Message-ID: <b32e774d0712171111u12ed8c09yfe67a5aea54b19dd@mail.gmail.com>
Date: Mon, 17 Dec 2007 13:11:18 -0600
From: "Jason Heinrich" <jheinrichdba@gmail.com>
To: mkb <mkb125@yahoo.com>, "Hameed, Amir" <Amir.Hameed@xerox.com>
Subject: Re: Renewing an SSL certificate in Advanced Security
Cc: oracle-l <oracle-l@freelists.org>

I found the Metalink document that describes the "official" way to renew a
certificate (303299.1).  Basically you export a CSR for your existing
certificate, get it signed, delete the old certificate (which leaves the CSR
behind), and import the new certificate.  Of course, this all requires OWM,
as orapki doesn't provide a way to remove certificates.  Obviously this
would be an inconvenience if X wasn't installed on the server.

I've submitted an SR, so we'll see what Oracle says.

On 12/14/07, mkb <mkb125@yahoo.com> wrote:
>
> ----- Original Message ----
> From: Jason Heinrich <jheinrichdba@gmail.com>
> To: mkb <mkb125@yahoo.com>
> Cc: oracle-l <oracle-l@freelists.org>
> Sent: Friday, December 14, 2007 5:17:55 PM
> Subject: Re: Renewing an SSL certificate in Advanced Security
>
> Yes, I have the initial certificate installed via orapki, and SSL works
> beautifully.  It's obtaining a new certificate when the original expires
> that I'm having trouble with.  I tried the process with OWM as you
> suggested, and that seemed to work.  It seems that orapki was something of
> an afterthought to Oracle.  It's too bad: I really wanted to script the
> whole process, but this is the second activity I've run into that requires
> OWM (the first was removing unused trusted certificates).  Unless, as Amir
> suggested, I create a new wallet and replace the old one.
>
> On 12/14/07, mkb <mkb125@yahoo.com> wrote:
> >
> > I'm not sure I quite follow.  I assume you generated a certificate
> > request (something like this perhaps? orapki wallet add -wallet
> > wallet_location -dn user_dn -keySize 512|1024|2048)
> >
> > Then you exported the certificate request and got it signed from your
> > CA, right?
> >
> > You should have gotten back a root certificate from your CA and a signed
> > user certificate.  The root cert would have been imported into the wallet
> > with something like this:
> > orapki wallet add -wallet . -trusted_cert -cert cacert.pem
> >
> > The signed user certificate would have been imported into the wallet
> > using something like this:
> > orapki wallet add -wallet . -user_cert -cert newcert.pem
> >
> > If you want to create a new signed user certificate, you will need to
> > create a user certificate request, export the request and then submit it to
> > the CA and get it signed.  Once it is signed, you only need to import the
> > user signed certificate and not the root chain (assuming you got it signed
> > from the same CA).
> >
> > I think I had some problems with the orapki utility when trying to
> > import certs but when I used the GUI it seemed to work fine.  You might try
> > using the GUI first (owm) and see if that solves the problem.
> >
> > --
> > mohammed
> >
> >
> > You then created a certificate request
> >
>
> Ok, so that basically confirms it for me also that the orapki utility is
> half-baked.  I also was going in the same direction that you were (wanting
> to script it out), but I guess that's not going to be the case until
> Oracle fixes it.
>
> Time to open a ticket on this one I suppose.
>
> --
> mohammed
>



-- 
Jason Heinrich
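
Added example, not part of the original thread and not Oracle's documented procedure: a sketch of the "create a new wallet and replace the old one" route discussed above, scripted with orapki only so that OWM and X are not needed. The directory paths, DN, file names and the ORAPKI, DRY_RUN, WALLET_PWD and STAMP variables are assumptions; it defaults to a dry run that prints each command with the wallet password masked.

```shell
#!/bin/sh
# Added example: rebuild-and-swap certificate renewal using orapki only.
# Paths, DN and file names are placeholders; check the orapki options
# against your release before setting DRY_RUN=0.
ORAPKI=${ORAPKI:-orapki}
DRY_RUN=${DRY_RUN:-1}                      # 1 = print commands, run nothing
STAMP=${STAMP:-$(date +%Y%m%d%H%M%S)}      # suffix for the retired wallet

# Print the command with the password masked; execute only if DRY_RUN=0.
# Note: -pwd on a command line is visible in the process list while it runs.
run() {
    echo "$*" | sed 's/-pwd [^ ]*/-pwd ****/'
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Phase 1: new wallet, new key pair and CSR in a staging directory.
# usage: stage_request NEW_DIR DN
stage_request() {
    run mkdir -p "$1" &&
    run chmod 700 "$1" &&
    run "$ORAPKI" wallet create -wallet "$1" -pwd "$WALLET_PWD" -auto_login &&
    run "$ORAPKI" wallet add -wallet "$1" -dn "$2" -keySize 2048 \
        -pwd "$WALLET_PWD" &&
    run "$ORAPKI" wallet export -wallet "$1" -dn "$2" \
        -request "$1/renew.csr" -pwd "$WALLET_PWD"
}

# Phase 2 (after the CA has signed renew.csr): import the CA certificate and
# the signed user certificate, list the wallet for review, then swap it in.
# The old wallet is renamed, not deleted, so the change can be rolled back.
# usage: install_and_swap NEW_DIR LIVE_DIR CA_CERT SIGNED_CERT
install_and_swap() {
    run "$ORAPKI" wallet add -wallet "$1" -trusted_cert -cert "$3" \
        -pwd "$WALLET_PWD" &&
    run "$ORAPKI" wallet add -wallet "$1" -user_cert -cert "$4" \
        -pwd "$WALLET_PWD" &&
    run "$ORAPKI" wallet display -wallet "$1" -pwd "$WALLET_PWD" &&
    run mv "$2" "$2.old.$STAMP" &&
    run mv "$1" "$2"
}

# Example (dry run):
#   WALLET_PWD=... stage_request /u01/wallet.new "CN=db01,O=Example"
#   WALLET_PWD=... install_and_swap /u01/wallet.new /u01/wallet ca.pem new.pem
```

Because the wallet is new, the CA certificate has to be imported again before the user certificate, unlike the in-place renewal described in the quoted replies. Between the two `mv` commands the live wallet path does not exist, so schedule the swap accordingly.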

--
http://www.freelists.org/webpage/oracle-l


