Troubleshooting Certificate Validation - Oracle Database B10772-01 Administrator's Manual

Certificate Validation with Certificate Revocation Lists
[-summary]
where issuer_name is the name of the CA who issued the CRL, the hostname
and ssl_port are for the system on which your directory is installed, and
username is the directory user who has permission to delete CRLs from the CRL
subtree. Note that this must be a directory SSL port with no authentication.
See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more
information about this port.
Using the -summary option causes the tool to print the CRL LDAP entry that was
deleted.
For example, the following orapki command:
orapki crl delete -issuer "CN=root,C=us" -ldap machine1:3500 -user cn=orcladmin -summary
produces the following output, which lists the location of the deleted CRL in the
directory:
Deleted CRL at cn=root cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext
Troubleshooting Certificate Validation
To determine whether certificates are being validated against CRLs, you can enable
Oracle Net tracing. When a revoked certificate is validated by using CRLs, the
Oracle Net trace file contains the following entries, with no error messages
logged between each entry and exit:
nzcrlVCS_VerifyCRLSignature: entry
nzcrlVCS_VerifyCRLSignature: exit
nzcrlVCD_VerifyCRLDate: entry
nzcrlVCD_VerifyCRLDate: exit
nzcrlCCS_CheckCertStatus: entry
nzcrlCCS_CheckCertStatus: Certificate is listed in CRL
nzcrlCCS_CheckCertStatus: exit
Note that when certificate validation fails, the peer in the SSL handshake sees an
ORA-29024: Certificate Validation Failure. If this message displays, see
"ORA-29024: Certificate Validation Failure" on page 7-34 for information about
how to resolve the error.
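The trace check described above, written as an added Python example that is not part of the Oracle manual or of Oracle's tooling: it reports, for each of the three nzcrl steps shown, whether entry and exit were logged with no error line between them, and whether the certificate was listed in the CRL. The function name check_crl_trace, the error-word pattern and the second sample trace are assumptions made for illustration.

```python
import re

STEPS = ("nzcrlVCS_VerifyCRLSignature", "nzcrlVCD_VerifyCRLDate",
         "nzcrlCCS_CheckCertStatus")
REVOKED_MSG = "Certificate is listed in CRL"
STEP_LINE = re.compile(r"\b(nzcrl\w+): (.*)$")
# Assumption: the manual does not show an error line, so any line with one of
# these words between a step's entry and exit is treated as an error message.
ERROR_HINT = re.compile(r"error|fail|ORA-\d+", re.IGNORECASE)

def check_crl_trace(text):
    """Return ({step: clean|error|incomplete|missing}, revoked_flag)."""
    status = {s: "missing" for s in STEPS}
    open_step, revoked = None, False
    for line in text.splitlines():
        m = STEP_LINE.search(line)   # search, so leading trace prefixes are tolerated
        name, msg = (m.group(1), m.group(2).strip()) if m else (None, "")
        if name in status and msg == "entry":
            open_step = name
            if status[name] != "error":       # an earlier error stays recorded
                status[name] = "incomplete"   # until the matching exit is seen
        elif open_step and name == open_step and msg == "exit":
            if status[name] == "incomplete":
                status[name] = "clean"
            open_step = None
        elif open_step and name == open_step and msg == REVOKED_MSG:
            revoked = True
        elif open_step and ERROR_HINT.search(line):
            status[open_step] = "error"
    return status, revoked

# The trace entries printed in the manual for a revoked certificate.
REVOKED_TRACE = """\
nzcrlVCS_VerifyCRLSignature: entry
nzcrlVCS_VerifyCRLSignature: exit
nzcrlVCD_VerifyCRLDate: entry
nzcrlVCD_VerifyCRLDate: exit
nzcrlCCS_CheckCertStatus: entry
nzcrlCCS_CheckCertStatus: Certificate is listed in CRL
nzcrlCCS_CheckCertStatus: exit
"""
# Constructed sample: the fourth line is invented for illustration only.
BROKEN_TRACE = """\
nzcrlVCS_VerifyCRLSignature: entry
nzcrlVCS_VerifyCRLSignature: exit
nzcrlVCD_VerifyCRLDate: entry
nzcrlVCD_VerifyCRLDate: constructed error line
nzcrlVCD_VerifyCRLDate: exit
"""
```

A step reported as missing or incomplete means the trace never showed that part of CRL validation finishing, so the certificate status check cannot be assumed to have run.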
Configuring Secure Sockets Layer Authentication 7-45

This manual is also suitable for:

Database advanced security 10g release 1
