Sun Java System Web Server 6.1 SP11 Administrator's Guide

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with Sun Java System Web Server 6.1 contains the root certificates for many CAs, including VeriSign. The module makes upgrading your root certificates much easier than before: in the past, you had to delete the old root certificates one at a time and then install the new ones one at a time. To install well-known CA certificates, you can now simply update the root certificate module file to a newer version as it becomes available through future versions of the Sun Java System Web Server or in Service Packs.

Because the root certificate module is implemented as a PKCS#11 cryptographic module, you cannot delete the root certificates it contains, so the delete option is not available when managing these certificates. To remove the root certificates from your server instances, you can disable the root certificate module by deleting the following entries in the server’s alias file:

If you later wish to restore the root certificate module, you can copy the extension from bin/https/lib (UNIX and HP) or bin\https\bin (Windows) back into the alias subdirectory.

You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.