User's Manual

Certificate Validation with Certificate Revocation Lists
Configuring Secure Sockets Layer Authentication
You can also use LDAP command-line tools to manage CRLs in Oracle Internet
Directory.
Displaying orapki Help
You can display all the orapki commands that are available for managing CRLs by
entering the following at the command line:
orapki crl help
This command displays all available CRL management commands and their
options.
Renaming CRLs with a Hash Value for Certificate Validation
When the system validates a certificate, it must locate the CRL issued by the CA
who created the certificate. The system locates the appropriate CRL by matching the
issuer name in the certificate with the issuer name in the CRL.
When you specify a CRL storage location for the Certificate Revocation Lists Path
field in Oracle Net Manager (sets the SSL_CRL_PATH parameter in the
sqlnet.ora file), use the orapki utility to rename CRLs with a hash value that
represents the issuer's name. Creating the hash value enables the server to load the
CRLs.
On UNIX operating systems, orapki creates a symbolic link to the CRL. On
Windows operating systems, it creates a copy of the CRL file. In either case, the
symbolic link or the copy created by orapki is named with a hash value of the
Note: CRLs must be updated at regular intervals (before they
expire) for successful validation. You can automate this task by
using orapki commands in a script.
See Also: Appendix A, "Syntax for Command-Line Tools" in
Oracle Internet Directory Application Developer's Guide for
information about LDAP command-line tools and their syntax.
Note: Using the -summary, -complete, or -wallet command
options is always optional. A command will still run if these
command options are not specified.
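The note above on automating CRL updates, as an added example (not Oracle's own script): a cron-friendly shell function that re-hashes every CRL in a staging directory into the SSL_CRL_PATH directory, removes links left dangling by deleted CRLs, and returns non-zero if any CRL fails to hash so that a stale revocation list is noticed. The orapki crl hash syntax (-crl, -wallet, -symlink) is taken from Oracle's orapki reference rather than from this page; the function names, the ORAPKI variable and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle manual.
# Assumed layout: a separate job drops fresh *.crl files into a staging
# directory; CRL_DIR is the directory named by SSL_CRL_PATH in sqlnet.ora.
# Use absolute paths so the symbolic links stay valid.
ORAPKI="${ORAPKI:-orapki}"   # orapki binary (variable name is an assumption)

# prune_dangling CRL_DIR
# Remove symbolic links whose target CRL no longer exists.
prune_dangling() {
    for link in "$1"/*; do
        # -L: entry is a symlink; ! -e: its target is gone
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "removing stale link: $link" >&2
            rm -f -- "$link"
        fi
    done
}

# rehash_crls STAGING CRL_DIR [WALLET]
# Hash each CRL in STAGING into CRL_DIR. When WALLET is given it is passed
# with -wallet so orapki can check the CRL against the CA certificate held
# in that wallet. Returns the number of CRLs that could not be hashed.
rehash_crls() {
    staging=$1 crl_dir=$2 wallet=${3:-} failed=0
    for crl in "$staging"/*.crl; do
        [ -e "$crl" ] || continue          # glob matched nothing
        if [ -n "$wallet" ]; then
            "$ORAPKI" crl hash -crl "$crl" -wallet "$wallet" -symlink "$crl_dir"
        else
            "$ORAPKI" crl hash -crl "$crl" -symlink "$crl_dir"
        fi || { echo "hash failed: $crl" >&2; failed=$((failed + 1)); }
    done
    prune_dangling "$crl_dir"
    return "$failed"
}

# Run directly as: script.sh STAGING CRL_DIR [WALLET]
[ "$#" -lt 2 ] || rehash_crls "$@"
```

On Windows, where orapki copies the CRL instead of linking it, the pruning step does not apply and old copies have to be removed by other means.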