Certificate Authorities Identity and Trust

3-18 Understanding Security for Oracle WebLogic Server

using the corresponding private key and vice versa. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key.

3.6.2 Digital Certificates

Digital certificates are electronic documents used to verify the unique identities of principals and entities over networks such as the Internet. A digital certificate securely binds the identity of a user or entity, as verified by a trusted third party known as a certificate authority, to a particular public key. The combination of the public key and the private key provides a unique identity to the owner of the digital certificate.

Digital certificates enable verification of the claim that a specific public key does in fact belong to a specific user or entity. A recipient of a digital certificate can use the public key in a digital certificate to verify that a digital signature was created with the corresponding private key. If such verification is successful, this chain of reasoning provides assurance that the corresponding private key is held by the subject named in the digital certificate, and that the digital signature was created by that subject.

A digital certificate typically includes a variety of information, such as the following:

■ The name of the subject (holder, owner) and other information required to confirm the unique identity of the subject, such as the URL of the Web server using the digital certificate, or an individual's e-mail address
■ The subject's public key
■ The name of the certificate authority that issued the digital certificate
■ A serial number
■ The validity period (or lifetime) of the digital certificate, defined by a start date and an end date

The most widely accepted format for digital certificates is defined by the ITU-T X.509 international standard. Digital certificates can be read or written by any application complying with the X.509 standard. The public key infrastructure (PKI) in WebLogic Server recognizes digital certificates that comply with X.509 version 3, or X.509v3.

Oracle recommends obtaining digital certificates from a certificate authority such as Verisign or Entrust.
For more information, see Configuring SSL in Securing Oracle WebLogic Server.

3.6.3 Certificate Authorities

Digital certificates are issued by certificate authorities. Any trusted, third-party organization or company that is willing to vouch for the identities of those to whom it issues digital certificates and public keys can be a certificate authority. When a certificate authority creates a digital certificate, the certificate authority signs it with its private key, to ensure that any tampering will be detected. The certificate authority then returns the signed digital certificate to the requesting party. The requesting party can verify the signature of the issuing certificate authority by using the public key of the certificate authority.

The certificate authority makes its public key available by providing a certificate issued from a higher-level certificate authority attesting to the validity of the public key of the lower-level certificate authority. This scheme gives rise to hierarchies of certificate authorities. This hierarchy is terminated by a top-level, self-signed certificate known as the root certificate, because no other public key is needed to certify it. Root certificates are issued by trusted root Certificate Authorities.

If the recipient has a digital certificate containing the public key of the certificate authority signed by a superior certificate authority whom the recipient already trusts, the recipient of an encrypted message can develop trust in the public key of a certificate authority recursively. In this sense, a digital certificate is a stepping stone in digital trust. Ultimately, it is necessary to trust only the public keys of a small number of top-level certificate authorities. Through a chain of certificates, trust in a large number of users' digital signatures can be established.

Thus, digital signatures establish the identities of communicating entities, but a digital signature can be trusted only to the extent that the public key for verifying it can be trusted.
For more information, see Configuring SSL in Securing Oracle WebLogic Server.
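
The recursive trust described in this section can be seen in a small chain walk. This is an added example, not Oracle or WebLogic Server code; it assumes the third-party Python `cryptography` package is installed, and every name and certificate in it is constructed. It checks only the validity period, issuer name, issuer signature and trust anchor, plus the X.509v3 BasicConstraints CA flag (which this section does not mention), and omits revocation and the rest of full path validation.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

AT = dt.datetime(2025, 1, 1)  # constructed validation time (naive UTC)

def issue(subject, issuer, subject_key, issuer_key, serial, is_ca):
    """Constructed test certificate binding `subject` to subject_key, signed by issuer_key."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(AT - dt.timedelta(days=1)).not_valid_after(AT + dt.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def validate_chain(chain, trusted_roots, at=AT):
    """chain is [end entity, intermediate CA(s)..., root]; returns (ok, reason)."""
    trusted = {r.fingerprint(hashes.SHA256()) for r in trusted_roots}
    if chain[-1].fingerprint(hashes.SHA256()) not in trusted:
        return False, "root is not in the trust store"
    # Check each certificate against the next one up; the self-signed root against itself.
    for i, (cert, issuer) in enumerate(zip(chain, chain[1:] + chain[-1:])):
        # Naive-UTC accessors; cryptography >= 42 also offers timezone-aware *_utc forms.
        if not cert.not_valid_before <= at <= cert.not_valid_after:
            return False, f"certificate {i} is outside its validity period"
        if cert.issuer != issuer.subject:
            return False, f"certificate {i} was not issued by the next certificate"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, f"issuer of certificate {i} is not a CA"
        try:  # the issuer's public key must verify the signature over the signed (TBS) bytes
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"signature on certificate {i} does not verify"
    return True, "chain ends at a trusted root"

def demo():
    """Constructed root -> issuing CA -> server chain, plus a forged server certificate."""
    k = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("root", "ca", "server", "rogue")}
    root = issue("Example Root CA", "Example Root CA", k["root"], k["root"], 1, True)
    inter = issue("Example Issuing CA", "Example Root CA", k["ca"], k["root"], 2, True)
    server = issue("www.example.com", "Example Issuing CA", k["server"], k["ca"], 3, False)
    forged = issue("www.example.com", "Example Issuing CA", k["rogue"], k["rogue"], 4, False)
    return {"good": validate_chain([server, inter, root], [root]),
            "forged": validate_chain([forged, inter, root], [root]),
            "untrusted": validate_chain([server, inter, root], [])}
```

The forged certificate names the issuing CA but was signed with a different key, so it fails at the signature step; the same genuine chain fails when the root is absent from the recipient's trust store.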

3.6.4 Certificate Lookup and Validation