Multiple Certificate Support

Oracle Wallet Manager enables you to store multiple certificates in each wallet, supporting any of the following Oracle PKI certificate usages:

  • SSL authentication

  • S/MIME signature

  • S/MIME encryption

  • Code-Signing

  • CA Certificate Signing

Each certificate request you create generates a unique private/public key pair. The private key stays in the wallet and the public key is sent with the request to a certificate authority. When that certificate authority generates your certificate and signs it, you can import it only into the wallet that has the corresponding private key.

If the wallet also contains a separate certificate request, the private/public key pair corresponding to that request is different from the pair for the first certificate request. Sending this separate certificate request to a certificate authority can get you a separate signed certificate, which you can import into this same wallet.

A single certificate request can be sent to a certificate authority multiple times to obtain multiple certificates. However, only one certificate corresponding to that certificate request can be installed in the wallet.

Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension to define Oracle PKI certificate usages (Table 6-1). A single certificate cannot be applied to all possible certificate usages. Table 6-2 and Table 6-3 show legal usage combinations.

Table 6-1 KeyUsage Values

Value   Usage
0       digitalSignature
1       nonRepudiation
2       keyEncipherment
3       dataEncipherment
4       keyAgreement
5       keyCertSign
6       cRLSign
7       encipherOnly
8       decipherOnly

When installing a certificate, Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 6-2 and Table 6-3.

Table 6-2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet

KeyUsage Value                                          Critical? (1)   Usage
none                                                    NA              Certificate is importable for SSL or S/MIME encryption use.
0 alone or along with any values excluding 5 and 2      NA              Accept certificate for S/MIME signature or code-signing use.
1 alone                                                 Yes             Not importable.
1 alone                                                 No              Accept certificate for S/MIME signature or code-signing use.
2 alone or along with any combination excluding 5       NA              Accept certificate for SSL or S/MIME encryption use.
5 alone or along with any other values                  NA              Accept certificate for CA certificate signing use.
Any settings not listed previously                      Yes             Not importable.
Any settings not listed previously                      No              Certificate is importable for SSL or S/MIME encryption use.

Table 6-3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet

KeyUsage Value                              Critical? (2)   Usage
none                                        NA              Importable.
Any combination excluding 5                 Yes             Not importable.
Any combination excluding 5                 No              Importable.
5 alone or along with any other values      NA              Importable.

You should obtain, from the certificate authority, certificates with the correct KeyUsage value matching your required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 6-2 and Table 6-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

For example, for SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.

If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned.
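As an added example (not Oracle's own code), the following Python encodes the Table 6-2 import rules for user certificates and the first-match selection and ORA-28885 behaviour described above; it covers every row of the table, not just the SSL case. The UserCert class, the usage labels and the sample wallet are constructed for illustration.

```python
# Added example: models the Table 6-2 mapping and first-match selection.
# Not Oracle code; UserCert, the usage labels and SAMPLE_WALLET are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# KeyUsage bit positions from Table 6-1
DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT = 0, 1, 2
KEY_CERT_SIGN = 5

SSL = "SSL authentication"
SMIME_SIG = "S/MIME signature"
SMIME_ENC = "S/MIME encryption"
CODE_SIGN = "Code-Signing"
CA_SIGN = "CA Certificate Signing"


@dataclass
class UserCert:
    """Stand-in for a certificate: label, KeyUsage bits (None if the extension
    is absent) and whether the KeyUsage extension is marked critical."""
    label: str
    key_usage: Optional[FrozenSet[int]]
    critical: bool = False


def oracle_usages(cert: UserCert) -> FrozenSet[str]:
    """Map KeyUsage to Oracle PKI usages per Table 6-2; empty = not importable."""
    bits = cert.key_usage
    if bits is None:                        # no KeyUsage extension at all
        return frozenset({SSL, SMIME_ENC})
    if KEY_CERT_SIGN in bits:               # 5 alone or with any other values
        return frozenset({CA_SIGN})
    if KEY_ENCIPHERMENT in bits:            # 2 alone or with anything except 5
        return frozenset({SSL, SMIME_ENC})
    if DIGITAL_SIGNATURE in bits:           # 0 alone or with anything except 5 and 2
        return frozenset({SMIME_SIG, CODE_SIGN})
    if bits == {NON_REPUDIATION}:           # 1 alone: importable only if not critical
        return frozenset() if cert.critical else frozenset({SMIME_SIG, CODE_SIGN})
    if cert.critical:                       # any other setting, critical
        return frozenset()
    return frozenset({SSL, SMIME_ENC})      # any other setting, not critical


def select_certificate(wallet: List[UserCert], usage: str) -> UserCert:
    """Return the first wallet certificate carrying `usage`, else raise ORA-28885."""
    for cert in wallet:
        if usage in oracle_usages(cert):
            return cert
    raise LookupError("ORA-28885: No certificate with required key usage found")


# Constructed sample wallet: a signing-only certificate first, then an SSL-capable one.
SAMPLE_WALLET = [
    UserCert("smime_signer", frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION})),
    UserCert("server_tls", frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT})),
]
```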

(1) If the KeyUsage extension is critical, the certificate cannot be used for other purposes.
(2) If the KeyUsage extension is marked critical, the certificate cannot be used for other purposes.