Certificate Validation Options

To supplement the SSL and S/MIME email security settings, B2C Service provides you with the resources for managing the validation and revocation of certificates. These resources are accessed using the File Manager.

  • Trusted certification authorities—Service uses a predefined list of trusted certification authorities for verifying certificates from POP3 servers and S/MIME email senders. This list contains well-known root certification authorities. Depending on your organization’s circumstances, you may want to add or remove trusted certification authorities.
  • Certificate revocation lists—Certification authorities regularly publish certificate revocation lists (CRLs), which you can use to check the validity of certificates. If you upload any lists, certificate revocation checking is automatically enabled. As a result, every root certification authority certificate that is used, whether for SSL connections or for email certificates, must have a corresponding certificate revocation list. If there is no corresponding list, the certificate check fails.
  • Intermediate certificates—Some certificates that are not defined as trusted root certificates still need to be stored in order to verify a customer’s certificate, that is, the one that was used to sign the customer’s S/MIME email. These are called intermediate certificates and are automatically extracted from emails, requiring no intervention on your part. You can also upload intermediate certificates if, for example, you receive signed emails without the necessary intermediate certificate embedded in them.
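The three resources above can be exercised end to end with nothing but the openssl command line. The script below is an added example, not Oracle's code and not part of B2C Service: it builds a throwaway root CA, an intermediate CA and a customer S/MIME signing certificate (all names constructed), uses root.pem as a stand-in for the trusted certification authority list and int.pem for a stored intermediate, and then walks through the CRL behaviour described above: once revocation checking is on, every issuing CA in the chain needs a published CRL, or validation fails even though nothing has been revoked. It assumes a POSIX shell and OpenSSL 1.1.1 or later on PATH; the minimal `openssl ca` configuration it writes is a constructed one used only for publishing CRLs.

```shell
#!/bin/sh
# Added example (not Oracle B2C Service code): a throwaway two-tier PKI built
# with the openssl CLI to show how a trusted root, an intermediate and CRLs
# interact during validation, and why enabling CRL checking means every CA in
# the chain must have a published CRL. All names and files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certificates and for the customer's signing certificate.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=emailProtection
subjectAltName=email:customer@example.com'

# issue_cert PREFIX CN ISSUER EXTENSIONS
# Generates PREFIX.key and PREFIX.pem; ISSUER is another prefix or "self".
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" >/dev/null 2>&1
  printf '%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
        -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
  fi
}

# init_crl_db PREFIX: the minimal 'openssl ca' state a CA needs to publish CRLs
# (constructed configuration; only the fields -gencrl/-revoke need).
init_crl_db() {
  printf '[ ca ]\ndefault_ca = crl_ca\n[ crl_ca ]\ndatabase = %s.index\n' "$1" > "$1.cnf"
  printf 'crlnumber = %s.crlnum\ndefault_md = sha256\ndefault_crl_days = 30\n' "$1" >> "$1.cnf"
  : > "$1.index"
  echo 01 > "$1.crlnum"
}

# gen_crl PREFIX: publish the CA's current CRL to PREFIX.crl (empty until a revocation).
gen_crl() {
  openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.pem" -gencrl \
      -out "$1.crl" 2>/dev/null
}

# revoke_cert PREFIX CERTFILE: record CERTFILE as revoked in the CA's database.
revoke_cert() {
  openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.pem" -revoke "$2" 2>/dev/null
}

# verify_leaf [openssl verify options]: validate leaf.pem as an S/MIME signer.
# root.pem plays the trusted-CA store, int.pem the stored intermediate.
# Prints the outcome and returns openssl's exit status (0 = valid).
verify_leaf() {
  openssl verify -CAfile root.pem -untrusted int.pem -purpose smimesign "$@" leaf.pem 2>&1
}

issue_cert root "Constructed Test Root CA" self "$CA_EXT"
issue_cert int  "Constructed Test Intermediate CA" root "$CA_EXT"
issue_cert leaf "customer@example.com" int "$LEAF_EXT"
init_crl_db root
init_crl_db int

echo "1. trusted root + intermediate, no revocation checking:"
verify_leaf
echo "2. revocation checking on, but no CRL for any CA (fails):"
verify_leaf -crl_check_all || true
echo "3. both CAs publish a CRL (nothing revoked yet):"
gen_crl root
gen_crl int
cat root.crl int.crl > crls.pem   # one CRL per issuing CA, bundled into one file
verify_leaf -crl_check_all -CRLfile crls.pem
echo "4. only the root's CRL is available; the intermediate's is missing (fails):"
verify_leaf -crl_check_all -CRLfile root.crl || true
echo "5. the intermediate revokes the customer certificate and republishes (fails):"
revoke_cert int leaf.pem
gen_crl int
cat root.crl int.crl > crls.pem
verify_leaf -crl_check_all -CRLfile crls.pem || true
```

Steps 4 and 5 fail for different reasons, and a mail gateway should log them distinctly: "unable to get certificate CRL" is a configuration gap (a CA in the chain has no uploaded CRL), while "certificate revoked" is a genuine rejection of the signer. The two CRLs are bundled into crls.pem so that a single -CRLfile argument covers both issuing CAs.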

Additionally, the configuration setting USE_KNOWN_ROOT_CAS (Common/General/Single Sign-On) controls whether the list of known root certification authorities embedded in the Oracle server is consulted when verifying X.509 certificates, for example when checking S/MIME email or SAML 2.0 signatures.