Skip Headers

Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

E
orapki Utility

The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI.

The following topics are included in this appendix:

orapki Utility Overview

This command line utility can be used to perform the following tasks:

orapki Utility Syntax

The basic syntax of the orapki command line utility is as follows:

orapki module command -parameter <value>

where module can be wallet (Oracle wallet), crl (certificate revocation list), or cert (PKI digital certificate). The available commands depend on the module you are using. For example, if you are working with a wallet, then you can add a certificate or a key to the wallet with the add command. The following example adds the user certificate located at /private/lhale/cert.txt to the wallet located at $ORACLE_HOME/wallet/ewallet.p12:

orapki wallet add -wallet $ORACLE_HOME/wallet/ewallet.p12 -user_cert -cert 
/private/lhale/cert.txt

Creating Signed Certificates for Testing Purposes

This command line utility provides a convenient, lightweight way to create signed certificates for testing purposes. The following syntax can be used to create signed certificates and to view certificates:

To create a signed certificate for testing purposes:
orapki cert create [-wallet <wallet_location>] -request <certificate_request_
location> -cert <certificate_location> -validity <number_of_days> [-summary]

This command creates a signed certificate from the certificate request. The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. The -validity parameter specifies the number of days, starting from the current date, that this certificate will be valid. Specifying a certificate and certificate request is mandatory for this command.

To view a certificate:
orapki cert display -cert <certificate_location> [-summary | -complete]

This command enables you to view a test certificate that you have created with orapki. You can choose either -summary or -complete, which determines how much detail the command will display. If you choose -summary, the command will display the certificate and its expiration date. If you choose -complete, it will display additional certificate information, including the serial number and public key.

Managing Oracle Wallets with orapki Utility

The following sections describe the syntax used to create and manage Oracle wallets with the orapki command line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process.

Creating and Viewing Oracle Wallets with orapki

To create an Oracle wallet:
orapki wallet create -wallet <wallet_location>

This command will prompt you to enter and re-enter a wallet password. It creates a wallet in the location specified for -wallet.

To create an Oracle wallet with auto login enabled:
orapki wallet create -wallet <wallet_location> -auto_login

This command creates a wallet with auto login enabled, or it can also be used to enable auto login on an existing wallet. If the wallet_location already contains a wallet, then auto login will be enabled for it. To turn the auto login feature off, use Oracle Wallet Manager. See "Using Auto Login" for details.


Note:

For wallets with the auto login feature enabled, you are prompted for a password only for operations that modify the wallet, such as add.


To view an Oracle wallet:
orapki wallet display -wallet <wallet_location>

Displays the certificate requests, user certificates, and trusted certificates contained in the wallet.

Adding Certificates and Certificate Requests to Oracle Wallets with orapki

To add a certificate request to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize 
<512|1024|2048>

This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). To sign the request, export it with the export option. See "Exporting Certificates and Certificate Requests from Oracle Wallets with orapki"

To add a trusted certificate to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_
location>

This command adds a trusted certificate, at the specified location (-cert <certificate_location>), to a wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding a user certificate, or the command to add the user certificate will fail.

To add a root certificate to an Oracle wallet
orapki wallet add -wallet <wallet_location> -dn <certificate_dn> -keySize 
<512|1024|2048> -self_signed -validity <number_of_days>

This command creates a new self-signed (root) certificate and adds it to the wallet. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate (-keySize) of 512, 1024, or 2048 bits.

To add a user certificate to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_
location>

This command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at the <wallet_location>. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.

Exporting Certificates and Certificate Requests from Oracle Wallets with orapki

To export a certificate from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert 
<certificate_filename>

This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert.

To export a certificate request from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> 
-request <certificate_request_filename>

This command exports a certificate request with the subject's distinguished name (-dn) from a wallet to a file that is specified by -request.

Managing Certificate Revocation Lists (CRLs) with orapki Utility

CRLs must be managed with orapki. This utility creates a hashed value of the CRL issuer's name to identify the CRLs location in your system. If you do not use orapki, your Oracle server cannot locate CRLs to validate PKI digital certificates. For detailed information about using orapki to manage CRLs refer to "Certificate Revocation List Management".

orapki Utility Commands Summary

This section lists and describes the following orapki commands:

orapki cert create

Purpose

Use this command to create a signed certificate for testing purposes.

Syntax

orapki cert create [-wallet <wallet_location>] -request <certificate_request_
location> -cert <certificate_location> -validity <number_of_days> [-summary]

orapki cert display

Purpose

Use this command to display details of a specific certificate.

Syntax

orapki cert display -cert <certificate_location> [-summary|-complete]

orapki crl delete

Purpose

Use this command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group.

Prerequisites

None

Syntax

orapki crl delete -issuer <issuer_name> -ldap <hostname:ssl_port> -user 
<username> [-wallet <wallet_location>] [-summary]

orapki crl display

Purpose

Use this command to display specific CRLs that are stored in Oracle Internet Directory.

Syntax

orapki crl display -crl <crl_location> [-wallet <wallet_location>] 
[-summary|-complete]

orapki crl hash

Purpose

Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.

Syntax

orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] 
[-symlink|-copy] <crl_directory> [-summary]

orapki crl list

Purpose

Use this command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system.

Syntax

orapki crl list -ldap <hostname:ssl_port>

The -ldap parameter specifies the hostname and SSL port for the directory server from where you want to list CRLs. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" for more information about this port.

orapki crl upload

Purpose

Use this command to upload certificate revocation lists (CRLs) to the CRL subtree in Oracle Internet Directory. Note that you must be a member of the directory administrative group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) to upload CRLs to the directory.

Syntax

orapki crl upload -crl <crl_location> -ldap <hostname:ssl_port> -user <username> 
[-wallet <wallet_location>] [-summary]

orapki wallet add

Purpose

Use this command to add certificate requests and certificates to an Oracle wallet.

Syntax

To add certificate requests:

orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize 
<512|1024|2048>

To add trusted certificates:

orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_
location>

To add root certificates:

orapki wallet add -wallet <wallet_location> -dn <certificate_dn> -keySize 
<512|1024|2048> -self_signed -validity <number_of_days>

To add user certificates:

orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_
location>

orapki wallet create

Purpose

Use this command to create an Oracle wallet or to set auto login on for an Oracle wallet.

Syntax

orapki wallet create -wallet <wallet_location> [-auto_login]

orapki wallet display

Purpose

Use this command to view the certificate requests, user certificates, and trusted certificates in an Oracle wallet.

Syntax

orapki wallet display -wallet <wallet_location>

orapki wallet export

Purpose

Use this command to export certificate requests and certificates from an Oracle wallet.

Syntax

To export a certificate from an Oracle wallet:

orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert 
<certificate_filename>

To export a certificate request from an Oracle wallet:

orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> 
-request <certificate_request_filename>