Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Procedure: To Request a CA-Signed Certificate for Directory Proxy Server

Self-signed certificates are useful for test purposes. However, in a production environment, using trusted Certificate Authority (CA) certificates is more secure.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Request a CA-signed server certificate.

    $ dpadm request-cert instance-path cert-alias

    where cert-alias is the name of the certificate that you are requesting. Certificate Authorities might require all of the options of the command to identify the server. For a description of all command options, see the dpadm(1M) man page.

    The process for obtaining a CA certificate depends on the CA that you use. Some commercial CAs provide a web site that allows you to download the certificate. Other CAs will send the certificate to you in email.

    For example, you could request a certificate called my-CA-signed-cert as follows:

    $ dpadm request-cert -S cn=my-request,o=test /local/dps my-CA-signed-cert

    When you request a certificate by using the dpadm request-cert command, the certificate request is a PKCS #10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is the format specified by RFCs 1421 through 1424. For more information, see those RFCs. The PEM format represents a base64-encoded certificate request in ASCII format.

    When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.

  2. Send the certificate request to the CA, according to its procedures.

    After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the response time can be short. However, if the CA is external to your company, the CA can take several weeks to respond to your request.

  3. Save the certificate that you receive from the CA.

    Save your certificate in a text file, and back up the certificate in a safe location.
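The following check is an added example, not part of the original guide or of the product's tooling. It confirms that a text file holds exactly one well-formed PEM block of the expected type and no private key, both before sending the PKCS #10 request in step 2 and when saving the CA's reply in step 3. The function names, the label sets and the sample payload are assumptions made for illustration.

```python
import base64
import re

# PEM armour: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}  # PKCS #10
CERT_LABELS = {"CERTIFICATE"}


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_single_block(text: str, allowed_labels: set) -> bytes:
    """Return the DER payload if text is one well-formed PEM block of an allowed type."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("file contains a private key; never send or share it")
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    begin, body, end = blocks[0]
    if begin != end or begin not in allowed_labels:
        raise ValueError(f"unexpected PEM label: BEGIN {begin} / END {end}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der_sequence_ok(der):
        raise ValueError("payload is not a single DER SEQUENCE (truncated or padded?)")
    return der


# Constructed placeholder payload (SEQUENCE { INTEGER 0 }), not a real request.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_REQUEST = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                  + base64.b64encode(SAMPLE_DER).decode()
                  + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(check_single_block(SAMPLE_REQUEST, CSR_LABELS).hex())
```

This checks only the PEM armour and the outer DER length, so it catches truncated or mis-pasted files but does not validate the request's signature or subject.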