Generating and Installing SSL Certificates
This appendix provides information on SSL certificates. An SSL certificate provides encryption and decryption capabilities using a public and private key pair.
i-Planet software supports SSL certificates generated by you (self-signed certificates) or purchased from an official certificate authority. Self-signed certificates and web certificates purchased from certificate authority vendors are stored in the rp.keystore file; root certificates purchased from certificate authority vendors are stored in the rp.CAstore file. You should maintain backup copies of these files.
During i-Planet software installation, you created and installed a self-signed SSL certificate. At some point after installation, you might want to generate a new self-signed certificate; you might want to change the information for the certificate you entered during the original installation, for example.
To generate a self-signed certificate

1. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

The Certificate Administration menu is displayed:
1) Generate Self-Signed Certificate
2) Generate Certificate Signing Request (CSR)
3) Add Root CA Certificate
4) Install Certificate from Certificate Authority (CA)
5) Quit
choice: [5]

2. Enter 1 on the Certificate Administration menu to generate a self-signed certificate.

The Certificate Administration script prompts you to enter certain organization-specific information and a passphrase for the self-signed certificate:
What is the fully qualified DNS name of this host? [hostname.domainname]
What is the name of your organization? []
What is the name of your organizational unit? []
What is the name of your City or Locality? []
What is the name of your State or Province? []
What is the two-letter country code for this unit? []
...
Enter passphrase []

3. Enter your organization-specific information and a passphrase for the self-signed certificate.

A self-signed certificate is generated and your prompt returns.

4. Restart the i-Planet gateway for the certificate to take effect.

To restart the i-Planet gateway:
# /opt/SUNWsnrp/bin/iplanet_gw stop
# /opt/SUNWsnrp/bin/iplanet_gw start
During i-Planet software installation, you created and installed a self-signed SSL certificate. At any point after installation, you have the option to install SSL certificates signed by vendors who provide official certificate authority (CA) services. A certificate from a CA vendor is necessary for the i-Planet server if you are using SSL between the i-Planet gateway and the i-Planet server.
i-Planet software contains root certificates that can be used with SSL certificates from Verisign, Inc. If you decide to install an SSL certificate from a vendor other than Verisign, you must install a root certificate from that vendor first, and then install the web server certificate.
Certificates are stored in the rp.keystore file. Once you generate a certificate signing request (used to request a certificate from a third-party vendor), make sure you keep a backup copy of the rp.keystore file. This file contains your private key, which is associated with the certificate that you purchase; if you lose the file, you will not be able to use the certificate that you bought.
To install SSL certificates from Verisign

1. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

The Certificate Administration menu is displayed:
1) Generate Self-Signed Certificate
2) Generate Certificate Signing Request (CSR)
3) Add Root CA Certificate
4) Install Certificate from Certificate Authority (CA)
5) Quit
choice: [5]

2. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To generate a self-signed certificate" earlier in this appendix.

If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:
Is this information correct (y/n)? [n]

a. Enter y if the information is correct or enter n if it is not correct.

If you enter y, the Certificate Administration script asks you to enter various organization-specific information:
What is the name of the admin/webmaster for this server? []
What is the email address of the admin/webmaster for this server? []
What is the phone number of the admin/webmaster for this server? []

b. Enter your organization-specific information.

The Certificate Administration script displays the values you enter and asks the question:
Are these values correct (y/n)? [n]

c. Enter y if the information is correct or enter n if it is not correct.

If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

If you enter n, the Certificate Administration script asks you to enter the values again.

3. Go to the Certificate Authority's website and order your web server certificate.

a. Provide information from your CSR, as requested by the CA.

b. Provide other information, as requested by the CA, such as a passphrase.

c. Specify your web server type as: Java Webserver.

Specifying Java Webserver means that you want your certificate in PEM format.

4. After you receive your certificate from the CA, save it in a file.

The certificate begins with a line that reads:
-----BEGIN CERTIFICATE-----

continues with the certificate itself, and ends with a line that reads:
-----END CERTIFICATE-----

Make sure you include both of these lines with the certificate in the file.

5. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

The Certificate Administration menu is displayed:
1) Generate Self-Signed Certificate
2) Generate Certificate Signing Request (CSR)
3) Add Root CA Certificate
4) Install Certificate from Certificate Authority (CA)
5) Quit
choice: [5]

6. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

The Certificate Administration script asks the question:
What is the name (including path) of the file that contains the certificate? []

7. Enter the full path to the file containing the certificate.

Your certificate is stored in the rp.keystore file and your prompt returns.

8. Restart the i-Planet gateway or server, as appropriate, for the certificate to take effect.

To restart the i-Planet gateway:
# /opt/SUNWsnrp/bin/iplanet_gw stop
# /opt/SUNWsnrp/bin/iplanet_gw start
To restart the i-Planet server:
# /opt/SUNWjeev/bin/iplanet_serv stop
# /opt/SUNWjeev/bin/iplanet_serv start

9. Make a backup copy of the rp.keystore file.

To install SSL root certificates and SSL certificates from other vendors

You must have already generated a self-signed certificate to install a root certificate.

1. Go to the Certificate Authority's website and download its root certificate.

The website should contain instructions for downloading the certificate, usually as a file.

2. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

The Certificate Administration menu is displayed:
1) Generate Self-Signed Certificate
2) Generate Certificate Signing Request (CSR)
3) Add Root CA Certificate
4) Install Certificate from Certificate Authority (CA)
5) Quit
choice: [5]

3. Enter 3 on the Certificate Administration menu to add a root certificate.

The Certificate Administration script asks the question:
What is the name (including path) of the file that contains the root certificate that you would like to add to your database? []

a. Enter the full path to the file containing the root certificate.

The file is displayed and the Certificate Administration script asks the question:
Is this information correct (y/n)? [n]

b. Enter y if the file is correct, or n if it is not.

If you enter y, the root certificate is stored in the rp.CAstore file and your prompt returns.

If you enter n, the root certificate is not added and your prompt returns.

4. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

5. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To generate a self-signed certificate" earlier in this appendix.

If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:
Is this information correct (y/n)? [n]

a. Enter y if the information is correct or enter n if it is not correct.

If you enter y, the Certificate Administration script asks you to enter various organization-specific information:
What is the name of the admin/webmaster for this server? []
What is the email address of the admin/webmaster for this server? []
What is the phone number of the admin/webmaster for this server? []

b. Enter your organization-specific information.

The Certificate Administration script displays the values you enter and asks the question:
Are these values correct (y/n)? [n]

c. Enter y if the information is correct or enter n if it is not correct.

If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

If you enter n, the Certificate Administration script asks you to enter the values again.

6. Return to the Certificate Authority's website and order your web server certificate.

a. Provide information from your CSR, as requested by the CA.

b. Provide other information, as requested by the CA, such as a passphrase.

c. Specify your web server type as: Java Webserver.

Specifying Java Webserver means that you want your certificate in PEM format.

7. After you receive your certificate from the CA, save it in a file.

The certificate begins with a line that reads:
-----BEGIN CERTIFICATE-----

continues with the certificate itself, and ends with a line that reads:
-----END CERTIFICATE-----

Make sure you include both of these lines with the certificate in the file.
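The BEGIN/END framing that step 7 (and step 4 of the Verisign procedure) tells you to preserve is easy to get wrong when a certificate is copied out of an e-mail or retyped. The checker below is an added example, not part of the i-Planet software or of this document: it reads the text of the saved file and reports a marker line with the wrong number of dashes, stray non-base64 text between the markers, or a body whose outer DER length does not match the bytes present, so the file can be fixed before its path is given to certadmin. The certificate body it embeds is a constructed placeholder, not a real certificate.

```python
import base64
import binascii

BEGIN_LINE = "-----BEGIN CERTIFICATE-----"
END_LINE = "-----END CERTIFICATE-----"

# Constructed sample, not a real certificate: one DER SEQUENCE holding a
# single INTEGER, base64-encoded and framed exactly as certadmin expects.
SAMPLE_DER = bytes.fromhex("3004" "02020100")
SAMPLE_PEM = "%s\n%s\n%s\n" % (BEGIN_LINE, base64.b64encode(SAMPLE_DER).decode(), END_LINE)


def check_der_sequence(der):
    # The outer shell of an X.509 certificate is one ASN.1 SEQUENCE (tag 0x30)
    # whose declared length must account for every remaining byte.
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded data does not start with an ASN.1 SEQUENCE tag"]
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: 0x8n, then n length bytes
        header = 2 + (der[1] & 0x7F)
        length = int.from_bytes(der[2:header], "big")
    if header + length != len(der):
        return ["DER length %d does not match %d bytes present "
                "(truncated or concatenated file?)" % (header + length, len(der))]
    return []


def check_pem_certificate(text):
    # Returns a list of problems; an empty list means the file is ready for certadmin.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    for marker in (BEGIN_LINE, END_LINE):
        if marker not in lines:
            # Usual cause: a marker retyped with the wrong number of dashes.
            near = [ln for ln in lines if marker[5:-5] in ln]
            problems.append("missing exact line %r" % marker +
                            (" (found %r instead)" % near[0] if near else ""))
    if problems:
        return problems
    start, end = lines.index(BEGIN_LINE), lines.index(END_LINE)
    if end < start:
        return ["END line appears before BEGIN line"]
    body = "".join(lines[start + 1:end])
    if not body:
        return ["no certificate data between the BEGIN and END lines"]
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return ["body is not base64 (mail headers or stray text included?): %s" % exc]
    return check_der_sequence(der)
```

Call check_pem_certificate(open(path).read()) on the file saved in step 7; an empty list means the markers and body are in the form certadmin expects, while anything before the BEGIN line or after the END line is ignored.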
8. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

# /opt/SUNWsnrp/bin/certadmin

The Certificate Administration menu is displayed:
1) Generate Self-Signed Certificate
2) Generate Certificate Signing Request (CSR)
3) Add Root CA Certificate
4) Install Certificate from Certificate Authority (CA)
5) Quit
choice: [5]

9. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

The Certificate Administration script asks the question:
What is the name (including path) of the file that contains the certificate? []

10. Enter the full path to the file containing the certificate.

Your certificate is stored in the rp.keystore file and your prompt returns.

11. Restart the i-Planet gateway or server, as appropriate, for the certificate to take effect.

To restart the i-Planet gateway:
# /opt/SUNWsnrp/bin/iplanet_gw stop
# /opt/SUNWsnrp/bin/iplanet_gw start
To restart the i-Planet server:
# /opt/SUNWjeev/bin/iplanet_serv stop
# /opt/SUNWjeev/bin/iplanet_serv start

12. Make a backup copy of the rp.keystore file.

Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.