About Windows Public Key Infrastructure

Learn about Windows public key infrastructure and the Microsoft Certificate Store components that Oracle PKI applications use.

Note:

Microsoft Certificate Store integration works only with digital certificates whose private key is held by the Microsoft Enhanced Cryptographic Provider. To create such certificates, install the Windows High Encryption Pack and select the Microsoft Enhanced Cryptographic Provider when the key is generated. Also, when several certificates are available for the same key usage (signature or key exchange), the first certificate retrieved from the store is the one used for Oracle SSL.

About Microsoft Certificate Stores

Microsoft Certificate Stores are repositories for storing digital certificates and their associated properties.

Windows operating systems store digital certificates and certificate revocation lists in logical and physical stores. Logical stores contain pointers to public key objects in physical stores. Logical stores enable public key objects to be shared between users, computers, and services without storing a duplicate of each object for every user, computer, or service. Public key objects are physically stored in the certificate authority of the local computer or, for some user certificates, in Active Directory. Standard system certificate stores defined by Microsoft include:

  • MY or Personal

  • CA

  • ROOT

MY or Personal holds a user's certificates for which the associated private key is available. The MY certificate store maintains certificate properties that indicate the Cryptographic Service Provider (CSP) associated with the private key. An application uses this information to obtain the private key from the CSP for the associated certificate. CA holds issuing or intermediate certificate authority (CA) certificates. ROOT holds only self-signed CA certificates for trusted root CAs.
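The following PowerShell script is an added example, not part of the Oracle documentation. It inventories the MY, CA and ROOT stores described above and then checks the MY store against the two conditions stated in the note at the top of this page: a certificate is usable by Oracle's Microsoft Certificate Store integration only if its private key belongs to the Microsoft Enhanced Cryptographic Provider, and when several usable certificates share a key usage, Oracle SSL takes whichever is retrieved first. It assumes Windows PowerShell 5.1 with the `Cert:` drive; the store location and required provider name are script parameters.

```powershell
# Added example (not from the Oracle documentation). Inventory the three standard
# stores and flag MY-store certificates that Oracle's MCS integration cannot use.
param(
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Location = 'CurrentUser',
    # Provider the page's note requires for Microsoft Certificate Store integration.
    [string]$RequiredProvider = 'Microsoft Enhanced Cryptographic Provider'
)

$usageType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]

function Get-CspProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CAPI keys expose their CSP through CspKeyContainerInfo. CNG keys have no CSP and
    # .NET Framework may throw when asked for PrivateKey, so report those separately.
    try {
        $key = $Cert.PrivateKey
        if ($key -and $key.CspKeyContainerInfo) { return $key.CspKeyContainerInfo.ProviderName }
    } catch { }
    return 'CNG or unavailable'
}

# 1. Count the MY, CA and ROOT stores for the chosen location.
foreach ($store in 'My', 'CA', 'Root') {
    $count = @(Get-ChildItem "Cert:\$Location\$store").Count
    '{0,-5} {1,4} certificate(s)' -f $store, $count
}

# 2. MY store: only certificates with a private key matter for SSL authentication.
#    Record provider, key usage and expiry, and group thumbprints by key usage.
$personal = Get-ChildItem "Cert:\$Location\My" | Where-Object { $_.HasPrivateKey }
$byUsage  = @{}
foreach ($cert in $personal) {
    $provider = Get-CspProviderName -Cert $cert
    $ku       = $cert.Extensions | Where-Object { $_ -is $usageType } | Select-Object -First 1
    $usages   = if ($ku) { $ku.KeyUsages.ToString() } else { 'none' }
    $verdict  = if ($provider -eq $RequiredProvider) { 'OK' } else { 'NOT USABLE BY MCS' }
    '{0}  {1}  [{2}]  {3}' -f $cert.Thumbprint, $cert.Subject, $usages, $verdict
    "    provider: $provider    expires: $($cert.NotAfter.ToString('u'))"
    if ($verdict -ne 'OK') { continue }
    foreach ($u in ($usages -split ',\s*')) {
        if (-not $byUsage.ContainsKey($u)) { $byUsage[$u] = @() }
        $byUsage[$u] += $cert.Thumbprint
    }
}

# 3. More than one usable certificate for the same key usage: Oracle SSL will use
#    whichever is retrieved first, so make the choice explicit rather than implicit.
foreach ($u in $byUsage.Keys) {
    if ($byUsage[$u].Count -gt 1) {
        $list = $byUsage[$u] -join ', '
        "WARNING: $($byUsage[$u].Count) usable certificates carry key usage '$u'; Oracle SSL uses the first retrieved: $list"
    }
}
```

Run it as the Windows user under which the Oracle client runs, since the MY store is per user; pass `-Location LocalMachine` for a service account that uses the machine store. A certificate reported as `CNG or unavailable` was generated by a Key Storage Provider rather than a CSP and will not satisfy the provider requirement in the note.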

About Microsoft Certificate Services

Learn about Microsoft Certificate Services (MCS) and its associated modules.

Microsoft Certificate Services (MCS) consists of the following modules:

  • Server Engine

  • Intermediary

  • Policy

The Server Engine handles all certificate requests. It interacts with the other modules at each processing stage to ensure that the proper action is taken based on the state of the request. The Intermediary module receives requests for new certificates from clients and submits them to the Server Engine. The Policy module contains the set of rules that control the issuance of certificates; this module may be upgraded or customized as needed.

Using Microsoft Certificate Stores with Oracle PKI Applications

The Wallet Resource Locator (WRL) is the WALLET_LOCATION parameter in the sqlnet.ora file; its value identifies the PKI whose credentials are used.

You choose between Oracle Wallet and Microsoft Certificate Stores by setting the WALLET_LOCATION parameter in sqlnet.ora. To use credentials from Microsoft Certificate Stores, set WALLET_LOCATION in sqlnet.ora to:

WALLET_LOCATION = (SOURCE = (METHOD=MCS))

The Oracle application uses Oracle's TCP/IP with SSL protocol (TCPS) to connect to Oracle Server. The SSL protocol uses X.509 certificates and trust points from the user's Microsoft Certificate Store for SSL authentication.
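As an added configuration example (not taken from the Oracle documentation), the fragment below places the Microsoft Certificate Store setting beside the Oracle Wallet file setting it replaces, together with the sqlnet.ora and tnsnames.ora entries a TCPS connection needs. Only one WALLET_LOCATION entry may be active at a time, so the file-based one is commented out. The wallet directory, host name and service name are placeholders; the port 2484 is the conventional TCPS listener port and is also an assumption for this site.

```text
# sqlnet.ora (client side)

# Alternative 1: Oracle Wallet stored in a file-system directory (placeholder path).
# WALLET_LOCATION =
#   (SOURCE =
#     (METHOD = FILE)
#     (METHOD_DATA =
#       (DIRECTORY = C:\oracle\wallets\client)))

# Alternative 2: credentials and trust points from the user's Microsoft Certificate Store.
WALLET_LOCATION = (SOURCE = (METHOD = MCS))

# Present the client certificate from the MY store during the SSL handshake.
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2

# tnsnames.ora: connect over TCP/IP with SSL (TCPS). Host, port and service name are placeholders.
ORCL_TCPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl)))
```

With METHOD=MCS, the trust points come from the ROOT and CA stores and the client certificate from the MY store of the Windows user running the client, so the store checks described earlier on this page apply to that user's stores, not to a wallet file.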