To Create a Certificate Database (Sun Java System Calendar Server 6 2005Q4 Administration Guide)

Sun Java System Calendar Server 6 2005Q4 Administration Guide

To Create a Certificate Database

An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server. This section contains conceptual and task information:

Before You Begin

Before you create the certificate database, familiarize yourself with the following:

Mozilla Tools — This release includes the following Mozilla tools:
- Certificate Database Tool (certutil) to create and manage the certificate database. For information, refer to the following Web site:
```
http://mozilla.org/projects/security/pki/
        nss/tools/certutil.html
```
  Tip –
  Familiarize yourself with the tool syntax before attempting to generate your certificate database.
- Security Module Database Tool (modutil) to display information about available security modules. For information, refer to the following Web site:
```
http://mozilla.org/projects/security/pki/
        nss/tools/modutil.html
```
  These utilities are available in the following directory:
```
/opt/SUNWics5/cal/lib
```
  or download the most recent version from the Web site.
Library Path Variable — Before you use the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:
```
setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib
```
Example Files and Directories — The examples in this chapter use these files and directories:
- alias is a directory that contains the certificate database. Create the alias directory in the following directory:
```
/var/opt/SUNWics5
```
  Also, make sure you backup the alias directory regularly.
- sslPasswordFile is a text file that contains the certificate database password. This file is used by the certutil utility but not by Calendar Server. Create sslPasswordFile in the following directory:
```
/etc/opt/SUNWics5/config
```
- /etc/passwd introduces entropy for random number generation, that is, this directory is used to generate varied and unique seeds that help ensure truly random results from the random number generator.

Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:
# echo "password" /etc/opt/SUNWics5/config/sslPasswordFile
where password is your specific password.

Create the certificate database alias directory. For example:
# cd /var/opt/SUNWics5 # mkdir alias

Move to the bin directory and generate the certificate database (cert8.db) and key database (key3.db). For example:
# cd /opt/SUNWics5/cal/bin # ./certutil -N -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile
Note –
For this and other times when you must run the certutil utility, follow the examples exactly, or consult the certutil help page to understand the syntax.

For example, in this case, do not run the utility with the -N option without also specifying the -d /file information.

Generate a default self-signed root Certificate Authority certificate. For example:

# ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu"
 -s "CN=My Sample Root CA, O=sesta.com" -m 25000
 -o /var/opt/SUNWics5/alias/SampleRootCA.crt
 -d /var/opt/SUNWics5/alias
 -f /etc/opt/SUNWics5/config/sslPasswordFile -z
 /etc/passwd

Generate a certificate for the host. For example:

# ./certutil -S -n SampleSSLServerCert -c SampleRootCA 
 -t "u,u,u"
 -s "CN=hostname.sesta.com, O=sesta.com" -m 25001
 -o /var/opt/SUNWics5/alias/SampleSSLServer.crt
 -d /var/opt/SUNWics5/alias 
 -f /etc/opt/SUNWics5/config/sslPasswordFile
 -z /etc/passwd

where hostname.sesta.com is the server host name.

Validate the certificates. For example:

# ./certutil -V -u V -n SampleRootCA  
    -d /var/opt/SUNWics5/alias
 # ./certutil -V -u V -n SampleSSLServerCert 
   -d /var/opt/SUNWics5/alias

List the certificates. For example:

# ./certutil -L -d /var/opt/SUNWics5/alias
 # ./certutil -L -n SampleSSLServerCert 
   -d /var/opt/SUNWics5/alias

Use modutil to list the available security modules (secmod.db). For example:
# ./modutil -list -dbdir /var/opt/SUNWics5/alias

Change the owner of the alias file to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:
# find /var/opt/SUNWics5/alias -exec chown icsuser {}; # find /var/opt/SUNWics5/alias -exec chgrp icsgroup {};