Sun Java System Messaging Server 6.3 Administration Guide To Install Certificates of Trusted CAs

Use ./msgcert add-cert to install the certificates of certificate authorities. A CA certificate validates the identity of the CA itself. The server uses these CA certificates in the process of authenticating clients and other servers.

If, for example, you set up your enterprise for certificate-based client authentication in addition to password-based authentication (see “Setting Up Certificate-Based Login” on page 157), you need to install the CA certificates of all CAs that are trusted to issue the certificates that your clients may present. These CAs may be internal to your organization or they may be external, representing commercial or governmental authorities or other enterprises. (For more details on the use of CA certificates for authentication, see Introduction to Public-Key Cryptography in Managing Servers With iPlanet Console 5.0.)

When installed, Messaging Server initially contains CA certificates for several commercial CAs. If you need to add other commercial CAs or if your enterprise is developing its own CA for internal use (using Sun Java System Certificate Server), you need to obtain and install additional CA certificates.

Note –

The CA certificates automatically provided with Messaging Server are not initially marked as trusted for client certificates. You need to edit the trust settings if you want to trust client certificates issued by these CAs. For instructions, see 23.5.1 Obtaining Certificates.

The following procedure describes the process of requesting and installing CA-signed server and trusted CA certificates for use with Messaging Server.

Procedure: To Request a CA-Signed Server Certificate

You can also use the Directory Server Admin Console to perform this task.

  1. Generate a CA-signed server certificate request.

    msgcert request-cert [-W CERT_PW_FILE] {-S DN|--name NAME [--org ORG] [--org-unit ORG-UNIT]
       [--city CITY] [--state STATE] [--country COUNTRY] } [-F FORMAT] [-o OUTPUT_FILE]

    Below is an example of a request for a CA-signed server certificate. It writes the certificate request in binary format:

    ./msgcert request-cert --name aqua --org siroe --org-unit Messaging -o my_ca_signed_request_cert

    To write the certificate request in ASCII format, use the command as follows:

    ./msgcert request-cert --name aqua --org siroe --org-unit Messaging -F ascii -o my_casigned_request_cert

    Certificate Authorities usually require all of the attributes that are shown in this example in order to completely identify the server. For a description of each attribute, enter ./msgcert request-cert --help. When you request a certificate by using msgcert request-cert, the resulting certificate request is a binary certificate request unless you specify ASCII as the output format. If you specify ASCII, the resulting certificate request is a PKCS #10 certificate request in PEM format. PEM is the Privacy Enhanced Mail format specified by RFCs 1421 through 1424 and is used to represent a base64-encoded certificate request in US-ASCII characters. The content of the request looks similar to the following example:

  2. Transmit the certificate request to your Certificate Authority, according to its procedures.

    The process for obtaining your Certificate Authority certificate differs depending on the certificate authority you use. Some commercial CAs provide a website that allows you to automatically download the certificate. Other CAs will email it to you upon request.

    After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the CA might only take a day or two to respond to your request. If your selected CA is external to your company, the CA could take several weeks to respond to your request.

  3. Save the certificate you receive back from the Certificate Authority.

    You should back up your certificates in a safe location. If you ever lose the certificates, you can reinstall them by using your backup file. You can save them in text files. The PKCS #11 certificate in PEM format looks similar to the following example.

    -----END CERTIFICATE-----

Procedure: To Add the CA-Signed Server Certificate and Trusted CA Certificate

You can also use the Directory Server Admin Console to perform this task.

  1. Add the CA-signed server certificate using the following command:

    msgcert add-cert cert_alias cert_file

    Where cert_alias is the name that you choose to identify your certificate, and cert_file is the text file containing the PKCS #11 certificate in PEM format.

    For example, to install a CA-signed server certificate under the alias my-server-cert, you might use a command similar to:

    msgcert add-cert my-server-cert /my_cert/server-cert-file

    The certificate is now installed, but is not yet trusted. To trust the CA-signed server certificate, you must install the Certificate Authority certificate.

  2. Add the trusted Certificate Authority certificate using the following command:

    msgcert add-cert -C cert_alias cert_file

    The -C option indicates that the certificate is a trusted Certificate Authority certificate.

    For example, to install a trusted certificate from a Certificate Authority, you might use the command:

    msgcert add-cert -C CA-cert /my_cert/ca-cert-file

  3. Optionally, use the following command to verify your installed certificates:

    To list all server certificates, showing information such as alias and validity dates:

    msgcert list-certs

    Messaging Server has a default certificate called Server-Cert when the certificate database is generated with ./msgcert generate-CertDB. The text Same as issuer in the Issued to column indicates that the certificate is a self-signed server certificate. For example:

    # ./msgcert list-certs
    Enter the certificate database password:
    Alias          Valid from       Expires on       Self-   Issued by               Issued to
    ------------   ----------------  --------------- ------  ---------------------   --------------
    SelfSignedCrt 2006/07/28 12:58  2006/10/28 12:58   y     CN=SFO,L=SC,ST=ca,C=us  Same as issuer
    Server-Cert   2006/07/28 07:47  2006/10/28 07:47   y     CN=perseids             Same as issuer
    2 certificates found

    To list trusted CA certificates:

    msgcert list-certs -C

    To view the details of a certificate, including the certificate expiry date:

    msgcert show-cert cert_alias

    For example, to show a self-signed certificate:

    # ./msgcert show-cert MySelfSigned-Cert
    Enter the certificate database password:
            Version: 3 (0x2)
            Serial Number:
            Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                Not Before: Fri Jul 28 19:58:31 2006
                Not After : Sat Oct 28 19:58:31 2006
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Fingerprint (MD5):
        Fingerprint (SHA1):
        Certificate Trust Flags:
            SSL Flags:
                Valid CA
                Trusted CA
                Trusted Client CA
            Email Flags:
            Object Signing Flags:
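The list-certs output shown in step 3 is what an operator would poll to catch a server or CA certificate before it lapses. The following script is an added example, not part of the guide or the msgcert tool: it parses that table layout and classifies each alias as not-yet-valid, expired, expiring or ok. The first two rows are the ones shown above; the MailServer row is constructed.

```python
"""Parse `msgcert list-certs` output and flag expired or expiring certificates."""
import re
from datetime import datetime, timedelta

# Layout follows the list-certs table in the guide; the MailServer row is constructed.
SAMPLE_OUTPUT = """\
Alias          Valid from       Expires on       Self-   Issued by               Issued to
------------   ----------------  --------------- ------  ---------------------   --------------
SelfSignedCrt 2006/07/28 12:58  2006/10/28 12:58   y     CN=SFO,L=SC,ST=ca,C=us  Same as issuer
Server-Cert   2006/07/28 07:47  2006/10/28 07:47   y     CN=perseids             Same as issuer
MailServer    2006/07/28 08:00  2007/07/28 08:00   n     CN=Siroe CA,O=siroe     CN=aqua,O=siroe
3 certificates found
"""

DATE_FMT = "%Y/%m/%d %H:%M"
# Columns: alias, valid-from, expires-on, self-signed flag, issuer DN, subject (2+ spaces apart).
ROW_RE = re.compile(r"^(\S+)\s+(\d{4}/\d\d/\d\d \d\d:\d\d)\s+(\d{4}/\d\d/\d\d \d\d:\d\d)"
                    r"\s+([yn])\s+(.*?)\s{2,}(.*)$")

def parse_list_certs(text):
    certs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)  # header, separator and "N certificates found" lines do not match
        if not m:
            continue
        alias, start, end, self_flag, issued_by, issued_to = m.groups()
        certs.append({
            "alias": alias,
            "valid_from": datetime.strptime(start, DATE_FMT),
            "expires_on": datetime.strptime(end, DATE_FMT),
            "self_signed": self_flag == "y",  # "Same as issuer" rows carry the y flag
            "issued_by": issued_by.strip(),
            "issued_to": issued_to.strip(),
        })
    return certs

def certificate_status(cert, now, warn_days=30):
    """Classify one certificate relative to `now`: not-yet-valid, expired, expiring or ok."""
    if now < cert["valid_from"]:
        return "not-yet-valid"
    if now >= cert["expires_on"]:
        return "expired"
    if cert["expires_on"] - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def report(text, now_text, warn_days=30):
    """Map alias -> status for a clock reading given in the list-certs date format."""
    now = datetime.strptime(now_text, DATE_FMT)
    return {c["alias"]: certificate_status(c, now, warn_days) for c in parse_list_certs(text)}
```

Aliases reported as expiring or expired are the ones to renew with msgcert renew-cert; a self-signed server certificate flagged y will not be trusted by clients regardless of its dates.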

Procedure: Renewing an Expired CA-Signed Server Certificate

When your CA-signed server certificate (public and private key) expires, you can renew it by using the following procedure. You can also use the Directory Server Admin Console to perform this task.

  1. Obtain an updated CA-signed server certificate from your Certificate Authority.

  2. Once you receive the updated certificate, install the certificate.

    msgcert renew-cert cert_alias cert_file

Procedure: To Export and Import a CA-Signed Server Certificate

In some cases you might want to export a certificate so that you can later import the certificate, for example, to another host. You can also use the Directory Server Admin Console to perform this task.

  1. Export the certificate.

    msgcert export-cert [-o OUTPUT_FILE] CERT_ALIAS

    For example:

    $ ./msgcert export-cert -o /tmp/first-certificate "First Certificate"
    $ ./msgcert export-cert -o /tmp/first-server-certificate Server-Cert
    Choose the PKCS#12 file password:
    Confirm the PKCS#12 file password:
    $ ls /tmp

  2. Import the certificate.

    $ msgcert import-cert CERT_FILE

    For example, to import the certificate:

    $ msgcert import-cert /tmp/first-server-certificate
    Enter the PKCS#12 file password: