Sun Java System Calendar Server 6.3 Administration Guide

Procedure: To Create a Certificate Database

A certificate is required by the gateway to send its public key to the clients. The certificate contains the gateway's public key, the Distinguished Name associated with the gateway's certificate, the serial number and issue date of the certificate, and the expiration date of the certificate. A certificate is issued by a certification authority (CA), which verifies the identity of the gateway. A CA is an authority trusted by one or more users to issue and manage X.509 public key certificates, Certification Authority Revocation Lists (CARLs), and Certificate Revocation Lists (CRLs). The CA is the basic building block of the Public Key Infrastructure (PKI). PKI, in turn, is the set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

The CA inserts its name in every certificate and CRL it generates and digitally signs the certificate with its private key. Once you establish that you trust a CA (directly, or through a certification path), you can trust certificates issued by that CA. You can identify certificates issued by that CA by comparing its name, and you can use its public key to verify that a certificate is valid.

The CA performs four basic PKI functions:

Your server's certificate and key pair represent your server's identity. They are stored in a certificate database that can be either internal to the server or on an external, removable hardware card (smartcard). An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server. This section contains conceptual and task information:

Before You Begin

Before you create the certificate database, familiarize yourself with the following:

  1. Log in as or become superuser (root).

  2. Specify the certificate database password in /etc/opt/SUNWics5/config/sslpassword.conf.

    For example:

    # echo "password file entry" > /etc/opt/SUNWics5/config/sslpassword.conf

    The format of password file entry in the sslpassword.conf file is as follows:

    Internal (Software) Token:password

    where password is your password.

    Note that the password entry in the sslpassword.conf file must use the format shown above, including the literal string Internal (Software) Token:. However, the password file passed to certutil with the -f passwordfile option must use the following simple format, with nothing but the password on the line:

    password

  3. Create the certificate database directory. For example:

    # cd /var/opt/SUNWics5
    # mkdir alias

  4. Change to the bin directory and generate the certificate database (cert8.db) and key database (key3.db). For example:

    # cd /opt/SUNWics5/cal/bin
    # ./certutil -N -d /etc/opt/SUNWics5/config \
        -f /mypath/mypasswordfile

    Note –

    For this and other times when you must run the certutil utility, follow the examples exactly, or consult the certutil help page to understand the syntax.

    For example, in this case, do not run the utility with the -N option without also specifying the database directory with -d.


  5. Generate a default self-signed root Certificate Authority certificate. For example:

    # ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
        -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
        -o /etc/opt/SUNWics5/config/SampleRootCA.crt \
        -d /etc/opt/SUNWics5/config \
        -f /mypath/mypasswordfile -z /etc/passwd

  6. Generate a certificate for the host. For example:

    # ./certutil -S -n SampleSSLServerCert -c SampleRootCA \
        -t "u,u,u" \
        -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 \
        -o /etc/opt/SUNWics5/config/SampleSSLServer.crt \
        -d /etc/opt/SUNWics5/config \
        -f /mypath/mypasswordfile \
        -z /etc/passwd

    where hostname.sesta.com is the server host name.

  7. Validate the certificates. For example:

    # ./certutil -V -u V -n SampleRootCA \
        -d /etc/opt/SUNWics5/config
    # ./certutil -V -u V -n SampleSSLServerCert \
        -d /etc/opt/SUNWics5/config

  8. List the certificates. For example:

    # ./certutil -L -d /etc/opt/SUNWics5/config
    # ./certutil -L -n SampleSSLServerCert \
        -d /etc/opt/SUNWics5/config

  9. Use modutil to list the available security modules (secmod.db). For example:

    # ./modutil -list -dbdir /etc/opt/SUNWics5/config

  10. Change the owner of the alias file to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:

    # find /etc/opt/SUNWics5/config -exec chown icsuser {} \;
    # find /etc/opt/SUNWics5/config -exec chgrp icsgroup {} \;
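The two password files in step 2 use different formats, and both hold the key database password in clear text, so a practitioner usually wants to script their creation and verify the result before handing the directory to the service account in step 10. The following POSIX shell helpers are an added example, not part of the Calendar Server guide or product: they write each file in the format the procedure specifies with owner-only permissions, and they check the sslpassword.conf format, the file mode, and the presence of the cert8.db and key3.db files that step 4 creates. All paths are parameters; the paths in the usage comment are taken from the guide and the password value is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Calendar Server guide: helpers that write the two
# password files the procedure needs in the exact formats it requires, plus
# checks to run afterwards. All paths are parameters supplied by the caller.

# Step 2: sslpassword.conf must contain "Internal (Software) Token:<password>".
# The subshell limits umask 077 to this write, so the file is created mode 0600.
write_sslpassword_conf() {            # $1 = path, $2 = token password
    ( umask 077; printf 'Internal (Software) Token:%s\n' "$2" > "$1" )
}

# The file passed to certutil -f holds the bare password and nothing else.
write_certutil_passfile() {           # $1 = path, $2 = token password
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Succeeds only if the file has exactly one line in the sslpassword.conf
# format with a non-empty password after the colon.
check_sslpassword_conf() {            # $1 = path
    [ -f "$1" ] || return 1
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -q '^Internal (Software) Token:.' "$1"
}

# Succeeds only if group and others have no permission bits at all.
# ls -ld prints e.g. "-rw-------"; columns 5-10 are the group/other bits,
# which is portable across GNU and BSD userlands (stat -c/-f are not).
check_private_mode() {                # $1 = path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 4 creates cert8.db and key3.db in the -d directory; confirm both exist.
check_cert_db_present() {             # $1 = database directory
    [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]
}

# Usage, with the paths the guide uses (PW is the certificate database password):
#   write_sslpassword_conf /etc/opt/SUNWics5/config/sslpassword.conf "$PW"
#   write_certutil_passfile /mypath/mypasswordfile "$PW"
#   check_sslpassword_conf /etc/opt/SUNWics5/config/sslpassword.conf || echo "bad format"
#   check_private_mode /mypath/mypasswordfile || echo "password file is group/world readable"
#   check_cert_db_present /etc/opt/SUNWics5/config || echo "run certutil -N first"
```

Run the checks after step 10 as well: chown and chgrp do not change the mode bits, so a password file that was created world-readable stays world-readable after the ownership change, and check_private_mode will still report it.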