Deleting a Certificate or Trusted Certificate from the Keystore Using WLST

3. Import the newly issued certificate into the keystore using the same alias as that of the key-pair.
4. If the new certificate was issued by a CA other than the one that issued the original certificate, you may also need to import the new CA's trusted certificate before importing the newly issued certificate.

8.3.6.3 Effect of Host Name Change on Keystores

Typically, the certificate DN is based on the host name of the server where the keystore is used. For example, if a keystore is being created for the Oracle Virtual Directory server on host my.example.com, then the DN of the certificate in this Oracle Virtual Directory keystore will be something like:

CN=my.example.com,O=organization name

This correspondence is required because most clients perform host name verification during the SSL handshake. Clients that perform host name verification include Web browsers and Oracle HTTP Client, among others. If the host name of the server does not match that of the certificate DN:

■ A clear warning is displayed in the case of browser clients.
■ There may be an SSL handshake failure in the case of other clients.

Thus, whenever you have a keystore on a server that accepts requests from clients, you must ensure that whenever the host name of this server changes, you also update the certificate in the keystore. This is done by requesting a new certificate with a new DN based on the new host name.

For a Production Keystore

The steps are:
1. Generate a new request with the new DN based on the new host name.
2. Send this request to a certificate authority (CA).
3. Get back a new certificate from the CA.
4. Import the new certificate with the same alias as the key-pair for which the certificate request was generated.

For a Self-signed Keystore

The steps are:
1. Delete the existing keystore.
2. Create a new keystore with a key-pair using the new DN based on the new host name.

For Both Keystore Types

For both production and self-signed keystores, once the new certificate is available in the keystore, ensure that it is imported into all the component keystores where it needs to be trusted.
For example, if the HTTP listener on Oracle Virtual Directory was SSL-enabled and its certificate changed due to a host name change, then you need to import its new certificate into the client keystore or browser repository so that it can trust its new peer.
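The following is an added example, not code from the Oracle Fusion Middleware documentation or product. It models the host name verification step that browsers and other verifying clients perform during the SSL handshake: the subject DN is parsed, the CN (or, when present, subjectAltName dNSName entries) is compared against the host the client connected to, and the comparison is repeated for a renamed host to show why the keystore certificate must be reissued after a host name change. The DNs, host names and the helper names (parse_dn, host_matches_certificate, hostname_change_report) are constructed for this illustration and are not Oracle APIs.

```python
"""Host-name verification against a certificate subject, written the way
verifying clients (browsers, Oracle HTTP Client) behave during the SSL
handshake. Added, stand-alone example; the DNs and host names below are
constructed for illustration, not taken from any real keystore."""
import re


def parse_dn(dn):
    """Split an RFC 2253 style DN such as "CN=my.example.com,O=organization name"
    into (attribute, value) pairs, honouring backslash-escaped commas in values."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def common_name(dn):
    """Return the first CN value in the DN, or None if it has none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def dns_name_matches(pattern, host):
    """RFC 6125 style comparison: case-insensitive, and a wildcard may only
    replace the whole leftmost label (so *.example.com matches my.example.com
    but not a.b.example.com or example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Require at least two labels after the wildcard so "*.com" never matches.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_certificate(host, subject_dn, san_dns_names=()):
    """Decide whether a client connecting to `host` would accept a certificate
    with this subject DN. If the certificate carries subjectAltName dNSName
    entries, only those are consulted (the CN is ignored, as modern clients
    do); otherwise the subject CN is used as the server name."""
    names = list(san_dns_names)
    if not names:
        cn = common_name(subject_dn)
        names = [cn] if cn else []
    return any(dns_name_matches(name, host) for name in names)


def hostname_change_report(old_host, new_host, subject_dn):
    """Show what happens after the server is renamed while the keystore still
    holds the certificate issued for the old name."""
    return {
        "before_rename": host_matches_certificate(old_host, subject_dn),
        "after_rename": host_matches_certificate(new_host, subject_dn),
    }


if __name__ == "__main__":
    # Constructed DN in the same form as the one used in the text above.
    dn = "CN=my.example.com,O=organization name"
    print(hostname_change_report("my.example.com", "new.example.com", dn))
    # {'before_rename': True, 'after_rename': False}
```

The after_rename result is the SSL handshake failure (or browser warning) described above: the same key-pair and certificate that were valid for my.example.com are rejected once the server answers as new.example.com, which is why a new request with the new DN has to be issued and the resulting certificate imported under the same alias.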

8.4 Wallet Management

This section contains the following topics:

■ About Wallets and Certificates
■ Accessing the Wallet Management Page in Fusion Middleware Control
■ Managing the Wallet Life Cycle
■ Common Wallet Operations
■ Managing the Certificate Life Cycle
■ Accessing the Certificate Management Page for Wallets in Fusion Middleware Control
■ Common Certificate Operations
■ Wallet and Certificate Maintenance

8.4.1 About Wallets and Certificates

This section contains the following topics:

■ Password-Protected and Autologin Wallets
■ Self-Signed and Third-Party Wallets
■ Sharing Wallets Across Instances
■ Wallet Naming Conventions

8.4.1.1 Password-Protected and Autologin Wallets

You can create two types of wallets:

■ Auto-login wallet
This is an obfuscated form of a PKCS12 wallet that provides PKI-based access to services and applications without requiring a password at runtime. You can also add to, modify, or delete the wallet without needing a password. File system permissions provide the only protection for an auto-login wallet, so restrict read access to the account that runs the component.

■ Password-protected wallet
As the name suggests, this type of wallet is protected by a password. Any addition, modification, or deletion to the wallet content requires a password.

Note: In previous releases, you could create a wallet with a password and then enable auto-login to create an obfuscated wallet. With 11g Release 1 (11.1.1), auto-login wallets are created without a password. When using such a wallet, you do not need to specify a password. If using an auto-login wallet without a password, specify a null password in the ldapbind command. Older types of wallets, such as Release 10g wallets, continue to work as they did earlier.