SSL certificate for Oracle Application Server 11g

Posted by Easter Sunshine on Server Fault
Published on 2012-11-21T16:43:17Z Indexed on 2012/11/21 17:01 UTC

I was asked to get an SSL certificate for an "Oracle Application Server 11g" which has a soon-to-expire certificate. Brushing aside the fact that 10g seems to be the newest version, I got a certificate from InCommon, as I usually do without problem (except this is the first time I supplied Oracle Application Server 11g as the software type on the CSR form). The email containing links to download the certificate mentioned:

Certificate Details:

SSL Type : InCommon SSL

Server : OTHER

I forwarded the email over to the person responsible for installing it and got a reply that the server type must be Oracle Application Server for the certificate to work (the CN is the same as before). They were unable to install this certificate (no details provided to me) and mentioned they had this issue previously with Thawte when they didn't supply Oracle Application Server as the server type. I don't see any significant difference between the currently installed certificate (working) and the new one I just got signed by InCommon (not working).

$ openssl x509 -in sso-current.cer -text

shows, with irrelevant information omitted:

Data:
    Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/[email protected]
    Validity
        Not Before: Oct  1 00:00:00 2009 GMT
        Not After : Nov 28 23:59:59 2012 GMT
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.thawte.com/ThawteServerPremiumCA.crl

        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        Authority Information Access: 
            OCSP - URI:http://ocsp.thawte.com

Signature Algorithm: sha1WithRSAEncryption

and

$ openssl x509 -in sso-new.cer -text

shows

Data:
    Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
    Validity
        Not Before: Nov  8 00:00:00 2012 GMT
        Not After : Nov  8 23:59:59 2014 GMT
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Authority Key Identifier: 
            keyid:48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D

        X509v3 Subject Key Identifier: 
            18:8D:F6:F5:87:4D:C4:08:7B:2B:3F:02:A1:C7:AC:6D:A7:90:93:02
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.5923.1.4.3.1.1
              CPS: https://www.incommon.org/cert/repository/cps_ssl.pdf

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.incommon.org/InCommonServerCA.crl

        Authority Information Access: 
            CA Issuers - URI:http://cert.incommon.org/InCommonServerCA.crt
            OCSP - URI:http://ocsp.incommon.org

Nothing jumps out at me as the reason one would not work, so I don't have a specific request for the signer for what to do differently when re-signing.

© Server Fault or respective owner
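
A systematic version of the comparison the post makes by eye, as an added example that is not part of the original post: it parses the extensions block of `openssl x509 -text` output and reports which extensions appear in only one certificate and which are marked critical (RFC 5280 requires rejecting a certificate that carries a critical extension the software does not recognise). The helper names `extensions` and `compare` are hypothetical, and the sample text is abridged from the two dumps in the post.

```python
# Extension listings abridged from the two dumps in the post (most value lines dropped).
OLD = """\
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 CRL Distribution Points:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        Authority Information Access:
            OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
"""
NEW = """\
    X509v3 extensions:
        X509v3 Authority Key Identifier:
        X509v3 Subject Key Identifier:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Extended Key Usage:
        X509v3 Certificate Policies:
        X509v3 CRL Distribution Points:
        Authority Information Access:
            CA Issuers - URI:http://cert.incommon.org/InCommonServerCA.crt
"""

def extensions(text):
    """Return {extension name: is_critical} parsed from `openssl x509 -text` output."""
    exts, base, head = {}, None, None
    for line in text.splitlines():
        body, indent = line.strip(), len(line) - len(line.lstrip())
        if body == "X509v3 extensions:":
            base = indent
        elif not body or base is None:
            continue  # blank line, or still before the extensions block
        elif indent <= base:
            break  # left the extensions block (e.g. "Signature Algorithm")
        elif indent == (head := head or indent):  # headers share the first indent seen
            name, _, flag = body.rpartition(":")
            exts[name] = flag.strip() == "critical"
    return exts

def compare(old, new):
    a, b = extensions(old), extensions(new)
    return {"only_old": sorted(a.keys() - b.keys()),
            "only_new": sorted(b.keys() - a.keys()),
            "critical_old": sorted(n for n in a if a[n]),
            "critical_new": sorted(n for n in b if b[n])}
```
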
