Support Status for Wildcard, SNI and SAN SSL Certificates for Oracle HTTP Server and Web Cache 11g/12c
(Doc ID 2225494.1)
Last updated on OCTOBER 22, 2020
Applies to:
Oracle Fusion Middleware - Version 11.1.1.1.0 and laterWeb Cache - Version 11.1.1.1.0 to 11.1.1.9.0 [Release Oracle11g]
Oracle HTTP Server - Version 11.1.1.1.0 and later
Information in this document applies to any platform.
Details
Overview
There is a question if Wildcard, Server Name Indication (SNI), and Subject Alternate Name (SAN) certificates are supported with Oracle HTTP Server (or any product using an Oracle Wallet). SSL Certificates for Oracle HTTP Server and Oracle Web Cache are set up using the Oracle Wallets and support must follow the same capabilities provided from the Oracle Wallet technology. There is a collaborative effort required to support the proper processing of SSL when using any new feature with these products.
The purpose of this new document is to track the progress of supporting the newer industry features of Wildcard, SNI, and SAN certificates for 11g and 12c releases.
Actions
Wild Card Certificates
See <Note 291774.1> for 10g where this was historically not supported by Oracle. The use of "wild card certificates" (a popular industry term) is supported with Oracle Wallets beginning with Oracle Wallet Manager (or orapki) 11g (which is initially released with Oracle Database 11g). This means a new certificate request may be generated when using '*' in CN, OU or O parameters of the request. Once the certificate vendor provides the certificate, you may then configure with Oracle Fusion Middleware 11g. The use of wildcard certificates will be supported from version 11.1.1.6 onwards (subject to error correction policies).
Note there may not be any Oracle Documentation for Wildcard (an unofficial industry term), but the newer Wallet Manager and orapki tools accept the "CN=*.<DOMAIN>.com" syntax.
Security Precaution: A certificate that just has "*" is not as secure, as it could map to any identity. On the other hand, there are real use cases for certificates with a CN such as "*.oracle.com" where one can host multiple secure virtual hosts under a single domain. This feature allows administrators to have two separate listeners on different IPs and/or ports using the same certificate/key, with a wildcard certificate. (again, "wildcard" is an industry term, and vendors may call them something different for marketing). Please use this feature to understand the security implications of implementing this approach within your environment and business requirements.
Update: Chrome 58 released an update where a "NET::ERR_CERT_COMMON_NAME_INVALID" warning occurs. Chrome is now enforcing the SAN (SubjectAltName) extension for wildcard certificates. See the section below for SAN certificate support.
Server Name Indication (SNI)
Comparisons to Apache are often made. Oracle HTTP Server 11g is based on Apache 2.2, where Apache 2.2.22 uses mod_ssl which has SNI support built into it to allow for Name Based SSL VirtualHosts. Oracle uses mod_ossl (relying on other Oracle SSL libraries) and it does not contain SNI support. An ER <Bug 16561658> has been filed. The documentation specifically says it is not supported:
12.2.1.4:
https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/administer-ohs/workwith.html#GUID-50D3453F-A01C-4DC9-A751-13ADEC534228
It says:
"
Restrictions
Oracle HTTP Server does not support Server Name Indication (SNI) extension. In absence of SNI support, when setting up more than one SSL enabled virtual host by using a certificate with several SubjectAltName extension entries, only the per-vhost mod_ossl directives set for the first virtual host are considered.
"... (example follows)
Contacts
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Details |
Overview |
Actions |
Wild Card Certificates |
Server Name Indication (SNI) |
Subject Alternative Name (SAN) |
Contacts |
References |