A certificate consists of digital data that specifies the name of an individual, company, or other entity, and certifies that the public key, included in the certificate, belongs to that individual. SSL enabled servers must have a certificate and clients may optionally have a certificate.
A certificate is issued and digitally signed by a Certificate Authority, or CA. The CA can be a company that sells certificates over the Internet, or it can be a department responsible for issuing certificates for your company’s intranet or extranet. You decide which CAs you trust enough to serve as verifiers of other people’s identities.
You can request a certificate and submit it to a Certificate Authority (CA). If your company has its own internal CA, request your certificate from them. If you plan to purchase your certificate from a commercial CA, choose a CA and ask for the specific format of the information they require. You can also create a self-signed certificate for the server. Self-signed certificates are not suitable for Internet-facing deployments but can be very useful for development and testing because they allow you to set up test servers without CA involvement.
As mentioned above, a certificate includes the public key of the entity (the web server in this case). A public key is generated based on a particular algorithm (the algorithm type is also encoded in the certificate). The next section provides background on the algorithm types supported by the Web Server for its keys.
Click Server Certificates tab > Request button.
Select a Configuration
Select a configuration from the configuration list for which you need to install the certificate.
Select the token (Cryptographic Device), which contains the keys. If your key is stored in the local key database maintained by the server, choose internal. If your key is stored in a Smart Card or other external device or engine, choose the name of the external token from the drop down list box. Enter the password for the selected token.
Before you begin the request process, make sure you know what information your CA requires. Whether you are requesting a server certificate from a commercial CA or an internal CA, you need to provide the following information:
Server Name must be the fully qualified hostname used in DNS lookups (for example, www.sun.com). This is the hostname in the URL that a browser uses to connect to your site. If these two names do not match, a client is notified that the certificate name doesn’t match the site name, creating doubt about the authenticity of your certificate.
You can also enter wildcard and regular expressions in this field if you are requesting a certificate from an internal CA. Most vendors will not approve a certificate request with a wildcard or regular expression entered for common name.
Organization is the official, legal name of your company, educational institution, partnership, and so on. Most CAs require that you verify this information with legal documents (such as a copy of a business license).
Organizational Unit is an optional field that describes an organization within your company. This can also be used to note a less formal company name (without the Inc., Corp., and so on).
Locality is an optional field that usually describes the city or principality for the organization.
State or Province is optional.
Country is a two-character abbreviation of your country name (in ISO format). The country code for the United States is US.
All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which forms the subject of the certificate.
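The field rules above can be checked before the request is sent to a CA. The following Python sketch is an added example, not part of the Web Server or its CLI; the function names are hypothetical, and the wildcard handling covers only a whole left-most "*" label, not the server's regular expression patterns.

```python
import re

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label

def _esc(value):
    # Escape common DN special characters so a comma in a name stays in its value.
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def check_subject(server_name, org, country, org_unit=None, locality=None, state=None):
    """Return (dn, problems) for the values typed into the request wizard."""
    problems = []
    labels = server_name.split(".")
    wildcard = labels[0] == "*"
    host_labels = labels[1:] if wildcard else labels
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in host_labels):
        problems.append("server name is not a fully qualified hostname")
    if wildcard:
        problems.append("wildcard name: most commercial CAs will not approve it")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("country must be a two-character ISO code")
    parts = [("CN", server_name), ("OU", org_unit), ("O", org),
             ("L", locality), ("ST", state), ("C", country)]
    dn = ",".join(f"{k}={_esc(v)}" for k, v in parts if v)
    return dn, problems

def name_matches(cert_name, url_host):
    """True if the hostname a browser connects to matches the certificate name."""
    c = cert_name.lower().rstrip(".").split(".")
    h = url_host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False                      # a wildcard covers exactly one label
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

if __name__ == "__main__":
    # Constructed sample values, not taken from a real request.
    print(check_subject("www.sun.com", "Sun Microsystems, Inc.", "US",
                        locality="Santa Clara", state="California"))
    print(check_subject("*.sun.com", "sun", "USA"))
    print(name_matches("www.sun.com", "sun.com"))
```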
Choose Certificate Options
You are required to provide the key information. For key type, you can choose RSA or ECC. If the key type is RSA, the key size can be 1024, 2048 or 4098. If your key type is ECC you will also need to select a curve. Keep in mind that generating a new key pair takes time. The longer the key length the longer the time the wizard takes to generate it.
Be sure to select a key type that the CA (to which you will later submit the request for signing) can support.
Select Certificate Type
Select the Certificate Signing Authority (CSA) for the certificate (Self signed or CA signed). If you are selecting a self-signed certificate, you can also associate an HTTP Listener for the certificate. You can also perform this action later.
The generated certificate request will be available in ASCII format in case of CA signed certificate. In case of self signed certificate, it will be installed directly. If the type is self signed, provide values for nickname, validity (Months) and the HTTP Listener name for handling secure requests.
This page provides you with the summary of selected options. Click on Finish to complete the request generation.
To request a certificate through CLI, execute the following command.
wadm> create-cert-request --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 --server-name=servername.org --org=sun --country=ABC --state=DEF --locality=XYZ --token=internal
See CLI Reference, create-cert-request(1).
For creating self signed certificate through CLI, see Creating a Self-Signed Certificate.
This section describes how to configure the Solaris cryptographic framework for use with Web Server.
Remove the .sunw directory from your home directory using the following command.
% rm -rf $HOME/.sunw
Set a new pin using the following command:
% pktool setpin
Enter new PIN:<type the pin here>
Re-enter new PIN:<retype the pin again>
Disable the mechanisms in the pkcs11_kernel.so and pkcs11_softtoken.so files using the following command:
# cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_kernel.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
# cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
Be sure to disable the same mechanisms in the pkcs11_softtoken_extra.so file as well, if it is used.
Type the following commands to add the Solaris crypto framework to Network Security Services (NSS) in the config directory:
$ cd <install-dir>/<instance-dir>/lib
$ modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -add "scf" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
Verify the registration using the following command:
$ cd <install-dir>/<instance-dir>/lib
$ modutil -dbdir <install-dir>/<instance-dir>/config -nocertdb -list
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
       slots: 2 slots attached
       status: loaded
       slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
       slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
  2. scf
       library name: /usr/lib/libpkcs11.so
       slots: 1 slot attached
       status: loaded
       slot: Sun Crypto Softtoken
       token: Sun Software PKCS#11 softtoken
  3. Root Certs
       library name: libnssckbi.so
       slots: There are no slots attached to this module
       status: Not loaded
For more information on creating server certificates, see Requesting a Certificate.
If certificates exist in the NSS database, you can export or import them using the following pk12util commands:
$ pk12util -o server.pk12 -d . -n <server-cert>
$ pk12util -i server.pk12 -d . -h "Sun Software PKCS#11 softtoken"
By default, certutil and pk12util search for databases named cert8.db and key3.db. Use the -P option to specify the prefix for the Web Server, which uses the alternate names https-instance-hostname-cert8.db and https-instance-hostname-key3.db.
From the home page, click the Configurations tab.
In the Configuration page, click the configuration for which you want to enable the PKCS#11 and Allow Bypass options.
Click the Certificates tab.
Click the PKCS#11 Tokens sub tab.
In General Settings, select the check boxes to enable PKCS#11 and Allow Bypass.
Click the Save button.
See CLI reference, set-pkcs11-prop(1).
Start the wadm from the installation directory and perform the following steps:
$ wadm --user=admin
Please enter admin-user-password>enter the administration server password
wadm> list-tokens --config=test.sun.com
internal
Sun Software PKCS#11 softtoken
wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=MyCert --token="Sun Software PKCS#11 softtoken"
Please enter token-pin>enter the password
CLI201 Command 'create-selfsigned-cert' ran successfully
wadm> set-ssl-prop --config=test.sun.com --http-listener=http-listener-1 enabled=true server-cert-nickname="Sun Software PKCS#11 softtoken:MyCert"
CLI201 Command 'set-ssl-prop' ran successfully
wadm> deploy-config test.sun.com
CLI201 Command 'deploy-config' ran successfully
Now, start the Administration Server.
$ cd <install-dir>/<instance-dir>/bin
$ ./startserv
Sun Java System Web Server 7.0 Update 2
Please enter the PIN for the "Sun Software PKCS#11 softtoken" token:enter the password
info: HTTP3072: http-listener-1: https://test.sun.com:2222 ready to accept requests
info: CORE3274: successful server startup
After obtaining the certificate from a CA, you can install the certificate for a configuration using the Administration Console.
Click Server Certificates tab > Install button.
Select a configuration from the configuration list for which you need to install the certificate.
Select the token (Cryptographic Device), which contains the keys. If your key is stored in the local key database maintained by the server, choose internal. If your key is stored in a Smart Card or other external device or engine, choose the name of the external token from the drop down list box. Enter the password for the selected token.
Enter Certificate Data
Paste the certificate text in the text area provided. When you copy and paste the text, be sure to include the headers “Begin Certificate” and “End Certificate”, including the beginning and ending hyphens. You can also click the Browse button and select the .DER file manually.
Provide Certificate Details
Provide a nickname to be used for the certificate. Select the HTTP Listener from the available list for handling the secure requests. You can also select the self signed certificate option.
This page provides you with the summary of selected options. Click on Finish to complete the installation process.
For installing a certificate through CLI, execute the following command.
wadm> install-cert --user=admin --port=8989 --password-file=admin.pwd --config=config1 --token=internal --cert-type=server --nickname=cert1 cert.req
where cert.req contains the certificate data.
See CLI Reference, install-cert(1).
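A paste that loses a header line or part of the body is worth catching before installation. The following Python sketch is an added example, not part of the Web Server; it checks that pasted text carries intact header lines, a valid base64 body, and a DER structure whose declared length matches the decoded data. The function names are hypothetical and the sample is a constructed stand-in, not a real certificate.

```python
import base64, binascii, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Total size the outer DER SEQUENCE header declares, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                          # short form: length in one byte
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_certificate(text):
    """Return (ok, reason) for certificate text about to be installed."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        return False, "BEGIN/END CERTIFICATE header lines missing or damaged"
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return False, f"certificate {i}: body is not valid base64"
        if der_total_length(der) != len(der):
            return False, f"certificate {i}: DER length mismatch (truncated paste?)"
    return True, f"{len(blocks)} certificate block(s) well formed"

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
_DER = bytes.fromhex("3003020105")

def wrap(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_OK = wrap(_DER)
SAMPLE_TRUNCATED = wrap(_DER[:-1])                     # last byte lost in the copy
SAMPLE_NO_HEADERS = base64.b64encode(_DER).decode()    # body only

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_TRUNCATED, SAMPLE_NO_HEADERS):
        print(check_pasted_certificate(sample))
```

The check is structural only: it does not verify the signature, the validity period, or that the certificate matches the private key in the token.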
You can request and install certificates from other certificate authorities. A number of CAs are available in the industry. This section describes how you can request and install external server certificates.
Perform steps 1–5, as described in the To Request a Certificate section. Follow the instructions to complete the request for an external certificate.
In the Certificate Type wizard, select the CA Signed Certificate option and click the Next button.
Review page is displayed. Verify the settings and click the Finish button.
Copy the Certificate Signing Requests (CSR) including the headers and click the Close button.
Go to the certificate authority's web site and complete the formalities to get the certificate signed by the authority.
Save the certificate in a local folder or copy the certificate from the web site.
To install the obtained certificate, perform the steps 1–3, as described in the To Install a Certificate. Follow the instructions to complete the installation of external certificates.
In the Enter Certificate Data page, paste the certificate or provide the path of the file that you have saved in the machine. Click the Next button.
Enter the nickname for the certificate and select the listener from the drop-down list. Click the Next button.
Review page is displayed. Click the Finish button to complete the installation.
For more information on setting a token pin, see To Set the Token Password.
You can renew an existing certificate by following these steps:
Click Server Certificates tab > Certificate Name > Renew button.
Provide Token Information
Enter the password for the token if required. Otherwise click Next to continue.
Update Certificate Details
Review the certificate details and provide the validity period in months.
Update Key Information
For key type, you can choose RSA or ECC. If the key type is RSA, the key size can be 1024, 2048 or 4098. If your key type is ECC you will also need to select a curve. Keep in mind that generating a new key pair takes time.
This page provides you with the summary of selected options. Click on Finish to complete the renewal process.
You must restart the administration server and node, after the administration server certificates are renewed.
For deleting certificates, perform the following tasks:
Click Server Certificates tab.
Select the certificate
Select the certificate name from the certificate list.
Click Delete button to delete the selected certificate.
For deleting a certificate through the CLI, execute the following command:
wadm> delete-cert --user=admin --port=8989 --password-file=admin.pwd --token=internal --config=config1 cert1
See CLI Reference, delete-cert(1).
To renew the administration server certificates, execute the renew-admin-certs CLI command. Use this command to renew the administration certificates with the nicknames Admin-CA-Cert, Admin-Server-Cert, and Admin-Client-Cert. This command also updates the nodes that are currently running and are accessible with the renewed certificates.
After executing this command, it is recommended that you restart the administration servers and nodes so that the new certificates will be in effect. It is necessary that you re-register a node if the node was offline (not running or was not accessible due to network problems) during the renewal of the certificates. For renewing the administration server certificates, execute the following command.
wadm> renew-admin-certs --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --validity=120
See CLI Reference, renew-admin-certs(1).