Sun Java System Web Proxy Server 4.0.9 Administration Guide

Requesting and Installing Other Server Certificates

In addition to VeriSign, you can also request and install certificates from other Certificate Authorities. Your company or organization might provide its own internal certificates. This section describes how to request and install other types of server certificates.

This section contains the following topics:

  • Required CA Information

  • Requesting Other Server Certificates

  • Installing Other Server Certificates

Required CA Information

Before you start the request process, make sure you know what information your CA requires. The format of the requested information varies by CA, but you are typically asked to provide the identifying information described below. Most of this information is usually not required for certificate renewals.

All information is combined as a series of attribute-value pairs called the distinguished name (DN), which uniquely identifies the subject of the certificate.
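As an added illustration (not code from the Sun guide), the following Python combines the attribute-value pairs a CA asks for into a DN string and escapes the values as RFC 4514 requires, so that a comma in a company name does not split the DN into an extra attribute; the attribute order, the function names and the sample values are assumptions of this example.

```python
# Added example (not from the Sun guide): combine the attribute-value pairs a CA
# asks for into a distinguished name (DN) string, escaping values per RFC 4514.

# Conventional attribute order for a server certificate subject, most specific first.
DN_ORDER = ("CN", "OU", "O", "L", "ST", "C")

# Characters that must be escaped anywhere in a value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')

def escape_value(value):
    """Escape one attribute value; a leading '#' and leading/trailing spaces are also escaped."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def build_dn(attrs):
    """Return the DN string for attrs (a dict keyed by attribute type); CN is required."""
    if not attrs.get("CN"):
        raise ValueError("CN (the server's fully qualified host name) is required")
    return ",".join("%s=%s" % (k, escape_value(attrs[k])) for k in DN_ORDER if k in attrs)

def parse_dn(dn):
    """Split a DN string back into attribute-value pairs, honouring escapes."""
    attrs, key, buf, i = {}, None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch == ",":
            attrs[key], key, buf = "".join(buf), None, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        attrs[key] = "".join(buf)
    return attrs

# Constructed sample request: the comma in the company name is exactly the value
# that would split the DN into an extra attribute if it were not escaped.
SAMPLE_REQUEST = {"CN": "proxy.example.com", "OU": "Web Proxy", "O": "Example, Inc.",
                  "L": "Santa Clara", "ST": "California", "C": "US"}
```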

If you are purchasing your certificate from a commercial CA, you must contact the CA to find out what additional information they require before they issue a certificate. Most CAs require that you prove your identity. For example, they want to verify your company name and who is authorized by the company to administer the server. They might also ask whether you have the legal right to use the information you provide.

Some commercial CAs offer certificates with greater detail and veracity to organizations or individuals who provide more thorough identification. For example, you might be able to purchase a certificate stating that the CA has verified that you are the rightful administrator of the computer, and also that you are a company that has been in business for three years, and have no outstanding customer litigation.

Requesting Other Server Certificates

Procedure: To Request Other Server Certificates

  1. Access either the Administration Server or the Server Manager and click the Security tab.

  2. Click the Request Certificate link.

  3. Specify whether this is a new certificate or a certificate renewal.

    Many certificates expire after a set period of time, such as six months or a year. Some CAs will automatically send you a renewal.

  4. Specify how you want to submit the request for the certificate:

    • To submit the request using email, select CA Email Address and enter the appropriate email address for such requests.

    • To submit the request using the CA’s web site, select CA URL and type the appropriate URL for such requests.

  5. From the Cryptographic Module drop-down list, select the cryptographic module to be used for the key-pair file when requesting the certificate.

  6. Type the password for your key-pair file.

    This is the password you specified when you created the trust database, unless you selected a cryptographic module other than Internal. The server uses the password to obtain your private key and encrypt a message to the CA. The server then sends both your public key and the encrypted message to the CA. The CA uses the public key to decrypt your message.

  7. Provide your identification information, such as name and phone number.

    The format of this information varies by CA. Most of this information is usually not required for certificate renewals.

  8. Double-check your work to ensure accuracy, and then click OK.

    The more accurate the information, the faster your certificate is likely to be approved. If your request is going to a certificate server, you will be prompted to verify the form information before the request is submitted.

    The server generates a certificate request that contains your information. The request carries a digital signature created with your private key. The CA uses that digital signature to verify that the request was not tampered with in transit from your server computer to the CA. In the rare event that the request is tampered with, the CA usually contacts you by phone.

    If you chose to email the request, the server sends an email message containing the request to the CA. Typically, the certificate is then emailed to you. If you specified a URL to a certificate server, your server uses the URL to submit the request to the certificate server. You might get an email response or a response by some other means, depending on the CA.

    The CA notifies you if it agrees to issue you a certificate. In most cases, the CA sends your certificate using email. If your organization is using a certificate server, you may be able to search for the certificate using the certificate server’s forms.

    Note –

    Not everyone who requests a certificate from a commercial CA is given one. Many CAs require you to prove your identity before issuing a certificate. Also, approval often can take anywhere from one day to several weeks. You are responsible for promptly providing all necessary information to the CA.

    Install the certificate once you receive it. In the meantime, you can still use your Proxy Server without SSL.

Installing Other Server Certificates

Your certificate from the CA is encrypted with your public key so that only you can decrypt it. Only by entering the correct password for your trust database can you decrypt and install your certificate.

The three types of certificates are:

  • This Server

  • Server Certificate Chain

  • Certification Authority

A certificate chain is a hierarchical series of certificates signed by successive Certificate Authorities. A CA certificate identifies a Certificate Authority and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA, and so on, up to a root CA.

Note –

If your CA does not automatically send you its certificate, request it. Many CAs include their certificate in the email with your certificate, and both certificates are installed by your server at the same time.

The Proxy Server uses the key-pair file password you specify to decrypt the certificate when it is installed. You can either save the email somewhere accessible to the server, or copy the text of the email and be ready to paste the text into the Install Certificate form, as described in the following procedure.
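As an added example (not code from the Sun guide or the Proxy Server), the following Python pulls each certificate block out of a CA's email reply and checks that its Begin/End Certificate headers, including every hyphen, survived the mail client before the text is pasted into the Install Certificate form; the sample reply is constructed, and its bodies are tiny placeholder DER blobs rather than real certificates.

```python
# Added example (not from the Sun guide): extract the certificate blocks from the
# CA's reply so they can be pasted into the Install Certificate form intact.
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for a CA reply, not a real certificate: each body is a
# tiny DER SEQUENCE so that the structural checks below have something to decode.
SAMPLE_REPLY = """Subject: Your certificate request
Your server certificate and our CA certificate are below.

-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----
"""

def extract_pem_certificates(text):
    """Return every complete PEM certificate in text, re-wrapped to 64 columns.
    Raises ValueError when a header is damaged or a body does not decode."""
    certs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line != BEGIN:
            if "BEGIN CERTIFICATE" in line:      # e.g. a hyphen lost in the mail client
                raise ValueError("damaged BEGIN header: %r" % line)
            i += 1
            continue
        body, i = [], i + 1
        while i < len(lines) and lines[i].strip() != END:
            if "END CERTIFICATE" in lines[i] or "BEGIN CERTIFICATE" in lines[i]:
                raise ValueError("damaged or nested header: %r" % lines[i])
            body.append(lines[i].strip())
            i += 1
        if i == len(lines):
            raise ValueError("BEGIN CERTIFICATE without matching END")
        b64 = "".join(body)
        der = base64.b64decode(b64, validate=True)   # ValueError on a corrupt paste
        if not der or der[0] != 0x30:
            raise ValueError("decoded body is not a DER SEQUENCE")
        wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
        certs.append("\n".join((BEGIN, wrapped, END)))
        i += 1
    return certs
```

With a real reply the first block is the server certificate and the second the CA certificate, which is why both are installed at once.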

Procedure: To Install Other Server Certificates

  1. Access either the Administration Server or the Server Manager and click the Security tab.

  2. Click the Install Certificate link.

  3. Next to Certificate For, select the type of certificate to install:

    • This Server

    • Server Certificate Chain

    • Certification Authority

    For more information about specific settings, see the online Help.

  4. Select the cryptographic module from the drop-down list.

  5. Type the key-pair file password.

  6. Type a certificate name only if you selected Server Certificate Chain or Certification Authority in Step 3.

  7. Provide certificate information by doing one of the following:

    • Select Message Is In This File and then type the full path name to the file that contains the CA certificate.

    • Select Message Text (with headers) and then copy and paste the content of the CA certificate. Be sure to include the Begin Certificate and End Certificate headers, including the beginning and ending hyphens.

  8. Click OK.

  9. Indicate whether you are adding a new certificate or renewing an existing certificate.

    • Add Certificate if you are installing a new certificate.

    • Replace Certificate if you are installing a certificate renewal.

    The certificate is stored in the server’s certificate database. For example:
