Public Key Infrastructure in an Oracle Environment
Configuring Secure Sockets Layer Authentication 7-7
A certificate contains the entity's name, public key, and an expiration date—as well
as a serial number and certificate chain information. It can also contain information
about the privileges associated with the certificate.
When a network entity receives a certificate, it verifies that it is a trusted certificate,
that is, one that has been issued and signed by a trusted certificate authority. A
certificate remains valid until it expires or until it is revoked.
Certificate Revocation Lists
Typically, when a CA signs a certificate binding a public key pair to a user identity,
the certificate is valid for a specified period of time. However, certain events, such
as user name changes or compromised private keys, can render a certificate invalid
before the validity period expires. When this happens, the CA revokes the certificate
and adds its serial number to a Certificate Revocation List (CRL). CAs periodically
publish CRLs to alert the user population when it is no longer acceptable to use a
particular public key to verify its associated user identity.
When servers or clients receive user certificates in an Oracle environment, they can
validate the certificate by checking its expiration date, signature, and revocation
status. Certificate revocation status is checked by validating it against published
CRLs. If certificate revocation status checking is turned on, then the server searches
for the appropriate CRL depending on how this feature has been configured. The
server searches for CRLs in the following locations:
1. Local file system
2. Oracle Internet Directory
3. CRL Distribution Point, a location specified in the CRL Distribution Point
(CRL DP) X.509, version 3, certificate extension when the certificate is issued.
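The three checks described above (expiration date, issuer signature, revocation status against a published CRL), carried out in code as an added example. This is not Oracle code and does not touch Oracle wallets or the SSL adapter; it uses the third-party Python `cryptography` package to build an in-memory CA, issue user certificates, publish a CRL, and validate a certificate in the same order the text gives. The CA name, user names, validity periods and the `crl_from_directory` helper (which stands in for the first search location, the local file system) are all assumptions constructed for the example; Oracle Internet Directory and CRL DP lookups are not reproduced here.

```python
"""Added example: certificate validation against a CRL.
Uses the third-party `cryptography` package. Every certificate, key and CRL
below is constructed in memory for the example; none of it is Oracle code."""
from datetime import datetime, timedelta, timezone
from pathlib import Path

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)


def _utc(obj, attr):
    """Read a validity timestamp as an aware UTC datetime. Newer releases of
    `cryptography` expose `<attr>_utc`; older ones return naive UTC values."""
    ts = getattr(obj, attr + "_utc", None)
    return ts if ts is not None else getattr(obj, attr).replace(tzinfo=timezone.utc)


def make_ca(cn="Example CA"):
    """Self-signed CA (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_user_cert(ca_key, ca_cert, cn, days=30):
    """User certificate signed by the CA; the user's private key is discarded
    because only the public half matters for validation."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def publish_crl(ca_key, ca_cert, revoked_serials, valid_days=7):
    """CRL listing the revoked serial numbers, signed by the CA, with a
    next-update time after which relying parties must fetch a fresh copy."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW - timedelta(hours=1))
               .next_update(NOW + timedelta(days=valid_days)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW - timedelta(hours=1))
            .build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_from_directory(directory, issuer):
    """Search location 1 from the text, the local file system: return the first
    PEM CRL in `directory` issued by `issuer`, or None (hypothetical helper)."""
    for path in sorted(Path(directory).glob("*.crl")):
        crl = x509.load_pem_x509_crl(path.read_bytes())
        if crl.issuer == issuer:
            return crl
    return None


def validate(cert, ca_cert, crl, at=None):
    """Return 'ok' or the first failing check, in the order the text lists them:
    'expired', 'bad_signature', 'crl_unusable' (wrong issuer, bad CRL signature
    or stale CRL) or 'revoked'."""
    at = at or NOW
    # 1. Expiration date: the check time must fall inside the validity period.
    if not (_utc(cert, "not_valid_before") <= at <= _utc(cert, "not_valid_after")):
        return "expired"
    # 2. Signature: the trusted CA's public key must verify the to-be-signed bytes.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad_signature"
    # 3. Revocation status: only a CRL from this CA, signed by it and still
    #    current, is allowed to answer the question.
    if (crl.issuer != ca_cert.subject
            or not crl.is_signature_valid(ca_cert.public_key())
            or at > _utc(crl, "next_update")):
        return "crl_unusable"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

The CRL is treated as untrusted input until its issuer and signature are checked and its next-update time has not passed; a stale CRL is reported as unusable rather than silently accepting a certificate it can no longer vouch for.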
See Also: "Certificate Validation with Certificate Revocation
Lists" on page 7-35 for information about configuring and
managing this PKI component
Note: To use CRLs with other Oracle products, refer to the specific
product documentation. This implementation of certificate
validation with CRLs is only available in the Oracle Database 10g
Release 1 (10.1) SSL adapter.