User's Manual
Certificate Validation with Certificate Revocation Lists
Configuring Secure Sockets Layer Authentication 7-35
does not give the complete chain and you do not have the appropriate trust
points to complete it.
Action: Use Oracle Wallet Manager to install the trust points that are required
to complete the chain. See "Importing a Trusted Certificate" on page 8-25.
Certificate Validation with Certificate Revocation Lists
The process of determining whether a given certificate can be used in a given
context is referred to as certificate validation. Certificate validation includes
determining that
■ A trusted certificate authority (CA) has digitally signed the certificate
■ The certificate's digital signature, verified with the certificate signer's (CA's)
public key, matches the independently calculated hash value of the certificate itself
■ The certificate has not expired
■ The certificate has not been revoked
The SSL network layer automatically performs the first three validation checks, but
you must configure certificate revocation list (CRL) checking to ensure that
certificates have not been revoked. CRLs are signed data structures that contain a
list of revoked certificates. They are usually issued and signed by the same entity
that issued the original certificate. (See certificate revocation lists)
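The following Go program is an added example, not part of this manual and not Oracle code. It builds a constructed in-memory PKI (a self-signed CA acting as the trust point, one server certificate it issued, and one CRL it signed) using only the Go standard library, and then performs the four checks listed above: the chain ends at a trust point and the signature verifies under the CA's public key, the certificate is within its validity period, and the issuer's CRL, after its own signature and currency are verified, does not list the certificate's serial number. It also shows the failure mode that matters most in practice: a missing CRL is reported as "revocation status unknown" rather than silently treated as "not revoked". The names `Example Trust Point CA` and `db.example.com` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts fixture construction on error; acceptable here because the PKI is a constructed test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// testPKI is a constructed, in-memory PKI for this example only: a self-signed CA acting as
// the trust point, one server certificate it issued, and one CRL it signed.
type testPKI struct {
	trustPoint *x509.Certificate
	leaf       *x509.Certificate
	crl        *x509.RevocationList
}

func buildTestPKI(now time.Time, revokeLeaf bool) *testPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trust Point CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: the CA signs its own CRL
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "db.example.com"}, // hypothetical name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour), // short-lived so the expiry check can be exercised
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))

	// The CRL is issued and signed by the same CA that issued the server certificate.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &testPKI{trustPoint: ca, leaf: leaf, crl: crl}
}

// validateCertificate performs the four checks: chain to a trust point plus signature verification
// under the signer's public key and the validity period (all done by Verify), then the CRL check.
// The CRL itself must come from the certificate's issuer, verify under that issuer's key, and be current.
func validateCertificate(leaf, trustPoint *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustPoint)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain/signature/validity check failed: %w", err)
	}
	if crl == nil {
		return errors.New("no CRL for issuer: revocation status unknown") // fail closed, never assume "not revoked"
	}
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return errors.New("CRL was not issued by the certificate's issuer")
	}
	if err := crl.CheckSignatureFrom(trustPoint); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return errors.New("CRL is not current")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// scenario builds the fixture and validates the server certificate as seen at now+clockOffset.
func scenario(revokeLeaf, withCRL bool, clockOffset time.Duration) error {
	now := time.Now()
	pki := buildTestPKI(now, revokeLeaf)
	var crl *x509.RevocationList
	if withCRL {
		crl = pki.crl
	}
	return validateCertificate(pki.leaf, pki.trustPoint, crl, now.Add(clockOffset))
}

func main() {
	fmt.Println("valid:   ", scenario(false, true, 0))
	fmt.Println("revoked: ", scenario(true, true, 0))
	fmt.Println("expired: ", scenario(false, true, 48*time.Hour))
	fmt.Println("no CRL:  ", scenario(false, false, 0))
}
```

The expiry case is checked before the CRL case on purpose: an expired certificate is rejected even if the CRL is stale, and a stale or missing CRL is an error of its own rather than a pass, which mirrors the manual's requirement that you must actually have CRLs for every trust point you honor.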
This section contains the following topics:
■ What CRLs Should You Use?
■ How CRL Checking Works
■ Configuring Certificate Validation with Certificate Revocation Lists
■ Certificate Revocation List Management
■ Troubleshooting Certificate Validation
What CRLs Should You Use?
You should have CRLs for all of the trust points that you honor. A trust point is a
trusted certificate from a third-party identity that has been qualified with a level of
trust. Typically, the certificate authorities you trust are called trust points.