Oracle Database B10772-01 Administrator's Manual page 207

Note: CRLs must be updated at regular intervals (before they
expire) for successful validation. You can automate this task by
using orapki commands in a script.
You can also use LDAP command-line tools to manage CRLs in Oracle Internet
Directory.
See Also: Appendix A, "Syntax for Command-Line Tools" in
Oracle Internet Directory Application Developer's Guide for
information about LDAP command-line tools and their syntax.
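The note above says CRLs must be refreshed before they expire and that the task can be scripted. The following added example (not from the Oracle manual) is a check such a script could run first: it reads each CRL's nextUpdate time with openssl and flags files that are expired or inside a warning window. The .crl suffix, PEM encoding, GNU date, the 3-day default window and all function names are assumptions.

```shell
#!/bin/sh
# Added example: flag CRLs that are expired or close to their nextUpdate time.
# Assumptions: GNU date, openssl on PATH, PEM-encoded CRLs named *.crl.

# seconds_left "<nextUpdate=... line>" <now_epoch>
# Prints seconds until nextUpdate (negative if past); returns 2 if unparsable.
seconds_left() {
    case "$1" in *nextUpdate=*) ;; *) return 2 ;; esac
    local stamp="${1#*nextUpdate=}" due
    due=$(date -u -d "$stamp" +%s 2>/dev/null) || return 2
    echo $(( due - $2 ))
}

# crl_state "<nextUpdate line>" <now_epoch> <warn_days>
# Prints EXPIRED, REFRESH (inside the warning window), OK or UNKNOWN.
crl_state() {
    local left
    left=$(seconds_left "$1" "$2") || { echo UNKNOWN; return 0; }
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( $3 * 86400 )) ]; then
        echo REFRESH
    else
        echo OK
    fi
}

# check_crl_dir <dir> [warn_days]
# Reports every *.crl in <dir>; returns 1 if any file needs attention.
check_crl_dir() {
    local dir="$1" warn="${2:-3}" now rc=0 f line state
    now=$(date -u +%s)
    for f in "$dir"/*.crl; do
        [ -f "$f" ] || continue
        # openssl prints e.g. "nextUpdate=Mar  1 00:00:00 2025 GMT"
        line=$(openssl crl -in "$f" -noout -nextupdate 2>/dev/null) || line=""
        state=$(crl_state "$line" "$now" "$warn")
        printf '%-8s %s %s\n' "$state" "$f" "$line"
        [ "$state" = OK ] || rc=1
    done
    return "$rc"
}

# Run only when a directory argument is given: ./check_crl.sh <crl_dir> [warn_days]
if [ "$#" -gt 0 ]; then
    check_crl_dir "$@"
fi
```

Run it from cron against the directory named in SSL_CRL_PATH; a non-zero exit is the signal to obtain fresh CRLs and rerun the orapki steps.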
Displaying orapki Help
You can display all the orapki commands that are available for managing CRLs by
entering the following at the command line:
orapki crl help
This command displays all available CRL management commands and their
options.
Note: Using the -summary, -complete, or -wallet command
options is always optional. A command will still run if these
command options are not specified.
Renaming CRLs with a Hash Value for Certificate Validation
When the system validates a certificate, it must locate the CRL issued by the CA
who created the certificate. The system locates the appropriate CRL by matching the
issuer name in the certificate with the issuer name in the CRL.
When you specify a CRL storage location for the Certificate Revocation Lists Path
field in Oracle Net Manager (sets the SSL_CRL_PATH parameter in the
sqlnet.ora file), use the orapki utility to rename CRLs with a hash value that
represents the issuer's name. Creating the hash value enables the server to load the
CRLs.
On UNIX operating systems, orapki creates a symbolic link to the CRL. On
Windows operating systems, it creates a copy of the CRL file. In either case, the
symbolic link or the copy created by orapki is named with a hash value of the

Certificate Validation with Certificate Revocation Lists
Configuring Secure Sockets Layer Authentication 7-41


This manual is also suitable for:

Database advanced security 10g release 1
