Sun Java System Calendar Server 6.3 Administration Guide

ProcedureTo Request and Import a Certificate from a Root Certificate Authority

The following steps tell you how to generate a certificate request, submit it to the Public Key Infrastructure (PKI) Web site, and then import the certificate. These instruction assume you are placing the certificate database under the config directory.

Before You Begin

Both the certificate database and the password file must reside in the same directory. The default shown here is the config directory, but you can choose another directory, in which case, you must configure a different path parameter, as shown in the procedure that follows.

  1. Log in as or become superuser (root).

  2. Move to the bin directory:

    # cd /opt/SUNWics5/cal/bin

  3. Use certutil to generate a Certificate Request based on the Certificate Authority or Public Key Infrastructure (PKI) Web site. For example:

    # ./certutil -R -s ", 
    OU=hostname/ SSL Web Server, O=Sesta, 
    C=US" -p "408-555-1234" -o hostnameCert.req 
    -g 1024  -d /etc/opt/SUNWics5/config 
    -f /mypath/mypassworfile  -z /etc/passwd -a

    where “” is the host name.

  4. Request an test certificate for an SSL web server from the Certificate Authority or Public Key Infrastructure (PKI) Web site. Copy and paste the contents from the hostnameCert.req file into the Certificate Request.

    You will be notified by when your certificate is signed and can be picked up.

  5. Copy the Certificate Authority Certificate Chain and SSL server certificate into text files.

  6. Import the Certificate Authority Certificate Chain into the certificate database to establish a Chain of Authority. For example:

    # ./certutil -A -n "GTE CyberTrust Root"
        -t "TCu,TCu,TCuw" 
        -d /etc/opt/SUNWics5/config 
        -i /export/wspace/Certificates/CA_Certificate_1.txt
        -f /mypath/mypassworfile
    # ./certutil -A -n "Sesta TEST Root CA" 
        -t "TCu,TCu,TCuw" 
        -d /etc/opt/SUNWics5/config 
        -i /export/wspace/Certificates/CA_Certificate_2.txt
        -f /mypath/mypassworfile
  7. Import the signed SSL server certificate:

    # ./certutil -A -n "hostname SSL Server Test Cert"
        -t "u,u,u" -d /etc/opt/SUNWics5/config 
        -i /export/wspace/Certificates/SSL_Server_Certificate.txt
        -f /mypath/mypassworfile
  8. List the certificates in the certificate database:

    # ./certutil -L -d /etc/opt/SUNWics5/config

  9. Configure the SSL Server Nickname in the ics.conf file to be the signed SSL server certificate, For example: “hostname SSL Server Test Cert”.

    Note The host name for the service.http.calendarhostname and service.http.ssl.sourceurl parameters in the ics.conf file should match the host name on the SSL certificate (in case your system has several aliases). For example: