An SSL implementation for Calendar Server requires a certificate database. The certificate database must define a Certificate Authority (CA) and certificates for Calendar Server. This section contains conceptual and task information:
Before you create the certificate database, familiarize yourself with the following:
Mozilla Tools — This release includes the following Mozilla tools:
Certificate Database Tool (certutil) to create and manage the certificate database. For information, refer to the following Web site:
http://mozilla.org/projects/security/pki/nss/tools/certutil.html
Familiarize yourself with the tool syntax before attempting to generate your certificate database.
Security Module Database Tool (modutil) to display information about available security modules. For information, refer to the following Web site:
http://mozilla.org/projects/security/pki/nss/tools/modutil.html
These utilities are available in the following directory:
/opt/SUNWics5/cal/lib
or download the most recent version from the Web site.
Library Path Variable — Before you use the Mozilla tools, set your LD_LIBRARY_PATH variable appropriately. For example:
setenv LD_LIBRARY_PATH /opt/SUNWics5/cal/lib
Example Files and Directories — The examples in this chapter use these files and directories:
alias is a directory that contains the certificate database. Create the alias directory in the following directory:
/var/opt/SUNWics5
Also, make sure you back up the alias directory regularly.
sslPasswordFile is a text file that contains the certificate database password. This file is used by the certutil utility but not by Calendar Server. Create sslPasswordFile in the following directory:
/etc/opt/SUNWics5/config
/etc/passwd introduces entropy for random number generation, that is, this file is read as a noise source to generate varied and unique seeds that help ensure truly random results from the random number generator.
Log in as or become superuser (root).
Specify the certificate database password for certutil in /etc/opt/SUNWics5/config/sslPasswordFile. For example:
# echo "password" > /etc/opt/SUNWics5/config/sslPasswordFile
where password is your specific password.
Create the certificate database alias directory. For example:
# cd /var/opt/SUNWics5
# mkdir alias
Move to the bin directory and generate the certificate database (cert8.db) and key database (key3.db). For example:
# cd /opt/SUNWics5/cal/bin
# ./certutil -N -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile
For this and other times when you must run the certutil utility, follow the examples exactly, or consult the certutil help page to understand the syntax.
For example, in this case, do not run the utility with the -N option without also specifying the -d option with the certificate database directory.
Generate a default self-signed root Certificate Authority certificate. For example:
# ./certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" -s "CN=My Sample Root CA, O=sesta.com" -m 25000 -o /var/opt/SUNWics5/alias/SampleRootCA.crt -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd
Generate a certificate for the host. For example:
# ./certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" -s "CN=hostname.sesta.com, O=sesta.com" -m 25001 -o /var/opt/SUNWics5/alias/SampleSSLServer.crt -d /var/opt/SUNWics5/alias -f /etc/opt/SUNWics5/config/sslPasswordFile -z /etc/passwd
where hostname.sesta.com is the server host name.
Validate the certificates. For example:
# ./certutil -V -u V -n SampleRootCA -d /var/opt/SUNWics5/alias
# ./certutil -V -u V -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
List the certificates. For example:
# ./certutil -L -d /var/opt/SUNWics5/alias
# ./certutil -L -n SampleSSLServerCert -d /var/opt/SUNWics5/alias
Use modutil to list the available security modules (secmod.db). For example:
# ./modutil -list -dbdir /var/opt/SUNWics5/alias
Change the owner and group of the alias directory and everything in it to icsuser and icsgroup (or the user and group identity under which Calendar Server will run). For example:
# find /var/opt/SUNWics5/alias -exec chown icsuser {} \;
# find /var/opt/SUNWics5/alias -exec chgrp icsgroup {} \;
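The whole procedure above as a single script, added here as an example and not taken from the Calendar Server documentation. It assumes certutil and modutil are in $BIN_DIR, that the database password is supplied in the $CERTDB_PASSWORD environment variable, and that DRY_RUN=1 prints each command instead of executing it, so the steps can be reviewed before they are run as root.

```shell
#!/bin/sh
# Added example (not from the Calendar Server docs). Assumptions: certutil and
# modutil in $BIN_DIR, password in $CERTDB_PASSWORD, DRY_RUN=1 prints commands.
set -eu
BIN_DIR=${BIN_DIR:-/opt/SUNWics5/cal/bin}
ALIAS_DIR=${ALIAS_DIR:-/var/opt/SUNWics5/alias}
PW_FILE=${PW_FILE:-/etc/opt/SUNWics5/config/sslPasswordFile}
CAL_HOSTNAME=${CAL_HOSTNAME:-hostname.sesta.com}
CAL_USER=${CAL_USER:-icsuser}
CAL_GROUP=${CAL_GROUP:-icsgroup}
DRY_RUN=${DRY_RUN:-0}

# Print the command line under DRY_RUN=1, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The password file unlocks the key database, so create it readable by root
# only; a plain "echo > file" inherits the umask and may leave it 0644.
write_password_file() {
    if [ "$DRY_RUN" = 1 ]; then echo "write $PW_FILE (mode 0600)"; return; fi
    ( umask 077 && printf '%s\n' "$1" > "$PW_FILE" )
}
init_db() { run "$BIN_DIR/certutil" -N -d "$ALIAS_DIR" -f "$PW_FILE"; }
make_root_ca() {
    run "$BIN_DIR/certutil" -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
        -s "CN=My Sample Root CA, O=sesta.com" -m 25000 \
        -o "$ALIAS_DIR/SampleRootCA.crt" -d "$ALIAS_DIR" -f "$PW_FILE" -z /etc/passwd
}
make_server_cert() {
    run "$BIN_DIR/certutil" -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
        -s "CN=$CAL_HOSTNAME, O=sesta.com" -m 25001 \
        -o "$ALIAS_DIR/SampleSSLServer.crt" -d "$ALIAS_DIR" -f "$PW_FILE" -z /etc/passwd
}
# -u V checks validity for the SSL server usage; a failure here means the
# server certificate will not be usable at runtime.
validate_certs() {
    run "$BIN_DIR/certutil" -V -u V -n SampleRootCA -d "$ALIAS_DIR"
    run "$BIN_DIR/certutil" -V -u V -n SampleSSLServerCert -d "$ALIAS_DIR"
}
# Hand the alias directory, databases included, to the Calendar Server identity.
set_ownership() { run chown -R "$CAL_USER" "$ALIAS_DIR"; run chgrp -R "$CAL_GROUP" "$ALIAS_DIR"; }

main() {
    write_password_file "${CERTDB_PASSWORD:?set CERTDB_PASSWORD first}"
    run mkdir -p "$ALIAS_DIR"
    init_db; make_root_ca; make_server_cert; validate_certs
    run "$BIN_DIR/certutil" -L -d "$ALIAS_DIR"
    run "$BIN_DIR/modutil" -list -dbdir "$ALIAS_DIR"
    set_ownership
}
# Execute the procedure only when invoked as: sh make_certdb.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it once with DRY_RUN=1 to review the exact certutil invocations, then again as root with the password in CERTDB_PASSWORD.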