Sun Java System Web Server 6.1 SP11 Administrator's Guide

Requesting and Installing Other Server Certificates

Besides VeriSign, you can request and install certificates from other certificate authorities. A list of CAs is available through both the Administration Server and the Server Manager Security pages, under Request a Certificate. Your organization might also provide its own internal certificates. This section describes how to request and install such server certificates.

Required CA Information

Before you begin the request process, make sure you know what information your CA requires. Whether you request a server certificate from a commercial CA or an internal CA, you must provide the following information:

All this information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.

If you purchase your certificate from a commercial CA, contact the CA to find out whether any additional information is required before a certificate is issued. Most CAs require proof of your identity. For example, to verify your company name and that the person requesting the certificate is authorized by the company to administer the server, the CA might investigate your legal right to use the information you provided.

Some commercial CAs offer certificates with greater detail and veracity to organizations or individuals who provide more thorough identification. For example, you might be able to purchase a certificate stating that the CA has not only verified that you are the rightful administrator of the www.sun.com computer, but that you are a company that has been in business for three years, and have no outstanding customer litigation.

Procedure: To request other server certificates

To request a certificate, perform the following steps:

  1. Access either the Administration Server or the Server Manager and choose the Security tab.

    From the Server Manager first select the server instance from the drop-down list.

  2. Click the Request a Certificate link.

  3. Select whether this is a new certificate or a certificate renewal.

    Many certificates expire after a set period of time, such as six months or a year. Some CAs will automatically send you a renewal.

  4. Perform the following steps to specify how you want to submit the request for the certificate:

    • If the CA expects to receive the request in an email message, check CA Email and enter the email address of the CA. For a list of CAs, click List of available certificate authorities.

    • If you are requesting the certificate from an internal CA that is using Netscape Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server’s program that handles certificate requests. A sample URL might be: https://CA.mozilla.com:444/cms.

  5. Select the cryptographic module for the key-pair file you want to use when requesting the certificate from the drop-down list.

  6. Enter the password for your key-pair file.

    This is the password you specified when you created the trust database, unless you selected a cryptographic module other than the internal module. The server uses the password to unlock your private key and sign the certificate request with it. The request that goes to the CA contains your public key together with the signed identification fields, and the CA uses that public key to verify the signature. The private key itself never leaves the server.

  7. Enter your identification information.

    The format of this information varies by CA. For a general description of these fields, see the list of certificate authorities, which is available through both the Administration Server and the Server Manager Security pages under Request a Certificate. Note that most of this information usually isn’t required for a certificate renewal.

  8. Double-check your work to ensure accuracy.

    The more accurate the information, the faster your certificate is likely to be approved. If your request is going to a certificate server, you are prompted to verify the form information before the request gets submitted.

  9. Click OK.

  10. For the Server Manager, click Apply, and then Restart for changes to take effect.

    The server generates a certificate request that contains your information. The request carries a digital signature created with your private key. The CA uses that signature to verify that the request wasn’t tampered with on its way from your server machine to the CA. In the rare event that the request is tampered with, the CA will usually contact you by phone.

    If you choose to email the request, the server composes an email message containing the request and sends the message to the CA. Typically, the certificate is then returned to you via email. If instead you specified a URL to a certificate server, your server uses the URL to submit the request to the Certificate Server. You might get a response via email or other means depending on the CA.

    The CA will notify you if it agrees to issue you a certificate. In most cases, the CA will send your certificate via email. If your organization is using a certificate server, you may be able to search for the certificate by using the certificate server’s forms.


    Note –

    Not all requests for a certificate from a commercial CA are granted. Many CAs require proof of identity before issuing a certificate. Also, it can take anywhere from one day to two months to get approval. You are responsible for promptly providing all the necessary information to the CA.


    Once you receive the certificate, you can install it. In the meantime, you can still use your server without SSL.
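The signing relationship described in steps 6 and 10 (the password unlocks the private key, the request is signed with it, and the CA verifies that signature with the public key carried inside the request) can be exercised directly. The following Go program is an added example; it is not part of the Administrator's Guide or of Sun Java System Web Server. It uses the Go standard library in place of the server's key-pair file and of the CA's request handler, and the subject values (www.example.com, Example Corp and the other fields) are constructed. It builds a PKCS#10 request, verifies it as a CA would, then changes one character of the common name to show that a request altered in transit fails the signature check even though it still parses.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// ExampleSubject holds constructed values for the identification fields of
// step 7; together they form the distinguished name carried in the request.
var ExampleSubject = pkix.Name{
	CommonName:         "www.example.com",
	Organization:       []string{"Example Corp"},
	OrganizationalUnit: []string{"Web Operations"},
	Locality:           []string{"Santa Clara"},
	Province:           []string{"CA"},
	Country:            []string{"US"},
}

// NewRequest does what the server does at step 10: it generates a key pair
// (the role of the key-pair file) and signs a PKCS#10 request that carries the
// subject DN and the public half of the key. Only the PEM request is meant to
// leave the machine; the private key stays with the caller.
func NewRequest(subject pkix.Name) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckRequest is the CA's side: decode the request, then verify its signature
// with the public key embedded in the request itself. Any change to the signed
// bytes after signing makes the check fail.
func CheckRequest(pemReq []byte) (pkix.Name, error) {
	block, _ := pem.Decode(pemReq)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return pkix.Name{}, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return pkix.Name{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return pkix.Name{}, fmt.Errorf("signature does not match request body: %w", err)
	}
	return csr.Subject, nil
}

// TamperRequest simulates alteration in transit: the common name inside the DER
// body is swapped for another string of the same length, so the request still
// parses but the signature no longer covers what it says.
func TamperRequest(pemReq []byte) []byte {
	block, _ := pem.Decode(pemReq)
	if block == nil {
		return pemReq
	}
	der := bytes.Replace(block.Bytes, []byte("www.example.com"), []byte("www.examp1e.com"), 1)
	return pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
}

func main() {
	_, req, err := NewRequest(ExampleSubject)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(req))
	name, err := CheckRequest(req)
	fmt.Println("intact request:", name.String(), err)
	_, err = CheckRequest(TamperRequest(req))
	fmt.Println("tampered request:", err)
}
```

Running it prints the PEM request, then the subject DN with a nil error for the intact request, and a signature error for the tampered copy. The same property is what lets the CA detect modification in transit without any shared secret: the verification key travels with the request, and only the holder of the private key could have produced a signature that matches it.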

Installing Other Server Certificates

When your certificate is returned from the CA, you install it by entering the password for your trust database. The certificate itself is public and is not encrypted; the password is needed so that the server can open its key database and pair the certificate with the private key that was generated for the request.

There are three types of certificates, matching the three choices on the Install Certificate form:

  • a certificate for this server,

  • a CA certificate to include in the server certificate chain, and

  • a trusted CA certificate used for client authentication.

A certificate chain is a hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, up to a root CA.


Note –

If your CA does not automatically send you its certificate, ask the CA to send it. Many CAs include their certificate in the email with your certificate, and your server installs both certificates at the same time.

When you receive the certificate from the CA, you can either save the email somewhere accessible to the server, or copy the text of the email and be ready to paste the text into the Install Certificate form, as described here. In either case the server asks for the key-pair file password at install time so that it can store the certificate alongside the matching private key.


Installing a Certificate

To install a certificate, perform the following steps:

Procedure: To install a certificate

  1. Access either the Administration Server or the Server Manager and choose the Security tab.

    From the Server Manager you must first select the server instance from the drop-down list.

  2. Click the Install Certificate link.

  3. Check the type of certificate you are installing:

    • This Server is for a single certificate associated only with your server.

    • Server Certificate Chain is for a CA’s certificate to include in a certificate chain.

    • Trusted Certificate Authority (CA) is for a certificate of a CA that you want to accept as a trusted CA for client authentication.

  4. Select the Cryptographic Module from the drop-down list.

  5. Enter the Key-Pair File Password.

  6. Leave the certificate name field blank if this will be the only certificate used for this server instance. Enter a name in either of the following cases:

    • Multiple certificates will be used for virtual servers: enter a certificate name that is unique within the server instance.

    • A cryptographic module other than the internal module is used: enter a certificate name that is unique across all server instances that share that cryptographic module.

    If a name is entered, it is displayed in the Manage Certificates list and should be descriptive. For example, “United States Postal Service CA” is the name of a CA, and “VeriSign Class 2 Primary CA” describes both a CA and the type of certificate. When no certificate name is entered, the default value is applied.

  7. Select either:

    • Message is in this file, and enter the full pathname to the saved email

    • Message text (with headers), and paste the email text

      If you copy and paste the text, make sure you include the delimiter lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, with all five hyphens at each end of both lines. The server does not recognise a certificate whose delimiters are incomplete.

  8. Click OK.

  9. Select either:

    • Add Certificate if you are installing a new certificate.

    • Replace Certificate if you are installing a certificate renewal.

  10. For the Server Manager, click Apply, and then Restart for changes to take effect.

    The certificate is stored in the server’s certificate database. The filename will be <alias>-cert8.db, where <alias> identifies the server instance. For example:

    https-serverid-hostname-cert8.db
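The install step depends on three things the form does not check for you: the pasted text must contain complete -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters, a reply that carries both your server certificate and the CA's certificate has to be split between This Server and Server Certificate Chain (or Trusted CA), and the certificate must belong to the key pair that made the request. The following Go program is an added example, not code from the Administrator's Guide or from the product. In place of a real CA's reply it constructs its own CA and server certificates (the sender ca@example.com and the CA name "Example Internal CA" are hypothetical), then performs those checks with the Go standard library, including the chain verification the server will later rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExtractCertificates decodes every block delimited by the complete PEM markers.
// Other block types are skipped; markers missing their hyphens are not recognised at all.
func ExtractCertificates(reply []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(reply); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate block %d: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// CheckInstall sorts the reply into the form's categories (IsCA: Server Certificate
// Chain or Trusted CA; otherwise This Server), confirms the server certificate
// carries the public key of the pair that signed the request, and verifies it chains
// to the CA certificate(s) sent with it. Returns the server CN and the CA count.
func CheckInstall(reply []byte, key *ecdsa.PrivateKey, host string) (string, int, error) {
	certs, err := ExtractCertificates(reply)
	if err != nil {
		return "", 0, err
	}
	roots, caCount := x509.NewCertPool(), 0
	var server *x509.Certificate
	for _, c := range certs {
		if c.IsCA {
			roots.AddCert(c)
			caCount++
		} else {
			server = c
		}
	}
	if server == nil {
		return "", 0, fmt.Errorf("reply contains no server certificate")
	}
	if pub, ok := server.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return "", 0, fmt.Errorf("certificate does not match the key pair that made the request")
	}
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return "", 0, fmt.Errorf("chain check failed: %w", err)
	}
	return server.Subject.CommonName, caCount, nil
}

// BuildConstructedReply stands in for the request step and the CA's email (sender and
// CA name are hypothetical): it generates the server key pair, mints a CA certificate
// and a server certificate for it, and writes both PEM blocks after mail headers.
func BuildConstructedReply(host string) (*ecdsa.PrivateKey, []byte, error) {
	serverKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed")
	}
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: nb, NotAfter: na,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: nb, NotAfter: na,
	}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, &serverKey.PublicKey, caKey)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("certificate creation failed")
	}
	mail := "From: ca@example.com\nSubject: Certificate for " + host + "\n\n" +
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})) +
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}))
	return serverKey, []byte(mail), nil
}

func main() {
	key, reply, err := BuildConstructedReply("www.example.com")
	fmt.Println("constructed reply:", err)
	fmt.Println(CheckInstall(reply, key, "www.example.com"))
}
```

Running it prints the server certificate's common name, the number of CA certificates found in the reply (1) and a nil error. Feeding the same reply to CheckInstall with a different host name fails the chain check, and a paste whose markers lost their hyphens yields no certificates at all, which is the failure the form's warning about the delimiter lines is guarding against.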