Migrating Certificates When You Upgrade

If you are migrating from the iPlanet Web Server 4.1 or 6.0, all your files, including your trust and certificate databases, are updated automatically.

Key-pair files and certificates are migrated only the security features on your server is enabled. You can also migrate keys and certificates by themselves using the Security tabs on the Administration Server page and the Server Manager page.

In previous versions, the certificate and key-pair file was referred to by an alias which could be used by multiple server instances. The Administration Server managed all the aliases and their constituent certificates. In the Sun Java System Web Server 6.1, the Administration Server and each server instance have their own certificate and key-pair files, referred to as the trust database instead of an alias.

You manage the trust database and its constituent certificates, including the server certificate and other included Certificate Authorities, from the Administration Server for its self, and from the Server Manager for server instances. The certificate and key-pair database files are now named after the server instance that uses them.In the previous version, if multiple server instances shared the same alias, when migrated the certificate and key-pair file are renamed for the new server instance.

The entire trust database associated with the server instance is migrated. All the Certificate Authorities listed in your previous database are migrated to the Sun Java System Web Server 6.1 database. If duplicate CAs occur, use the previous CA until it expires.

Do not attempt to delete duplicate CAs.

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with the Sun Java System Web Server 6.1 contains the root certificates for many CAs, including VeriSign. The root certificate module enables you to upgrade your root certificates in a much easier way than before. In the past, you were required to delete the old root certificates one at a time, then install the new ones one at a time. To install well-known CA certificates, you can now simply update the root certificate module file to a newer version as it becomes available through future versions of the Sun Java System Web Server, or in Service Packs.

Because the root certificate is implemented as a PKCS#11 cryptographic module, you can not delete the root certificates it contains, so the option to delete is not available when managing these certificates. To remove the root certificates from your server instances, you can disable the root certificate module by deleting the following entries in the server’s alias file:

• libnssckbi.so (on most UNIX platforms)

• libnssckbi.sl (on HP-UX)

• nssckbi.dll (on Windows)

If you later wish to restore the root certificate module, you can copy the extension from bin/https/lib (UNIX and HP) or bin\https\bin (Windows) back into the alias subdirectory.

You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.