
Client Authentication Is Allowing Authentication From A Different CA Chain (Doc ID 454068.1)

Last updated on OCTOBER 31, 2022

Applies to:

Oracle HTTP Server - Version to [Release AS10gR2 to Oracle11g]
Web Cache - Version 10.1.2 to [Release AS10gR2 to Oracle11g]
Information in this document applies to any platform.


- Certificates have been created with the following CA hierarchy:

ROOT_CA ----> SUBCA1 ----> server_subca1.crt, client_subca1.crt
        ----> SUBCA2 ----> server_subca2.crt, client_subca2.crt

- Web Cache or HTTP Server is configured for SSL client authentication and uses a Wallet with a server certificate issued by SUBCA1 (server_subca1.crt).
- The Wallet therefore contains ROOT_CA and SUBCA1 in its Trusted Certificate list.
- The aim is to configure Web Cache or HTTP Server so that only users with a client certificate issued by SUBCA1 (client_subca1.crt) can access the site.
- The problem is that a client certificate issued by SUBCA2 (client_subca2.crt) can still access the site, when in theory it should not be able to.
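
The hierarchy above can be rebuilt with OpenSSL to compare the two client certificates. This is an added example, not Oracle's code or this article's resolution. With ROOT_CA and SUBCA1 as the trust list, generic X.509 path validation accepts client_subca2 because its path still ends at ROOT_CA, while a check anchored on SUBCA1 alone rejects it. All subjects, file names and function names are constructed, and the example assumes the client sends its SUBCA2 certificate along with its own.

```shell
#!/bin/sh
# Added example: all subjects and file names below are constructed.
mkreq() {  # $1 = name; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {   # $1 = name, $2 = issuer name, remaining args go to openssl x509
  _n=$1; _i=$2; shift 2
  openssl x509 -req -in "$_n.csr" -CA "$_i.crt" -CAkey "$_i.key" \
    -CAcreateserial -days 2 -out "$_n.crt" "$@" 2>/dev/null
}
build_pki() {  # rebuild the article's hierarchy inside directory $1
  cd "$1" || return 1
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  mkreq ROOT_CA
  openssl x509 -req -in ROOT_CA.csr -signkey ROOT_CA.key -days 2 \
    -extfile ca.ext -out ROOT_CA.crt 2>/dev/null || return 1
  for i in 1 2; do
    mkreq "SUBCA$i" && sign "SUBCA$i" ROOT_CA -extfile ca.ext || return 1
    mkreq "client_subca$i" && sign "client_subca$i" "SUBCA$i" || return 1
  done
  # Same trusted list as the Wallet in the article: ROOT_CA and SUBCA1.
  cat ROOT_CA.crt SUBCA1.crt > wallet_trust.pem
}
# Path validation against the Wallet-style trust list; $2 is the intermediate
# the client is assumed to send along with its certificate $1.
chain_ok() {
  openssl verify -CAfile wallet_trust.pem -untrusted "$2.crt" "$1.crt" \
    >/dev/null 2>&1
}
# Stricter check: the path must end at SUBCA1 itself, not merely at ROOT_CA.
pinned_ok() {
  openssl verify -partial_chain -CAfile SUBCA1.crt -untrusted "$2.crt" \
    "$1.crt" >/dev/null 2>&1
}

work=$(mktemp -d) && build_pki "$work" || exit 1
chain_ok client_subca1 SUBCA1 && echo "client_subca1: chain accepted"
chain_ok client_subca2 SUBCA2 && echo "client_subca2: chain accepted as well"
pinned_ok client_subca1 SUBCA1 && echo "client_subca1: accepted when pinned"
pinned_ok client_subca2 SUBCA2 || echo "client_subca2: rejected when pinned"
```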



