Oracle® Application Server Certificate Authority Administrator's Guide
10g Release 2 (10.1.2) B14080-02
This appendix lists and describes the various windows, fields, and control devices in the Oracle Application Server Certificate Authority Web interface. It contains these sections:
This section lists and describes the windows and fields in the Web administrative interface.
Use this page to enroll as a Web administrator if you know your full distinguished name (DN)--if it already exists--and understand how to enter it in LDIF format. This feature is a shortcut for the Distinguished Name Information heading on the Web Administrator Enrollment page, where it appears as the link Advanced DN. The DN is the location of your user entry in Oracle Internet Directory. Oracle Application Server Certificate Authority stores your certificate in and retrieves it from your directory entry.
For enrollment instructions, see Requesting the Administrator Certificate.
Use the Advanced screen to narrow or refine your search for certificate requests or existing certificates. The Advanced screen offers the following five search methods:
Search Certificate Requests Using Request Status
Choose from three certificate search categories: Pending, Rejected, and Certified. You must use this option to search for rejected certificates.
Search Using Distinguished Name (DN)
Choose Certificate or Certificate Request from the Search list to specify certificate holders or certificate requesters. Enter the components of the certificate holder's or certificate requester's distinguished name. All fields are optional.
Search Using Advanced Distinguished Name
Choose this option if you know the certificate requester or certificate holder's full DN and understand how to enter it in LDIF format. In the following example, note that spaces between attributes are optional:
cn=Margarita Redmond,ou=sales,o=yourcorp,l=Bismarck,st=SD,c=US
Search Using Serial Number/Request ID Range
Choose this option to retrieve information about certificates that fall within a given range. Use the Certificate list to toggle between requested certificates and existing certificates. Both serial number fields are mandatory.
Search Certificates Using Certificate Status
Choose from three certificate status categories: Valid, Revoked, or Expired.
To learn how to search using these methods, please see the Advanced Search Screen.
Use this page to obtain a complete description of a certificate, including its BASE64 encoding. The nonmodifiable fields on this page are as follows:
Field | Description |
---|---|
Status | This value is VALID, REVOKED, or EXPIRED. |
Serial Number | The certificate's serial number assigned by Oracle Application Server Certificate Authority. |
Signature Algorithm | The algorithm used, such as MD5 with RSA encryption, which is indicated by the object identification number (OID). |
Usage | The certificate function. |
Issuing Authority | The CA that issued the certificate. |
Subject DN | Distinguished name of the certificate holder. |
Not Valid Before | Date and time certificate became valid. |
Not Valid After | Date and time certificate expires. |
BASE64-Encoded Certificate with CA certificate chain in PKCS#7 format | The encoded certificate plus its tree of trusted authorities, in PKCS#7 format. This form allows a single operation to transport all certificates in the trusted chain up through the root CA certificate. |
BASE64 Encoded Certificate | The encoded certificate. |
Choose one of the buttons located at the bottom of the page to perform your desired task:
Button Name | Description |
---|---|
OK | Returns you to the main certificate management page. |
Revoke | Revokes the certificate. You must specify a revocation reason. |
Renew | Renews the certificate. You must specify a new validity period. |
Install in Browser | Installs the certificate into your browser. |
Use this page to reject a manual certificate request. You reject the request by choosing Submit. Choosing Cancel returns you to the Requests page.
The page contains nonmodifiable fields that constitute a profile of the certificate requester. A description of these fields follows:
Field | Description |
---|---|
Status | This value is always PENDING. |
Certificate Type | This value is client, server, or ca (certificate authority). |
Certificate Usage | The certificate function (SSL Client, Signing, or other) |
Serial Number | The serial number used to reference the certificate request. OracleAS Certificate Authority assigns a new value when you approve a certificate request. |
Subject DN | The distinguished name (DN) of the requester. The DN is the location of the requester's user entry in Oracle Internet Directory. |
Request Date | The date and time that the user entered the request on the manual request form. |
Algorithm | The algorithm used to encrypt the certificate. |
Exponent | The public key exponent. The larger this number is, the longer clients take to encrypt messages. |
Please see Certificate Request Rejection to learn how to perform this task.
Use this page to approve or reject a certificate request (by clicking either Approve or Reject). Choosing Cancel returns you to the Requests page.
This page displays details of the certificate request and lets you enable or edit the following features and fields:
Apply policy check while approving a certificate request
If policy checking is disabled (unchecked), then policy rules are not applied to the certificate request. This is useful when issuing special certificates that do not conform to policy rules.
Subject (Requester)
Administrators can edit the DN if users have entered it incorrectly.
Validity
Administrators can change the validity period before approving certificate requests.
The read-only Certificate Request Information fields are described as follows:
Field | Description |
---|---|
Status | This value is always PENDING. |
Certificate Type | This value is either client or server. |
Certificate Usage | This is one of eight values: Authentication; Encryption; Signing; Authentication and Encryption; Authentication and Signing; Encryption and Signing; Authentication, Encryption, and Signing; or Code Signing. |
Serial Number | The serial number used to reference the certificate request when it is pending or once it has been granted. Oracle Application Server Certificate Authority assigns a new value when you approve a certificate request. |
Subject DN | The distinguished name (DN) of the requester. The DN is the location of the requester's user entry in Oracle Internet Directory. |
Request Date | The date and time that the user entered the request on the manual request form. |
Algorithm | The algorithm used to encrypt the certificate and the exponent. |
Exponent | The public key exponent. The larger this number is, the longer clients take to encrypt messages. |
Please see Approving or Rejecting Certificate Requests to learn how to perform this task.
The Requests page displays a table listing all pending certificate requests that require administrator attention.
Use the buttons on this page to perform the following tasks:
Search for and List Certificates and Certificate Requests
Update the Certificate Revocation List
To perform one of the following tasks, select a request and click View Details:
Approve Certificate Requests
Reject Certificate Requests
Revoke Certificates
Click a link to learn about a task.
The default policy plug-ins shipped with Oracle Application Server Certificate Authority are generic. You may need to enhance the default policy framework to suit your organization by writing custom policy plug-ins. Application programming interfaces (APIs) are provided to get information about certificate requests, certificates, and other generic functions. Adding a policy is also referred to as registering a policy with Oracle Application Server Certificate Authority.
To add a custom policy:
1. Write a Java class that implements the OCACustomPolicyPlugin interface.
   See the oracle.security.oca.policy package in the Javadoc provided with the documentation for descriptions of the classes and methods provided in OCACustomPolicyPlugin.
   See Developing a Custom Policy Plug-in for information about writing a custom policy Java class.
2. Package your custom policy Java class into a .jar file and place it in the following location, depending on your platform:
   $ORACLE_HOME/oca/policy (UNIX)
   ORACLE_BASE\ORACLE_HOME\oca\policy (Windows)
   If the policy subdirectory does not exist, then create it.
3. To register your custom policy with Oracle Application Server Certificate Authority, log in to the Web administrative interface.
4. On the main Policy page of the Configuration Management tab, select the Operation type for the custom policy you want to add and click Go. The Policy Rules page for that Operation appears.
5. On the Policy Rules page for the Operation type you selected, click Add, which is located on the rightmost side of the page. The Custom Policy Details page appears.
6. On the Custom Policy Details page, enter the information for your custom policy into the provided fields. The following describes the type of information each field requires:
   Name: The name of your custom policy. For example, AuditCertDetails.
   Description: A description of what your custom policy does.
   Class: The name of the Java class that implements your custom policy. See Steps 1 and 2.
7. Check Enable this policy to activate the custom policy and click OK. A message appears confirming that a new policy has been added.
8. Check that the policy precedence is what you want for this policy. See Policy Actions for details on reordering policy precedence.
9. Restart the Oracle Application Server Certificate Authority server for your custom policy to take effect. See Starting and Stopping Oracle Application Server Certificate Authority.
See Policy Actions for the following topics:
Viewing Policies
Editing Policies
Enabling Policies
Disabling Policies
Deleting Policies
Reordering Policy Precedence
Policy Management
Use this page to set the default values and restrictions for the RenewalRequestConstraint policy. This policy applies to client or server/sub ca certificate renewal requests and restricts whether expired certificates can be renewed. It can be applied to SSL users.
You can modify the following default values and restrictions for this policy:
Parameter | Default Value | Description |
---|---|---|
Allow Renewal | Checked (TRUE) | Specifies whether certificates can be renewed. When it is checked (TRUE), certificates can be renewed. |
Days before expiration date | 15 days | Specifies how many days before a certificate's expiration it can be renewed. If you specify 0 (zero), then certificates cannot be renewed before their expiration date. If you specify * (asterisk), then certificates can be renewed anytime before their expiration date. |
Days after expiration date | 15 days | Specifies how many days after a certificate's expiration it can be renewed. If you specify 0 (zero), then certificates cannot be renewed after their expiration date. If you specify * (asterisk), then certificates can be renewed anytime after their expiration date. |
Duration of renewal (days) | 365 days | Specifies how long renewed certificates are valid. |
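The following added example (not Oracle code and not part of the original guide) models how the three renewal parameters above combine into a renewal window, including the 0 and * settings. The function names, the inclusive window boundaries, and the sample expiration date are assumptions made for illustration.

```python
from datetime import datetime, timedelta

ANY = "*"  # the asterisk setting: no limit on that side of the expiration date

# Constructed sample value, not taken from a real certificate.
SAMPLE_NOT_AFTER = datetime(2025, 6, 30)


def _days(setting):
    """Convert a 'Days before/after expiration date' setting to a timedelta.

    Returns None for '*', which means that side of the window is open.
    """
    if setting == ANY:
        return None
    days = int(setting)
    if days < 0:
        raise ValueError("day counts cannot be negative")
    return timedelta(days=days)


def renewal_window(not_after, days_before=15, days_after=15):
    """Return (earliest, latest) renewal times; None marks an open end."""
    before, after = _days(days_before), _days(days_after)
    earliest = None if before is None else not_after - before
    latest = None if after is None else not_after + after
    return earliest, latest


def renewal_allowed(now, not_after, allow_renewal=True,
                    days_before=15, days_after=15):
    """Decide whether a renewal request made at `now` falls inside the window.

    Returns (allowed, reason). Boundaries are treated as inclusive, which is
    an assumption of this model.
    """
    if not allow_renewal:
        return False, "Allow Renewal is unchecked"
    earliest, latest = renewal_window(not_after, days_before, days_after)
    if earliest is not None and now < earliest:
        return False, f"too early, window opens {earliest:%Y-%m-%d}"
    if latest is not None and now > latest:
        return False, f"too late, window closed {latest:%Y-%m-%d}"
    return True, "inside renewal window"


if __name__ == "__main__":
    cases = [
        ("defaults, 20 days early", datetime(2025, 6, 10), {}),
        ("defaults, 10 days early", datetime(2025, 6, 20), {}),
        ("defaults, 20 days late", datetime(2025, 7, 20), {}),
        ("days after = *, 18 months late", datetime(2027, 1, 1),
         {"days_after": ANY}),
        ("days before = 0, 1 day early", datetime(2025, 6, 29),
         {"days_before": 0}),
    ]
    for label, now, settings in cases:
        print(label, "->", renewal_allowed(now, SAMPLE_NOT_AFTER, **settings))
```

With * for Days after expiration date, a certificate that expired long ago still passes this check, so that setting deserves a deliberate decision rather than being used as a convenience.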
Predicate expressions are optional, altering application of this policy when an incoming request matches a predicate expression specified here. A policy with no predicates applies to all incoming requests. For example, the following predicate expression specifies that all client renewal requests coming from the Acme Company marketing department that is located in Japan (ou=marketing,o=acme,c=japan) are subject to the parameter settings chosen for this predicate:
Type=="client" AND DN=="ou=marketing,o=acme,c=japan"
For detailed information about predicate expression syntax, see "Predicates in Policy Rules".
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters and predicates to their previous values. |
Apply | Click this button to apply any changes made to this page. |
Cancel | Click this button to cancel any changes made to this page and return to the main Policy page. |
OK | Click this button to return to the main Policy page. Any changes made to this page are automatically saved. |
See Predicates in Policy Rules for the following topics:
Editing Policies
Adding Predicates to Policy Rules
Reordering Predicate Precedence in Policy Rules
Deleting Predicates from Policy Rules
Use this page to specify whether expired certificates can be revoked. Note: When enabled, this policy applies to all certificate revocation requests from both clients and servers. To provide different limits for certificate revocation requests from particular DNs, use predicates as described in the following section.
You can modify the following parameters and restrictions for this policy:
allow revocation of expired certificates
Check this parameter to turn it on. When checked, expired certificates can be revoked, and when unchecked they cannot. By default this parameter is checked.
Predicate expressions are optional, altering application of this policy when an incoming request matches a predicate expression. A policy with no predicates applies to all requests. For example, the following predicate expression specifies that client certificates from the United Kingdom Acme Company sales department (ou=sales,o=acme,c=uk) are subject to the parameter setting chosen for this predicate:
Type=="client" AND DN=="ou=sales,o=acme,c=uk"
For detailed information about predicate expression syntax, see "Predicates in Policy Rules".
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters and predicates to their previous values. |
Apply | Click this button to apply any changes made to this page. |
Cancel | Click this button to cancel any changes made to this page and return to the main Policy page. |
OK | Click this button to return to the main Policy page. Any changes made to this page are automatically saved. |
See Predicates in Policy Rules for the following topics:
Editing Policies
Adding Predicates to Policy Rules
Reordering Predicate Precedence in Policy Rules
Deleting Predicates from Policy Rules
Use this page to set the default values and restrictions for the RSAKeyConstraints policy. This policy specifies the minimum and maximum values for the length, in bits, of a public or private key. The drop-down lists show the selectable choices for certificate requests that do not meet any specified predicates. The corresponding limits for certificate requests that do meet a specified predicate are shown on the same line as that predicate.
Note: When enabled, the default values for this policy apply to all certificate requests from both clients and servers. To provide different limits for certificate requests from particular DNs or for particular certificate types or usages, use predicates as described in the following section.
You can modify the following default values and restrictions for this policy:
Parameter | Default Value | Description |
---|---|---|
maxsize Default Value | 2048 | Maximum key length |
minsize Default Value | 1024 | Minimum key length. Use this parameter to ensure a minimum level of security. |
Predicate expressions are optional, altering application of this policy when an incoming request matches a predicate expression. A policy with no predicates applies to all requests. For example, the following predicate expression requires that client SSL certificate requests use the key lengths specified with this predicate:
OCMCert.Type=="client" AND OCMCert.Usage=="ssl"
For detailed information about predicate expression syntax, see "Predicates in Policy Rules".
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters and predicates to their previous values. |
Apply | Click this button to apply any changes made to this page. |
Cancel | Click this button to cancel any changes made to this page and return to the main Policy page. |
OK | Click this button to return to the main Policy page. Any changes made to this page are automatically saved. |
See Predicates in Policy Rules for the following topics:
Editing Policies
Adding Predicates to Policy Rules
Reordering Predicate Precedence in Policy Rules
Deleting Predicates from Policy Rules
Use this page to enable or disable the TrustPointDNCustomRule policy, an example of a custom plug-in policy you can develop by using the application programming interfaces (APIs) that OracleAS Certificate Authority provides. See "Developing a Custom Policy Plug-in" for more information.
When enabled, the TrustPointDNCustomRule policy checks the DN in every certificate request against all of the CA and subCA certificates' DNs in the certificate chain. If the DN specified in the certificate request matches any CA's DN, then OracleAS Certificate Authority rejects the request. (The certificate chain is an ordered list of certificates containing an end entity certificate and its corresponding CA certificates.)
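A DN check of this kind is only reliable if both DNs are normalized before they are compared, because the same name can be written with different case, spacing, or escaping. The following added example (not Oracle's implementation and not part of the original guide) shows one way to do that comparison; the function names and the sample chain DNs are constructed for illustration, and multi-valued RDNs and multi-byte hex escapes are not handled.

```python
import re


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Resolve backslash escapes: a hex pair (\\2C) or a single character (\\,)."""
    def repl(match):
        token = match.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", repl, value)


def normalize_dn(dn):
    """Return a DN as a tuple of (attribute, value) pairs in canonical form.

    Attribute types and values are lower-cased, surrounding spaces are
    dropped, and runs of whitespace inside a value collapse to one space.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {rdn!r}")
        value = re.sub(r"\s+", " ", _unescape(value.strip())).lower()
        rdns.append((attr.strip().lower(), value))
    return tuple(rdns)


def matches_trust_point(request_dn, chain_dns):
    """Return the chain DN that the request DN duplicates, or None."""
    wanted = normalize_dn(request_dn)
    for ca_dn in chain_dns:
        if normalize_dn(ca_dn) == wanted:
            return ca_dn
    return None


# Constructed sample chain: a root CA and one subordinate CA.
SAMPLE_CHAIN = [
    "CN=Acme Root CA,O=Acme,C=US",
    "cn=Acme Issuing CA, ou=PKI, o=Acme, c=US",
]

if __name__ == "__main__":
    requests = [
        # Same name as the subordinate CA, different case and spacing.
        "cn=acme  issuing ca,OU=pki,O=ACME,C=us",
        # The end-entity DN used as an example earlier on this page.
        "cn=Margarita Redmond,ou=sales,o=yourcorp,l=Bismarck,st=SD,c=US",
    ]
    for dn in requests:
        hit = matches_trust_point(dn, SAMPLE_CHAIN)
        print("REJECT" if hit else "accept", dn)
```

A plain string comparison would accept the first request, since it differs from the subordinate CA's DN only in case and spacing.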
Use this page to enable and set the default values and restrictions for the UniqueCertificateConstraints policy, which limits each user to a single certificate for each specific usage or allows a user to have multiple certificates for each usage. If enabled, this policy verifies whether there are certificates in the repository that match the subject DN of the incoming certificate request. If a certificate with a matching DN is found and Allow multiple certificates is unchecked (FALSE), then the server also verifies whether certificate usage is the same. If a certificate with the same usage is found, then OracleAS Certificate Authority will not issue another certificate with the same usage to the same subject DN.
You can modify the following parameters and restrictions for this policy:
Parameter Details
Allow multiple certificates Default Value
If this parameter is checked (TRUE), then OracleAS Certificate Authority will issue a certificate although there may be multiple certificates with the same subject DN and the same usage. If this parameter is left unchecked (FALSE), then the server will not issue multiple certificates with the same usage to the same subject DN.
Predicate Details
Predicate expressions are optional, altering application of this policy when an incoming request matches a predicate expression. A policy with no predicates applies to all requests. For example, the following predicate expression specifies that client certificate requests from the Acme Company's accounts payable department, located in Trenton, New Jersey, USA (ou=acct_pay,loc=trenton,o=acme,c=us) can get multiple certificates for the same DN and usage:
Type=="client" AND DN=="ou=acct_pay,loc=trenton,o=acme,c=us"
Allow multiple certificates value set to TRUE.
For detailed information about predicate expression syntax, see "Predicates in Policy Rules".
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters and predicates to their previous values. |
Apply | Click this button to apply any changes made to this page. |
Cancel | Click this button to cancel any changes made to this page and return to the main Policy page. |
OK | Click this button to return to the main Policy page. Any changes made to this page are automatically saved. |
Use this page to set the default values and restrictions for the ValidityRule policy, which enforces a maximum and minimum period of time that manually authenticated requests can specify for certificate validity. For example, if the default maximum validity period is set to 1825 days (5 years) and a certificate request asks for a 3650 day (10 year) validity period, then this policy will reject this request. All values must be specified in days for this parameter.
For SSL or OracleAS Single Sign-On (SSO) authenticated users, you can set the Default Validity period parameter, which automatically populates for those types of requests.
Note: When enabled, this policy applies to all certificate requests from both clients and servers. To provide different limits for certificate requests from particular DNs, use predicates as described in the following section.
You can modify the following parameters and restrictions for this policy:
Parameter Details
Parameter | Default Value | Description |
---|---|---|
Maximum Validity period | 3650 | The maximum period in days that certificates are valid. |
Minimum Validity period | 90 | The minimum period in days that certificates are valid. |
Default Validity period | 365 | The validity period in days for SSO or SSL authenticated certificate requests. |
Predicate Details
Predicate expressions are optional, altering application of this policy when an incoming request matches a predicate expression. A policy with no predicates applies to all requests. For example, the following predicate expression specifies that client SSL certificate requests use the maximum and minimum validity periods selected with this predicate:
Type=="client" AND Usage=="ssl"
For detailed information about predicate expression syntax, see "Predicates in Policy Rules".
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters and predicates to their previous values. |
Apply | Click this button to apply any changes made to this page. |
Cancel | Click this button to cancel any changes made to this page and return to the main Policy page. |
OK | Click this button to return to the main Policy page. Any changes made to this page are automatically saved. |
Use the General page of the Configuration Management tab to view database and directory information, enable publishing certificates to the directory, enable logging and tracing, and to specify default values for distinguished name (DN) components.
You can view or configure the following parameters:
Certificate Publishing
When "Publish" is checked, OracleAS Certificate Authority automatically stores certificates in the directory when they are issued, and automatically deletes them when revoked. OracleAS Certificate Authority connects to the directory using SSL.
SSL and SSO Authentication
By default, users who are authenticated by SSL or OracleAS Single Sign-On can automatically issue, revoke, or renew their own certificates. You can disable this feature by unchecking Enable SSL Authentication or Enable SSO Authentication.
Default usage for client certificates
The value you choose here appears as the selected usage when a client requests a certificate. This does not prevent the user from selecting a different usage from the drop-down list, which includes authentication, encryption, signing, and combinations of these, plus CA signing, and code signing.
Subject Alternate Name Extension
For SSO users, the value chosen for this extension appears in the certificate to enable e-mail encryption, signing, or use by other applications. Your choices are shown in Extension Content Choice.
Extension Content Choice
Choose from None, Email, Principal Name (UID), or Email/Principal Name (UID). The choice made here appears in the certificate as the subject alternate name, enabling e-mail encryption, signing, or use by other applications. (UID means user identifier or unique identifier.) Choosing "Email/Principal Name (UID)" causes both to be listed in the certificate.
Mandatory
If this box is checked, the Subject Alternate Name Extension is required for all SSO-authenticated certificates. If an e-mail address or Principal Name cannot be found in Oracle Internet Directory for the user named in an SSO-authenticated certificate request, that request will be denied. An error message will state that an SSO-authenticated certificate could not be issued because an e-mail account was not found in the Oracle Internet Directory, and that the requestor should contact the administrator.
Logging and Tracing
Allows you to enable logging or tracing. OracleAS Certificate Authority server logs error information for all components it manages. By default, logging is enabled.
Choose Enable Logging to write system events and error messages to the Certificate Authority log table, viewable from the View Logs tab of the administrator web interface.
Choose Enable Tracing to record debugging messages for Oracle Support to ORACLE_HOME/oca/logs/admin.trc (for tracing command line actions) and ORACLE_HOME/oca/logs/oca.trc (for tracing web actions). This information is not intended for administrator use.
Default Base DN Components
If most of the DNs specified in enrollment requests have identical components (except the unique identifier component), then you can specify them here. The manual enrollment request form fields generated by OracleAS Certificate Authority are then prepopulated with these default components, which users can overwrite if necessary. All fields are optional.
Database Settings
Displays the database connect string used to connect to the OracleAS Certificate Authority repository. This field is read-only.
In this section, you can also specify settings for the Database Pool Size and Database Pool Scheme, as follows:
Database Pool Size: Enter here the number of connections to the database (default: 10) that represents your expectation of how many users will be accessing OracleAS Certificate Authority concurrently. When a user in that first group exits OracleAS Certificate Authority, his connection becomes available to the next new user. For each user beyond that number, a new connection will be opened, to be closed as soon as that user has exited OracleAS Certificate Authority.
Database Pool Scheme: The default, "Fixed wait scheme", means that after 10 (the default pool size, or the number you specify) users are connected to OracleAS Certificate Authority, every subsequent user attempting to connect simply waits until one of the original 10 exits. The "dynamic" choice causes a new connection to be opened immediately for the new user, and after that user exits OracleAS Certificate Authority, that connection is closed. "Fixed Increment" means that after the original pool size limit is reached, a new connection is opened for each new user, up to a secondary limit, after which no new user can connect until an existing OracleAS Certificate Authority user exits.
Directory Settings
Displays directory host machine, listener port, and the bind DN that has privileges on the directory host port (the OracleAS Certificate Authority LDAP agent that publishes users' certificates to Oracle Internet Directory). All fields are read-only.
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters to their previous values. |
Cancel | Click this button to cancel any changes made to this page and return to the main Configuration Management page (Notification). |
OK | Click this button to save any changes made to this page. A message confirming that the configuration file was updated appears at the top of the screen. Restart the server as described in Starting and Stopping Oracle Application Server Certificate Authority for the changes to take effect. |
Related Topics
Logging and Tracing in Configuration Management -- General
Setting the Default Base DN Components in Configuration Management -- General
Use the Notification page of the Configuration Management tab to configure e-mail server host name and e-mail templates for automatic notifications. You can also use this page to enable administrator alerts, schedule timed jobs to automatically generate CRLs (Certificate Revocation Lists), and to synchronize OracleAS Certificate Authority with the directory.
Notifications are sent to users after OracleAS Certificate Authority processing events, such as certificate requests, revocations, or renewals. Alerts are sent to administrators for events like CRL generation failure, or when the pending request queue size is greater than the specified threshold.
You can configure the following parameters:
Mail Details
Use this region to specify your outgoing e-mail (SMTP) server host name, the administrator's name and e-mail address to display on notification e-mails, and the e-mail address to which administrator alerts should be sent. You can also enable secure MIME protocol use and e-mail message body templates, as explained in "Email Templates".
Note: The e-mails sent by OracleAS Certificate Authority are signed using the server's S/MIME wallet, which is stored in ORACLE_HOME/oca/wallet/smime.
Alerts
Note: to enable alerts, Mail Details information must be specified.
Use this region to enable administrator alerts as follows:
To send administrator alerts for certificate processing events, check Enable Alerts. To enable other types of alerts, you must check this box and one or both of the following:
To send administrator alerts when the request queue reaches a specified size, check Pending Requests Queue over Threshold. Specify that size (number of certificate requests) in Queue Size Threshold. When you enable this alert, you must also specify the first time the server should check the queue size and how often thereafter, as follows:
In Queue Size Check Start Time, enter the start time using a 24-hour clock time (default is midnight), for example 2 hours 30 minutes for 2:30 in the morning, or 14 hours 30 minutes for 2:30 in the afternoon.
In Interval Between Queue Size Checks, enter the interval (default one day) to be added to that time to specify the time of the next check; it must be nonzero.
Changes survive restarts.
To send administrator alerts if automatic CRL generation fails, check CRL Auto Generation Failure.
Scheduled Jobs
Use this region to schedule timed automatic jobs as follows:
To Enable Automatic Generation of CRL, click the check box next to that label. Specify the first such generation and the intervals thereafter as follows:
In CRL Auto Generation Start Time, enter the start time using a 24-hour clock time (default is midnight), for example 2 hours 30 minutes for 2:30 in the morning, or 14 hours 30 minutes for 2:30 in the afternoon.
In CRL Auto Generation Interval, enter the interval (default one day) to be added to that time to specify the time of the next CRL generation; it must be nonzero.
In CRL Auto Generation Validity, enter the number of days each CRL will be considered valid.
Changes survive restarts.
To enable automatic synchronization with the directory, check Synchronize Directory and specify the start time for the first such synchronization and subsequent intervals as follows:
In Synchronize Directory Start Time, enter the start time using a 24-hour clock time (default is midnight), for example 2 hours 30 minutes for 2:30 in the morning, or 14 hours 30 minutes for 2:30 in the afternoon.
In Synchronize Directory Interval, enter the interval (default one day) to be added to that time to specify the time of the next CRL generation; it must be nonzero.
Changes survive restarts.
Synchronizing with the directory deletes all expired certificates from the directory, and publishes all certificates and CRLs to the directory, which may have failed due to system error, such as the directory being temporarily unavailable.
The buttons at the bottom of the page perform the functions described in the following table:
Button | Description |
---|---|
Revert | Click this button to reset all changed parameters to their previous values. |
Cancel | Click this button to cancel any changes made to this page and refresh the Notification page. |
OK | Click this button to save any changes made to this page. A message confirming that the configuration file was updated appears at the top of the screen. Restart the server as described in Starting and Stopping Oracle Application Server Certificate Authority for the changes to take effect. |
Use the Policy page of the Configuration Management tab to manage policies. Policies displayed on this page apply to the operation shown in the View Policies for list located in the upper left corner. When you select Requests, Renewals, or Revocations from the list, all policies that apply to your chosen operation will display. Each policy's Type, Status, and Description are displayed. A Default Policy is one which ships with OracleAS Certificate Authority; a Custom Policy is one you write yourself. Default policies cannot be deleted (only disabled).
Select a policy to edit, enable, disable, or delete by clicking the radio button to its left and then clicking the desired action on the upper right above the policy list. You can view a policy by clicking Edit to display its details. To change the order in which the displayed policies are applied, or to add a new one, click the Reorder or Add buttons.
For detailed information about policies, see Chapter 6.
Changes to the policy configuration do not take effect until you restart the server as described in Starting and Stopping Oracle Application Server Certificate Authority.
To learn more about the policy management tasks you can perform on this page, please see the following pages:
Related Topics
Edit Policies
Enable or Disable Policies
Delete Policies
Generates a new certificate revocation list (CRL). CRLs, defined by the X.509 standard, are signed data structures containing a list of all revoked certificates. Before granting users access, applications use this list to identify whether certificates are valid.
A description of the fields and buttons on this page follows:
Field or Button | Description |
---|---|
CRL Validity | Set the number of days that the new CRL will be valid |
Signature Algorithm | Choose the algorithm used to sign the CRL, for example, SHA1 with RSA or MD5 with RSA. |
Cancel | Exit without making changes |
OK | Update the CRL with all certificates revoked since the last CRL update |
To learn how to revoke a certificate, please see Revoking Certificates.
The tabs in this window help you to navigate around the OracleAS Certificate Authority Administrative pages:
The Home tab returns you to this page.
The Certificate Management tab enables you to approve or reject certificate requests.
The Configuration Management tab enables you to set up notifications, alerts, certificate revocation list generation, logging/tracing, and manage certificate policies.
The View Logs tab enables you to search and view error logs.
Shortcuts for the tabs are located along the page bottom. Click Practice Statement to view your site's certification practice statement, which you can add by editing the file ORACLE_HOME/j2ee/oca/applications/ocaapp/oca/helpsets/Help/ocaadmin_cs_practicestmt.html (UNIX) or ORACLE_HOME\j2ee\oca\applications\ocaapp\oca\helpsets\Help\ocaadmin_cs_practicestmt.html (Windows).
Use this page to request a certificate. An administrator who performs certificate management functions must be a certificate holder. Request a certificate by following these steps:
Enter Distinguished Name Information
The distinguished name (DN) is the location of a user's entry in Oracle Internet Directory. OracleAS Certificate Authority uses the directory entry to store and retrieve the user's certificate. A blue asterisk identifies the fields required under this heading. These are as follows:
Common Name
The name of the OracleAS Certificate Authority administrator
Organization
The company to which the administrator belongs
Enter the Admin Password
Enter the administrator password for OracleAS Certificate Authority.
Enter Certificate Information
The fields under this heading enable you to specify how strong the certificate key is and how long the certificate is valid. If you are using Internet Explorer, you designate the storage mechanism instead of the key strength.
Certificate Key Size (Netscape Communicator/Mozilla/Safari users)
The length of the private key that will be generated by your browser. Choose a key strength from the available options, typically 512 (low grade), 1024 (medium grade), or 2048 (high grade). Note: Not all options are available on all browsers.
Cryptographic Service Provider (Internet Explorer users)
The type of certificate storage or the key size. Click the drop-down list box to choose one of: Microsoft Base Cryptographic Provider, Microsoft Enhanced Cryptographic Provider, or Microsoft Strong Cryptographic Provider.
Choose a smart card only if you have a corresponding smart card device installed on your system. If, for example, you have a Gemplus smart card reader installed, you may choose Gemplus GemSAFE Card CSP. Please note that this option is not appropriate without that reader.
Validity Period (all browsers)
The length of time the certificate is valid. Click the drop-down list box to choose one of four alternatives.
Click Submit to process your request. Click Reset to start over.
The Approved Certificate Information page appears. It contains detailed information about the certificate.
Click Install in Browser to install the certificate to your browser. Please note that this installation process differs between browsers:
Netscape Communicator/Mozilla
When you click Install in Browser, the certificate is installed with the corresponding CA's certificate. No message appears informing you that the process is complete, although the browser status bar displays "Document:Done."
Internet Explorer
When you click Install in Browser, the certificate is installed with the corresponding CA's certificate. The browser displays the message "Certificate has been imported successfully." After installation, you are asked whether the signer's certificate must be imported. Internet Explorer displays a window that contains details about the CA being imported. Use this window to choose whether to import the signer.
Safari
You cannot install the certificate directly in the browser. Follow these steps to install the certificate:
Go to the web user interface https://hostname:port/oca/user.
Go to User Certificates > Manual Authentication.
Search for the web administrator's certificate using the serial number you noted earlier.
Select the certificate and click View Details.
Copy the BASE64 encoded certificate (not the BASE64 encoded certificate with the CA chain in PKCS#7 format), and save it into a file with the appropriate extension (.pem/.der/.cer).
Double-click the file. The Keychain Access utility opens with a pop-up dialog asking whether you want to import the certificate into the keychain. (Note: Your system will have more than one keychain, but be sure to import it into the default "login" keychain, which is in an unlocked state.)
There is a button to view the certificate. View it to verify if it is the web administrator's certificate. Click OK to import the certificate into the keychain.
After installing the administrator's certificate, you should see the Certificate Management and the Configuration Management tabs in the administrative Web interface.
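The copy step of the Safari procedure depends on saving the single BASE64 certificate rather than the PKCS#7 chain. The following added example (not part of Oracle's documentation or product code) checks a pasted block before it is saved; the function names are hypothetical and the sample values are constructed stand-ins, not real certificates.

```python
import base64
import binascii

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

# Constructed stand-ins that only have the right outer DER shape.
SAMPLE_CERT_SHAPE = base64.b64encode(bytes.fromhex("30053003020101")).decode()
SAMPLE_PKCS7_SHAPE = base64.b64encode(
    bytes.fromhex("300b06092a864886f70d010702")
).decode()
SAMPLE_TRUNCATED = base64.b64encode(bytes.fromhex("300530030201")).decode()


def read_header(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_length)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        return tag, pos, first
    count = first & 0x7F                  # long form: next `count` bytes
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, pos + count, int.from_bytes(buf[pos:pos + count], "big")


def classify_pasted_block(text):
    """Return 'certificate' or 'pkcs7-chain' for a pasted BASE64 block.

    Raises ValueError when the paste is incomplete or is neither structure.
    """
    lines = (line.strip() for line in text.strip().splitlines())
    # Ignore optional PEM armor lines such as -----BEGIN CERTIFICATE-----.
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid BASE64; the paste may be incomplete") from exc

    tag, start, length = read_header(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if start + length != len(der):
        raise ValueError("DER length mismatch; block is truncated or padded")

    inner_tag, inner_start, inner_length = read_header(der, start)
    if inner_start + inner_length > len(der):
        raise ValueError("inner element runs past the end of the data")
    if inner_tag == 0x30:
        # X.509 Certificate: the first member is the tbsCertificate SEQUENCE.
        return "certificate"
    value = der[inner_start:inner_start + inner_length]
    if inner_tag == 0x06 and value == PKCS7_SIGNED_DATA_OID:
        # PKCS#7 ContentInfo: the first member is the signedData OID.
        return "pkcs7-chain"
    raise ValueError("neither a certificate nor a PKCS#7 signedData block")


if __name__ == "__main__":
    for name, sample in (("single", SAMPLE_CERT_SHAPE), ("chain", SAMPLE_PKCS7_SHAPE)):
        print(name, "->", classify_pasted_block(sample))
```

This only inspects the outer structure; still use the View button in the import dialog to confirm the subject and serial number.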
For more detailed enrollment instructions, please see Chapter 4. If you need to change the administrator, then again use Chapter 4 or see the following help topic:
Use this page to search Oracle Application Server Certificate Authority error logs. The Certificate Authority server logs error messages for all components it manages. After you have entered your search criteria, the table displays all messages that match it. Enter your search criteria as follows:
Choose to search by Client Address (IP address) or Message content. To search by message content, enter information such as a DN or username.
Click Go.
The most recent messages that match your search criteria are displayed in the View Logs table, ten messages on each page.
Related Topic
Logging and Tracing in Configuration Management -- General
This section lists and describes the windows and fields in the Web user interface.
Use the Advanced screen to narrow or refine your search for certificate requests or existing certificates. The Advanced screen offers the following three search methods:
Search Using Distinguished Name (DN)
Enter the components of the certificate requester's or certificate holder's distinguished name. The Search list enables you to toggle between certificate requesters and certificate holders.
Search Using Advanced Distinguished Name
Choose this option if you know the certificate requester or certificate holder's full DN and understand how to enter it in LDIF format. You need to enter a contiguous DN to get results. For example, "cn=Margarita Redmond,ou=sales,o=yourcorp" is acceptable but "cn=Margarita Redmond,,o=yourcorp" is not. Please note in the following example that spaces between attributes are optional.
cn=Margarita Redmond,ou=sales,o=yourcorp,l=Bismarck,st=SD,c=US
Search Using Serial No./Request ID Range
Choose this option to retrieve information about certificates that fall within a given serial number range. Use the Search list to toggle between requested certificates and existing certificates.
To learn how to search using these methods, see the Advanced Search Screen.
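The Advanced Distinguished Name search returns results only for a contiguous DN. The following added example (not Oracle code) checks a DN before it is submitted, rejecting empty components and removing the optional spaces between attributes; the function names are hypothetical, and treating a backslash as the escape character for commas inside values is an assumption based on standard LDAP DN syntax.

```python
def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(current))
    return parts


def trim(text):
    """Strip surrounding spaces but keep a trailing space that is escaped."""
    text = text.lstrip()
    kept = text.rstrip()
    backslashes = len(kept) - len(kept.rstrip("\\"))
    if backslashes % 2 == 1 and len(kept) < len(text):
        kept += text[len(kept)]  # an odd run of backslashes escapes the space
    return kept


def normalize_dn(dn):
    """Return the DN with optional spaces removed, or raise ValueError.

    Every component must be a non-empty attribute=value pair, which is what
    makes the DN contiguous.
    """
    components = []
    for index, raw in enumerate(split_rdns(dn), start=1):
        rdn = trim(raw)
        if not rdn:
            raise ValueError(f"component {index} is empty; the DN is not contiguous")
        attribute, separator, value = rdn.partition("=")
        if not separator or not attribute.strip() or not value.strip():
            raise ValueError(f"component {index} is not attribute=value: {rdn!r}")
        components.append(rdn)
    return ",".join(components)


if __name__ == "__main__":
    # The two DNs quoted in the text above, plus a spaced variant.
    for candidate in (
        "cn=Margarita Redmond,ou=sales,o=yourcorp",
        "cn=Margarita Redmond, ou=sales, o=yourcorp",
        "cn=Margarita Redmond,,o=yourcorp",
    ):
        try:
            print("accepted:", normalize_dn(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```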
Use the Authentication page to identify yourself to the OracleAS Certificate Authority server. The mode that you choose is dictated by your existing OracleAS credentials. The modes, represented as radio buttons, are as follows:
Use your OracleAS Single Sign-On name and password
Use this option if you are an OracleAS Single Sign-On user and need to obtain or revoke a digital certificate.
Use your existing certificate
Use this option if you have a valid certificate issued by the current OracleAS Certificate Authority. If you have such a certificate, then you can identify yourself to the Certificate Authority using the Secure Sockets Layer (SSL) protocol.
Use manual approval / authentication
Use this option if you are not using OracleAS Single Sign-On or the SSL protocol for identification and need to obtain a digital certificate. The administrator will manually verify your identity before issuing your certificate.
To learn how to perform the tasks introduced on this page, see the following topics:
This page displays the certificate authority (CA) certificate in BASE64 format as well as the "BASE64-Encoded Certificate with CA certificate chain in PKCS#7 format". You can copy and paste the encoded CA certificate into Oracle Wallet Manager when using that tool to create a PKCS#10 certificate request. You must use this method to request a server certificate or a subordinate CA certificate.
Use this screen to install the certificate authority (CA) certificate into your browser. To see the CA certificate in BASE64 or PKCS #7 encoding, click Advanced. To install the CA certificate into your browser, click Install in Browser. If the current CA is a subordinate CA, its ancestor CA certificates will also be present. You can use this form to import the CA certificates into Oracle Wallet Manager (OWM). The PKCS #7 encoding contains the whole certificate chain.
This page also displays the following CA certificate details:
Field | Description |
---|---|
Status | VALID indicates that the certificate can still be trusted. This is the only value that will appear here. |
Serial Number | The number used to reference the certificate. |
Signature Algorithm | The algorithm used, which is indicated by the object identification number (OID). |
Usage | The certificate's function. In the case of a CA certificate, these values are always "Certificate Signing" and "CRL Signing." |
Issuing Authority | The CA that issued the certificate. If the root CA issued the certificate, the requester and the issuer are the same. |
Subject DN | Distinguished name of the certificate holder. |
Not Valid Before | Date and time certificate became valid. |
Not Valid After | Date and time certificate expires. |
Use this page to view details about your new certificate and to install it to your browser (by clicking Install in Browser). Clicking OK again after you install the certificate returns you to the User Certificates page. The new certificate appears on the Certificates bar of this page. The Certificate Approval page has the following fields:
Field | Description |
---|---|
Status | This value is always VALID. |
Serial Number | This is the certificate's serial number. |
Signature Algorithm | The algorithm used, which is indicated by the object identification number (OID). |
Usage | The certificate function. |
Issuing Authority | The CA that issued the certificate. |
Subject DN | Distinguished name of the certificate holder. |
Not Valid Before | Date and time certificate became valid. |
Not Valid After | Date and time certificate expires. |
Choose one of the buttons located at the bottom of the page to perform your desired task:
Button Name | Function Description |
---|---|
OK | Returns you to the main page of the User Certificates tab. |
Install in Browser | Installs the certificate into your browser. |
Save to Disk | Saves the certificate to a file on your local system. |
Use this page to obtain a complete description of a certificate, including its BASE64 encoding. The non-modifiable fields on this page are as follows:
Field | Description |
---|---|
Status | This value is VALID, REVOKED, or EXPIRED. |
Serial Number | This is the certificate's serial number assigned by OracleAS Certificate Authority. |
Signature Algorithm | The object identification number (OID) representing the algorithm used, such as MD5 with RSA encryption. |
Usage | The certificate function. |
Issuing Authority | The CA that issued the certificate. |
Subject DN | Distinguished name of the certificate holder. |
Not Valid Before | Date and time certificate became valid. |
Not Valid After | Date and time certificate expires. |
BASE64 Encoded Certificate | The encoded certificate. |
BASE64-Encoded Certificate with CA certificate chain in PKCS#7 format | The encoded certificate plus its tree of trusted authorities, in PKCS#7 format. This form allows a single operation to transport all certificates in the trusted chain up through the root CA certificate. |
Choose one of the buttons located at the bottom of the page to perform your desired task:
Button Name | Function Description |
---|---|
OK | Returns you to the main page of the User Certificates tab. |
Revoke | Revokes the certificate. You must specify a revocation reason. |
Renew | Renews the certificate. You must specify a new validity period. |
Install in Browser | Installs the certificate into your browser. |
Use this form to request a certificate manually. The Certificate Request form has the following headings:
Distinguished Name Information
The distinguished name (DN) is the location of a user's entry in Oracle Internet Directory. OracleAS Certificate Authority uses the directory entry to store and retrieve the user's certificate. A blue asterisk identifies the fields required under this heading. These are as follows:
Common Name
The name of the certificate requester
Organization
The company to which the certificate requester belongs
Contact Information
The certificate requester's name, e-mail address, and phone number. Please note that the Name field and either the E-Mail ID or the Phone No. field require input.
Certificate Information
Use the fields under this heading to specify the certificate key size or storage mechanism, the certificate function, and the certificate's life span. A description of these fields follows.
Certificate Key Size (for Netscape Communicator/Mozilla/Safari users)
The length of the private key that will be generated by your browser. Choose a key strength from the available options, typically 512 (low grade), 1024 (medium grade), or 2048 (high grade). Note: Not all options are available on all browsers.
Cryptographic Service Provider (for Internet Explorer users)
The type of certificate storage. Click the list to choose one of several storage methods, which determines the key strength. Choose between Microsoft Base Cryptographic Provider, Microsoft Enhanced Cryptographic Provider, and Microsoft Strong Cryptographic Provider. Choose a smart card only if you have a corresponding smart card device installed on your system. If, for example, you have a Gemplus smart card reader installed, you may choose Gemplus GemSAFE Card CSP. Please note that this option is not appropriate without that reader.
Certificate Usage (for all browser types)
The function of the certificate. Choose a usage that fits your intended applications and your enterprise policies; if unsure, choose "Authentication, Encryption, and Signing." (The default for your site is preselected.) The following list shows your possible choices:
Function | Description |
---|---|
Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
Encryption | Enables encrypting and decrypting electronic documents. |
Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including e-mail (using S/MIME, the Secure Multipurpose Internet Mail Extension) |
Authentication, Encryption | Certificate can be used for both purposes. |
Authentication, Signing | Certificate can be used for both purposes. |
Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
Encryption, Signing | Certificate can be used for both purposes. |
CA Signing | Enables requesting subordinate CA certificates |
Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |
Validity Period (for users of all browser types)
The length of time the certificate is valid. Click the list to choose one of four alternatives. A certificate is valid up to 10 years.
Related Topic
Certificate Request Form (Manual Request)
This page displays the current certificate revocation list. It indicates when the list was last updated. The list shows the serial number and revocation date for each revoked certificate.
Use the buttons on this page to install the CRL into your browser or to save it either as a binary file or as a BASE64-encoded text file. (BASE64-encoded text files make it easier to copy, paste, or e-mail the information.)
After installing or saving the CRL as you choose, click OK to return to the User Certificates page.
Use this page to choose a revocation reason. Here is a description of the available options.
Revocation Reason | Description |
---|---|
Key Compromise | The user's private key has been lost or has been exposed. |
Affiliation Change | The organization has decided to use a different root CA. |
CA Compromise | The CA has been replaced by a sub-CA or the CA certificate has been compromised. |
Certificate Hold | The certificate is temporarily suspended. |
Cessation of Operation | The existing root CA has ceased operations. A new root CA is required. |
Remove from CRL | The certificate has been removed from the certificate revocation list (CRL). |
Superseded | The root CA's certificate has been replaced. The old certificate must be removed and the new one installed |
Unspecified | No reason available or provided. |
To learn how to revoke a certificate, please see Revoking Certificates.
Use this form to request a certificate if you know your full distinguished name (DN)--if it already exists--and understand how to enter it in LDIF format. This feature is a shortcut for the Distinguished Name Information heading on the standard Certificate Request form, where it appears as the link Advanced DN. The Advanced form supports the same DN components that the standard form supports. The DN is the location of your user entry in Oracle Internet Directory. OracleAS Certificate Authority stores your certificate in and retrieves it from your directory entry.
Related Topic
Certificate Request Form (Manual Request)
Use this page to search for and display information about certificates and certificate requests, or to request a new server or SubCA certificate. Clicking Request a Certificate brings up the Server/SubCA Certificates form for you to fill in.
When a search you specified brings up a list of certificates or certificate requests, you can see more details for a particular entry by clicking its Select button (far left) and then clicking View Details. To show search results beyond the first 25, you can click Next 25 or click in the drop-down list to select the range you wish to display.
Related Topics
The functions you can select using the buttons on the Server/SubCA Certificates page are explained at the following links:
Use this form to request a certificate for a Web server or a subordinate certificate authority. The Server/SubCA Certificate Request form has the following headings:
Certificate Request
You request a certificate by using the OpenSSL req tool or Oracle Wallet Manager to generate a certificate request in PKCS#10 encoding in BASE64 format. Then paste the encoded certificate request in the PKCS#10 Request field.
Contact Information
The certificate requester's name, e-mail address, and phone number. Note that the Name field and either the E-Mail ID or the Phone No. field require input.
Certificate Information
Use the fields under this heading to specify the certificate function and life span. A description of these fields follows.
Certificate Usage
The function of the certificate. Choose a usage that fits your intended applications and your enterprise policies; if unsure, choose "Authentication, Encryption, and Signing." (The default for your site is preselected.) The following list shows your possible choices:
Function | Description |
---|---|
Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
Encryption | Enables encrypting and decrypting electronic documents. |
Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including e-mail (using S/MIME, the Secure Multipurpose Internet Mail Extension) |
Authentication, Encryption | Certificate can be used for both purposes. |
Authentication, Signing | Certificate can be used for both purposes. |
Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
Encryption, Signing | Certificate can be used for both purposes. |
CA Signing | Enables requesting subordinate CA certificates |
Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |
Validity Period
The length of time the certificate is valid. Click the list to choose 6 months, one year, or five years for the validity period.
Use this form if you already have a certificate and want to request another one--either because you want a different key size or storage mechanism or because you want to use the certificate for a different purpose. This form has the following headings and fields:
Distinguished Name Information
The User DN field under the Distinguished Name Information heading displays the DN under which the first certificate was assigned. You cannot modify this field.
Certificate Information
Use the fields under this heading to specify the certificate key size or storage mechanism, the certificate function, and the certificate's life span. A description of these fields follows.
Certificate Key Size (Netscape Communicator/Mozilla/Safari users)
The length of the private key that will be generated by your browser. Choose a key strength from the available options, typically 512 (low grade), 1024 (medium grade), or 2048 (high grade). Note: Not all options are available on all browsers.
Cryptographic Service Provider (Internet Explorer users)
The type of certificate storage or the key size. Click the drop-down list box to choose one of: Microsoft Base Cryptographic Provider, Microsoft Enhanced Cryptographic Provider, or Microsoft Strong Cryptographic Provider. Choose a smart card only if you have a corresponding smart card device installed on your system. If, for example, you have a Gemplus smart card reader installed, you may choose Gemplus GemSAFE Card CSP. Please note that this option is not appropriate without that reader.
Certificate Usage (users of all browser types)
The function of the certificate. Choose a usage that fits your intended applications and your enterprise policies; if unsure, choose "Authentication, Encryption, and Signing." (The default for your site is preselected.) The following list shows your possible choices:
Function | Description |
---|---|
Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
Encryption | Enables encrypting and decrypting electronic documents. |
Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including e-mail (using S/MIME, the Secure Multipurpose Internet Mail Extension) |
Authentication, Encryption | Certificate can be used for both purposes. |
Authentication, Signing | Certificate can be used for both purposes. |
Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
Encryption, Signing | Certificate can be used for both purposes. |
CA Signing | Enables requesting subordinate CA certificates |
Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |
Use this form if you have been authenticated by an OracleAS Single Sign-On server and want to request a new certificate or an additional one. The SSO Certificate Request form has the following headings and fields:
Distinguished Name Information
The User DN field under the Distinguished Name Information heading displays the DN under which your certificates are issued. You cannot modify this field.
Certificate Information
Use the fields under this heading to specify the certificate key size or storage mechanism, the certificate function, and the certificate's life span. A description of these fields follows.
Certificate Key Size (Netscape Communicator/Mozilla/Safari users)
The length of the private key that will be generated by your browser. Choose a key strength from the available options, typically 512 (low grade), 1024 (medium grade), or 2048 (high grade). Note: Not all options are available on all browsers.
Cryptographic Service Provider (Internet Explorer users)
The type of certificate storage or the key size. Click the drop-down list box to choose one of: Microsoft Base Cryptographic Provider, Microsoft Enhanced Cryptographic Provider, or Microsoft Strong Cryptographic Provider. Choose a smart card only if you have a corresponding smart card device installed on your system. If, for example, you have a Gemplus smart card reader installed, you may choose Gemplus GemSAFE Card CSP. Please note that this option is not appropriate without that reader.
Certificate Usage (users of both browser types)
The function of the certificate. Choose a usage that fits your intended applications and your enterprise policies; if unsure, choose "Authentication, Encryption, and Signing." (The default for your site is preselected.) The following list shows your possible choices:
Function | Description |
---|---|
Authentication | Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) |
Encryption | Enables encrypting and decrypting electronic documents. |
Signing | Enables verifiable signature for (and assures non-tampering of) electronic documents, including e-mail (using S/MIME, the Secure Multipurpose Internet Mail Extension) |
Authentication, Encryption | Certificate can be used for both purposes. |
Authentication, Signing | Certificate can be used for both purposes. |
Authentication, Encryption, and Signing | Certificate can be used for all three purposes. |
Encryption, Signing | Certificate can be used for both purposes. |
CA Signing | Enables requesting subordinate CA certificates |
Code Signing | Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. |
Related Topic
To learn how to use your single sign-on user name and password to request a certificate, see
You can use the Request a Certificate button on this page to request a certificate. This page also has buttons that enable you to save the Certificate Authority's (CA) certificate or Certificate Revocation List (CRL). In addition, you can change the authentication mode that you use to request a certificate. Clicking Change Authentication returns you to the Authentication page, where you can make another choice.
After you have submitted your certificate request, you can use search features on the User Certificates - Manual Authentication page to check the status of your request.
If you gained access to OracleAS Certificate Authority with an existing certificate, then you can use the Get Certificate button on this page to add a certificate. The form also has buttons that enable you to save a certificate revocation list (CRL) or change the authentication mode that you use to request a certificate. Clicking Change Authentication returns you to the Authentication page where you can make the change.
All of your valid certificates are displayed in the master table under the Certificates bar. Each row contains information about a particular certificate, including serial number, life span and usage type. Click the button in the far left column of a row to view additional details about a certificate or to revoke it. You should revoke your certificate if your private key is lost, corrupted, or stolen.
Related Topics
Certificate Request Form - SSL Authentication to learn how to use an existing certificate to add a certificate
Certificate Revocation List to learn how to save a CRL
Use the Get Certificate button on this page to request or add a new certificate. This page also has buttons that enable you to save the Certificate Revocation List (CRL) or change the authentication mode that you use to request a certificate. Clicking Change Authentication returns you to the Authentication page, where you can make your choice.
All of your valid certificates are displayed in the master table under the Certificates bar. Each row contains information about a particular certificate, including serial number, life span and usage type. To view additional details about a certificate, or to revoke it, click the button in the Select column of that certificate's row and then click View Details. You should revoke your certificate if your private key is lost, corrupted, or stolen.
Related Topics
SSO Certificate Request Form to learn how to use your single sign-on user name and password to request a certificate
Certificate Revocation List to learn how to save a CRL
The user pages for Oracle Certificate Authority possess features that enable you to request, view, and revoke X.509 certificates and to save certificate revocation lists. Use the Authentication page to access these tabs. The tabs in this window help you to navigate around the Oracle Certificate Authority user pages:
The Home tab returns you to this page.
The User Certificates tab enables you to view and revoke your certificates, create certificate requests, change your authentication method, and save certificate revocation lists.
The Server/SubCA tab enables you to search for certificates and certificate requests by using the Server/SubCA Certificate form. You can also use this form to request PKCS#10-encoded certificates for Web servers or subordinate certificate authorities, and to save or install certificate authority certificates from Oracle Certificate Authority.
The View Logs tab enables you to search error, warning, and audit logs.
This page also enables you to do any combination of the following four tasks:
Install the certificate authority certificate into your browser:
In Netscape, the New Certificate Authority dialog box appears:
Click through the dialog boxes, which help you decide whether to accept the certificate. In the last one, to accept the certificate, click Finish; to reject the certificate or to postpone acceptance, click Cancel.
In Internet Explorer, a warning dialog box tells you the file's name, type, and source, and asks if you want to open or save it. Click Save and choose a file system destination.
In Safari, the certificate cannot be imported into the browser directly. Follow the instructions in Save the certificate authority certificate to your file system to install the certificate.
Install certificate revocation lists into your browser:
In Netscape, installing the CRL into your browser brings up a dialog box stating that the CRL was successfully imported. It also tells you who issued it and when the next update is, and offers to enable automatic CRL generation. (If you accept, you can specify when and how often the update occurs.)
In Internet Explorer, a warning dialog box tells you the file's name, type, and source, and asks if you want to open or save it. Click Save and choose a file system destination.
Save the certificate authority certificate to your file system:
In Netscape, saving the certificate authority certificate to your file system brings up a dialog box asking what to do with this file (OCABase64.cert). Ensure that Save it to disk is selected, and then click OK. In the "save" dialog that appears, select where you want to store it and click Save.
In Internet Explorer, a warning dialog box tells you the file's name, type, and source, and asks if you want to open or save it. Click Save and choose a file system destination.
In Safari, a page appears that shows the BASE64-encoded certificate of the Certificate Authority. Copy it and paste it into a .der/.pem/.cer file. Double-click the file. The Keychain Access utility opens with a pop-up dialog asking whether you want to import the certificate into the keychain. (Note: Your system will have more than one keychain, but be sure to import it into the default "login" keychain, which is in an unlocked state.)
Save the certificate revocation list to your file system:
In Netscape, saving the Certificate Revocation List to your file system brings up a dialog box asking what to do with this file (OCAcrlBase64.txt). Ensure that Save it to disk is selected, and then click OK. In the "save" dialog that appears, select where you want to store it and click Save.
In Internet Explorer, a warning dialog box tells you the file's name, type, and source, and asks if you want to open or save it. Click Save and choose a file system destination.
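The Safari step above has you paste Base64 text into a file by hand, which is where truncated or whitespace-damaged copies come from. The following Python helper is an added example, not Oracle's code: it normalizes the pasted text, checks that it decodes to exactly one complete DER structure, and computes a SHA-256 fingerprint to compare with a value obtained from the CA administrator out of band. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pasted_base64_to_der(text):
    """Return DER bytes from pasted Base64, with or without PEM armor."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    body = "".join(body.split())          # drop line breaks and stray spaces
    der = base64.b64decode(body, validate=True)
    check_outer_sequence(der)
    return der


def check_outer_sequence(der):
    """Reject data that is not exactly one DER SEQUENCE (e.g. a cut-off paste)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length
        count = first & 0x7F
        if count == 0 or len(der) < 2 + count:
            raise ValueError("bad DER length")
        header = 2 + count
        length = int.from_bytes(der[2:header], "big")
    if header + length != len(der):
        raise ValueError("length mismatch: truncated or trailing data")


def sha256_fingerprint(der):
    """Colon-separated SHA-256 of the DER bytes, for out-of-band comparison."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Armor DER as PEM with 64-character lines, suitable for a .pem/.cer file."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PASTE = "  " + base64.b64encode(SAMPLE_DER).decode() + " \n"
```

Run the fingerprint over the file you saved and import the certificate only if it matches the value the CA administrator gave you through a separate channel.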