-authority-name page is displayed.

  8. Select Configuration > General and set one or more of the following override properties, as appropriate, then click Save.
    • If you do not want the revocation status of certificates issued by this CA to be checked as part of the SSL certificate path validation process, select the Disable Revocation Checking For This Certificate Authority check box.
    • To change the CR checking method or order, select the desired one from Revocation Checks.
    • If you want WebLogic Server to fail SSL certificate path validation for any certificates issued by this CA that have an unknown or undetermined revocation status, select the Fail On Unknown Revocation Status check box.
  9. Select Configuration > OCSP and set one of the following OCSP override properties for this CA, as appropriate:
    • Change the current setting of Enable Nonce to override the domain-wide setting.
    • Change the current setting of Enable Response Cache to override the domain-wide setting.
  10. Click Advanced and set one or more of the following additional OCSP override properties for this CA, as appropriate:
    • Specify a Response Timeout (seconds) to limit the wait time for OCSP responses for certificates issued by this CA.
    • Specify a Time Tolerance (seconds) to handle clock-skew differences between WebLogic Server and the OCSP responder.
    • Specify a Responder URL to be used for either failover (if the OCSP responder URI from the certificate AIA value is not available or not acceptable) or for override (to be always used as the responder URL).
    • Select the Usage for the Responder URL: failover or override.
    • Specify OCSP Responder Explicit Trust Method settings for this CA override, as appropriate. By default, OCSP Responder Explicit Trust Model is disabled. In this model, you can supply an additional trusted certificate that may be used to verify the OCSP response signature. The Explicit Trust Model may be used for OCSP responders that are trusted, but that are not authorized to sign OCSP responses on behalf of issuers.

    See Configuring OCSP Certificate Authority Overrides for more information about OCSP properties you can specify in a CA override.

  11. Click Save if you have specified any OCSP override properties.
  12. Select Configuration > CRL and set one or more of the following CRL override properties for this CA, as appropriate:
    • Change the selection of Enable Updates From Distribution Points to override the domain-wide CRL configuration.
    • Click Advanced and change the CRL Distribution Point URL to be used for either failover (if the URL from the CRLDistributionPoints extension in the certificate is unavailable) or for override (to be always used as the distribution point URL). Select the Usage for this CRL distribution point URL (failover or override), and specify a Download Timeout (seconds).

    See Configuring CRL Certificate Authority Overrides for more information about CRL properties you can specify in a CA override.

  13. Click Save if you have specified any CRL override properties.
  14. In the Change Center, click Activate Changes. If automatic realm restart is enabled in the default realm, you do not need to restart WebLogic Server for changes to go into effect.
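As an added example, not WebLogic Server code, the following Python model shows how a CA override (matched by issuer distinguished name) is layered over the domain-wide CR checking settings, how the failover and override usages of a Responder URL differ, and what Fail On Unknown Revocation Status changes in the outcome. The class and attribute names and the method-order label are assumptions, not WebLogic MBean names.

```python
from dataclasses import dataclass, field
from typing import Optional

def normalize_dn(dn: str) -> str:
    # Match issuer DNs leniently: trim spaces around commas and fold case.
    return ",".join(p.strip() for p in dn.split(",")).lower()

@dataclass
class CaOverride:
    distinguished_name: str
    disable_checking: bool = False          # "Disable Revocation Checking For This CA"
    method_order: Optional[str] = None      # None = inherit the domain-wide value
    fail_on_unknown: Optional[bool] = None  # None = inherit the domain-wide value
    responder_url: Optional[str] = None     # configured OCSP Responder URL
    responder_usage: str = "failover"       # Usage: "failover" or "override"

@dataclass
class DomainConfig:
    method_order: str = "OCSP_THEN_CRL"     # assumed label for the method order
    fail_on_unknown: bool = False
    overrides: dict = field(default_factory=dict)  # normalized DN -> CaOverride

    def add_override(self, ov: CaOverride) -> None:
        self.overrides[normalize_dn(ov.distinguished_name)] = ov

def effective_policy(domain: DomainConfig, issuer_dn: str) -> dict:
    """Layer the matching CA override (if any) over the domain-wide settings."""
    ov = domain.overrides.get(normalize_dn(issuer_dn))
    if ov is None:
        return {"check": True, "method_order": domain.method_order, "fail_on_unknown": domain.fail_on_unknown}
    return {"check": not ov.disable_checking,
            "method_order": domain.method_order if ov.method_order is None else ov.method_order,
            "fail_on_unknown": domain.fail_on_unknown if ov.fail_on_unknown is None else ov.fail_on_unknown}

def select_responder_url(ov: Optional[CaOverride], aia_url: Optional[str]) -> Optional[str]:
    """Usage 'override' always takes the configured URL; 'failover' prefers the AIA URL."""
    if ov is None or ov.responder_url is None:
        return aia_url
    if ov.responder_usage == "override":
        return ov.responder_url
    return aia_url or ov.responder_url

def path_validation_passes(policy: dict, revocation_status: str) -> bool:
    """Decide pass/fail for one revocation lookup result under the policy."""
    if not policy["check"]:
        return True                 # checking disabled: status is never consulted
    if revocation_status == "revoked":
        return False
    return revocation_status == "good" or not policy["fail_on_unknown"]
```

The last function makes the trade-off of the Disable Revocation Checking option visible: with checking disabled for a CA, even a revoked certificate from that CA passes path validation.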
