Sun Java System Calendar Server 6 2005Q4 Administration Guide

ProcedureTo Create a Certificate Database

An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server. This section contains conceptual and task information:

Before You Begin

Before you create the certificate database, familiarize yourself with the following:

  1. Log in as or become superuser (root).

  2. Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:

    # echo "password" 

    where password is your specific password.

  3. Create the certificate database alias directory. For example:

    # cd /var/opt/SUNWics5
     # mkdir alias
  4. Move to the bin directory and generate the certificate database (cert8.db) and key database (key3.db). For example:

    # cd /opt/SUNWics5/cal/bin
     # ./certutil -N -d /var/opt/SUNWics5/alias
                     -f /etc/opt/SUNWics5/config/sslPasswordFile

    Note –

    For this and other times when you must run the certutil utility, follow the examples exactly, or consult the certutil help page to understand the syntax.

    For example, in this case, do not run the utility with the -N option without also specifying the -d /file information.

  5. Generate a default self-signed root Certificate Authority certificate. For example:

    # ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu"
     -s "CN=My Sample Root CA," -m 25000
     -o /var/opt/SUNWics5/alias/SampleRootCA.crt
     -d /var/opt/SUNWics5/alias
     -f /etc/opt/SUNWics5/config/sslPasswordFile -z
  6. Generate a certificate for the host. For example:

    # ./certutil -S -n SampleSSLServerCert -c SampleRootCA 
     -t "u,u,u"
     -s "," -m 25001
     -o /var/opt/SUNWics5/alias/SampleSSLServer.crt
     -d /var/opt/SUNWics5/alias 
     -f /etc/opt/SUNWics5/config/sslPasswordFile
     -z /etc/passwd

    where is the server host name.

  7. Validate the certificates. For example:

    # ./certutil -V -u V -n SampleRootCA  
        -d /var/opt/SUNWics5/alias
     # ./certutil -V -u V -n SampleSSLServerCert 
       -d /var/opt/SUNWics5/alias
  8. List the certificates. For example:

    # ./certutil -L -d /var/opt/SUNWics5/alias
     # ./certutil -L -n SampleSSLServerCert 
       -d /var/opt/SUNWics5/alias
  9. Use modutil to list the available security modules (secmod.db). For example:

    # ./modutil -list -dbdir /var/opt/SUNWics5/alias
  10. Change the owner of the alias file to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:

    # find /var/opt/SUNWics5/alias -exec chown icsuser {};
     # find /var/opt/SUNWics5/alias -exec chgrp icsgroup {};