Oracle Database B10772-01 Administrator's Manual page 212

Certificate Validation with Certificate Revocation Lists
Oracle Net Tracing File Error Messages Associated with Certificate Validation
The following trace messages, relevant to certificate validation, may be logged
between the entry and exit entries in the Oracle Net tracing file. Oracle SSL looks
for CRLs in multiple locations, so there may be multiple errors in the trace.
Check the following list of possible error messages for information about how to
resolve them.
CRL signature verification failed with RSA status
CRL date verification failed with RSA status
CRL could not be found
7-46 Oracle Database Advanced Security Administrator's Guide
Oracle Net Services Administrator's Guide for information
See Also:
about setting tracing parameters to enable Oracle Net tracing
Cause: The CRL signature cannot be verified.
Action: Ensure that the downloaded CRL is issued by the peer's CA and that
the CRL was not corrupted when it was downloaded. Note that the orapki
utility verifies the CRL before renaming it with a hash value or before
uploading it to the directory. See
page 7-40 for information about using orapki for CRL management.
Cause: The current time is later than the time listed in the next update field.
You should not see this error if CRL DP is used. The systems searches for the
CRL in the following order:
File system
1.
Oracle Internet Directory
2.
CRL DP
3.
The first CRL found in this search may not be the latest.
Action: Update the CRL with the most recent copy.
Cause: The CRL could not be found at the configured locations. This will
return error ORA-29024 if the configuration specifies that certificate validation
is require.
Action: Ensure that the CRL locations specified in the configuration are correct
by performing the following steps:
Use Oracle Net Manager to check if the correct CRL location is configured.
1.
See "Configuring Certificate Validation with Certificate Revocation Lists"
page 7-37
"Certificate Revocation List Management" on
on