Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Renewing an SSL certificate in Advanced Security

From: Jason Heinrich <jheinrichdba_at_gmail.com>
Date: Mon, 17 Dec 2007 13:11:18 -0600
Message-ID: <b32e774d0712171111u12ed8c09yfe67a5aea54b19dd@mail.gmail.com>


I found the Metalink document that describes the "official" way to renew a certificate (303299.1). Basically you export a CSR for your existing certificate, get it signed, delete the old certificate (which leaves the CSR behind), and import the new certificate. Of course, this all requires OWM, as orapki doesn't provide a way to remove certificates. Obviously this would be an inconvenience if X wasn't installed on the server.

I've submitted an SR, so we'll see what Oracle says.

On 12/14/07, mkb <mkb125_at_yahoo.com> wrote:
>
> ----- Original Message ----
> From: Jason Heinrich <jheinrichdba_at_gmail.com>
> To: mkb <mkb125_at_yahoo.com>
> Cc: oracle-l <oracle-l_at_freelists.org>
> Sent: Friday, December 14, 2007 5:17:55 PM
> Subject: Re: Renewing an SSL certificate in Advanced Security
>
> Yes, I have the initial certificate installed via orapki, and SSL works
> beautifully. It's obtaining a new certificate when the original expires
> that I'm having trouble with. I tried the process with OWM as you
> suggested, and that seemed to work. It seems that orapki was something of
> an afterthought to Oracle. It's too bad: I really wanted to script the
> whole process, but this is the second activity I've run into that requires
> OWM (the first was removing unused trusted certificates). Unless, as Amir
> suggested, I create a new wallet and replace the old one.
>
> On 12/14/07, mkb <mkb125_at_yahoo.com> wrote:
> >
> > I'm not sure I quite follow. I assume you generated a certificate
> > request (something like this perhaps? orapki wallet add -wallet
> > wallet_location -dn user_dn -keySize 512|1024|2048)
> >
> > Then you exported the certificate request and got it signed from your
> > CA, right?
> >
> > You should have gotten back a root certificate from your CA and a signed
> > user certificate. The root cert would have been imported into the wallet
> > with something like this:
> > orapki wallet add -wallet . -trusted_cert -cert cacert.pem
> >
> > The signed user certificate would have been imported into the wallet
> > using something like this:
> > orapki wallet add -wallet . -user_cert -cert newcert.pem
> >
> > If you want to create a new signed user certificate, you will need to
> > create a user certificate request, export the request and then submit it to
> > the CA and get it signed. Once it is signed, you only need to import the
> > user signed certificate and not the root chain (assuming you got it signed
> > from the same CA).
> >
> > I think I had some problems with the orapki utility when trying to
> > import certs but when I used the GUI it seemed to work fine. You might try
> > using the GUI first (owm) and see if that solves the problem.
> >
> > --
> > mohammed
> >
> >
> > You then created a certificate request
> >
> >
>
> Ok, so that basically confirms it for me also that the orapki utility is
> half-baked. I also was going in the same direction that you were (wanting
> to script it out), but I guess that's not going to be the case until
> Oracle fixes it.
>
> Time to open a ticket on this one I suppose.
>
> --
> mohammed
>
>

-- 
Jason Heinrich

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Dec 17 2007 - 13:11:18 CST
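
The scriptable route mentioned in the thread (create a new wallet and replace the old one), sketched as an added example; it is not code from the thread or from Oracle. The wallet paths, DN and `renew.csr` file name are assumptions, as is relying on orapki to prompt for the wallet password when `-pwd` is omitted; the `wallet add` forms are the ones quoted in the thread, with `wallet create`, `wallet export` and `wallet display` alongside them.

```shell
#!/bin/sh
# Added example: renew by building a fresh wallet beside the live one, then swapping.
# Assumed (not from the thread): LIVE/NEW paths, DN, renew.csr file name.
# -pwd is left off so the password is prompted for rather than shown in the process list.
ORAPKI=${ORAPKI:-orapki}
LIVE=${LIVE:-/u01/app/oracle/wallet}
NEW=${NEW:-$LIVE.new}
DN=${DN:-CN=db01.example.com,O=Example,C=US}

# Print the command instead of running it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Phase 1: new wallet, new key pair, exported CSR to send to the CA.
make_request() {
    run mkdir -p "$NEW" &&
    run chmod 700 "$NEW" &&
    run "$ORAPKI" wallet create -wallet "$NEW" -auto_login &&
    run "$ORAPKI" wallet add -wallet "$NEW" -dn "$DN" -keySize 2048 &&
    run "$ORAPKI" wallet export -wallet "$NEW" -dn "$DN" -request "$NEW/renew.csr"
}

# Phase 2: $1 = CA certificate, $2 = signed user certificate.
# The CA certificate goes in first, following the import order given in the thread.
install_signed() {
    if [ -z "$DRY_RUN" ] && { [ ! -r "$1" ] || [ ! -r "$2" ]; }; then
        echo "certificate file missing or unreadable" >&2
        return 1
    fi
    run "$ORAPKI" wallet add -wallet "$NEW" -trusted_cert -cert "$1" &&
    run "$ORAPKI" wallet add -wallet "$NEW" -user_cert -cert "$2" &&
    run "$ORAPKI" wallet display -wallet "$NEW" &&
    # Keep the old wallet as a dated backup, then move the new one into place.
    run mv "$LIVE" "$LIVE.old.$(date +%Y%m%d)" &&
    run mv "$NEW" "$LIVE"
}

case "${1:-}" in
    request) make_request ;;
    install) install_signed "$2" "$3" ;;
esac
```

Running with `DRY_RUN=1` prints the commands for review before anything touches the live wallet. Because the wallet is new, the renewed certificate carries a new key pair, and the old wallet stays on disk under a dated name until it is removed by hand.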
