Oracle Tips by Burleson
Oracle 10g Certificate Validation with Certificate
Revocation Lists (CRLs)
Certificate validation is an important element of
enabling public key infrastructure (PKI) in an enterprise. If you
use SSL in an Oracle environment, you can now validate the
certificates presented by servers and clients for authentication.
First off though, what the heck is a CRL?
Certificate Revocation Lists
Typically, a certificate issued by a Certificate
Authority (CA), which binds a public key to a user identity, is
only valid for a specified period of time. However, certain
security-related events, such as a user name change or a compromised
private key, can render a certificate invalid before its validity
period actually expires.
If this happens, the CA revokes the certificate and
adds its serial number to a Certificate Revocation List (CRL). CAs
publish CRLs periodically so that relying parties know when a
particular public key must no longer be used to verify its
associated user identity.
When servers in an Oracle environment receive
client certificates, they check each certificate's validity dates,
its signature, and its revocation status. Revocation status is
checked by looking the certificate's serial number up in the
published CRLs. When certificate revocation status checking is
turned on in Oracle Database 10g, the server searches for the
appropriate CRL depending on how this feature has been configured.
It looks on the local file system first; when the CRL cannot be
found there, the server searches the CRL directory subtree in
Oracle Internet Directory, using the CA's distinguished name (DN)
and the DN of the CRL directory subtree.
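As an added example (not from this page, and not Oracle's own tooling), the script below builds a throwaway PKI with the OpenSSL command line and then runs the same three checks a server applies to a client certificate: validity dates, a signature chaining to a trusted CA, and revocation status against a CRL. Every name in it (the demo CA, client1, client2, the impostor certificate, the working directory) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the Burleson page and not Oracle tooling: a
# throwaway PKI built with the OpenSSL CLI that mirrors the checks an
# Oracle server applies to a client certificate: validity dates,
# signature/issuer, and revocation status against a CRL.
# Every name here (Demo Root CA, client1, client2, impostor, $WORK)
# is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a CA, two client certs, a cert from an untrusted CA, and a CRL
# that revokes client1. Safe to call twice: it skips work already done.
setup_demo_pki() {
    cd "$WORK"
    if [ -f ca.crl ]; then return 0; fi
    # Minimal 'openssl ca' config: just what -revoke and -gencrl need.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 365
EOF
    : > index.txt
    echo 01 > crlnumber

    # Trusted root CA, plus an unrelated CA the server does not trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Untrusted CA" -keyout other.key -out other.pem 2>/dev/null

    # Two client certs from the trusted CA (30-day validity) ...
    for name in client1 client2; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 30 -sha256 -out "$name.pem" 2>/dev/null
    done
    # ... and one from the untrusted CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=impostor" -keyout impostor.key -out impostor.csr 2>/dev/null
    openssl x509 -req -in impostor.csr -CA other.pem -CAkey other.key \
        -CAcreateserial -days 30 -sha256 -out impostor.pem 2>/dev/null

    # client1's private key is "compromised": revoke it and publish a CRL.
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
        -revoke client1.pem 2>/dev/null
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
        -gencrl -crldays 365 -md sha256 -out ca.crl 2>/dev/null
}

# Apply the server-side checks to one certificate. Prints a one-word
# verdict (ok / revoked / expired / untrusted_issuer / rejected) and
# returns 0 only when the certificate passes.
#   $1 = certificate file, $2 = optional epoch time to evaluate it at
verify_cert() {
    cert=$1
    at=${2:-}
    cd "$WORK"
    if [ -n "$at" ]; then
        set -- -attime "$at" "$cert"
    else
        set -- "$cert"
    fi
    if out=$(openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check "$@" 2>&1); then
        echo ok
        return 0
    fi
    case "$out" in
        *"certificate revoked"*)         echo revoked ;;
        *"certificate has expired"*)     echo expired ;;
        *"unable to get local issuer"*)  echo untrusted_issuer ;;
        *)                               echo rejected ;;
    esac
    return 1
}

# Revocation checking with no CRL available at all: a strict checker
# refuses the certificate rather than quietly treating it as unrevoked.
verify_without_crl() {
    cd "$WORK"
    if out=$(openssl verify -CAfile ca.pem -crl_check "$1" 2>&1); then
        echo ok
        return 0
    fi
    case "$out" in
        *"unable to get certificate CRL"*) echo no_crl ;;
        *)                                 echo rejected ;;
    esac
    return 1
}

# Run the demo when executed directly (set CRL_DEMO=0 to only define functions).
if [ "${CRL_DEMO:-1}" = 1 ]; then
    setup_demo_pki
    for c in client2.pem client1.pem impostor.pem; do
        printf '%-13s %s\n' "$c" "$(verify_cert "$c" || true)"
    done
    printf '%-13s %s\n' "client2 +60d" \
        "$(verify_cert client2.pem "$(( $(date +%s) + 60 * 86400 ))" || true)"
    printf '%-13s %s\n' "no CRL" "$(verify_without_crl client2.pem || true)"
fi
```

The last function is the caveat worth remembering when you turn revocation checking on: with `-crl_check` and no CRL for the issuer, OpenSSL rejects the certificate outright, so a server in strict mode that cannot reach its CRL source will refuse every client, not just the revoked ones. The page's two-step search (local file system, then Oracle Internet Directory) is what keeps that from happening in an Oracle deployment; make sure at least one of those sources is populated before enabling the check.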