Sun WebServer Installation Guide

Root CA Configuration

The Root Certificate Authority (CA) is required to create key packages and certificates for web sites on your network. See "SSL Requirements Overview" if you are unfamiliar with the role of the Root CA user and Root CA machine.

You need to configure the Root CA machine, and then create the Root CA that can create credentials for web sites.

To Configure the Root CA Machine
  1. Make sure that the correct packages for generating credentials are installed on the machine:

    SUNWhttp

    Contains tools and scripts for running the Root CA.

    SUNWfns

    Up-to-date Federated Naming Service files.

    SUNWski

    SKI library.

    SUNWskica

    Encryption software for generating key packages and certificates.

    SUNWskicw

    Licensing software for the Root CA.

    SUNWskimc

    SKI 1.0 Software (CA Manual Page Package)

    SUNWskimu

    SKI 1.0 Software (CA User Manual Page Package)

    SUNWssl

    SSL 1.0 Software (Global Version Library)

    SUNWskild

    SKI 1.0 Software Package (US and Canada Library)

    SUNWssld

    SSL 1.0 Software (US and Canada Library)

    These packages are installed during Sun WebServer installation if you choose to install SSL.

  2. Sun WebServer installation will start the processes required for generating security keys and certificates. Make sure that the following processes are running:

    • /usr/lib/security/skiserv

    • /usr/lib/security/cryptorand

  3. Select or create a user to be the Root CA user.


    Note -

    This document will refer to this user as rootca, but you may choose any UNIX user name from /etc/passwd.


  4. Create a directory owned by rootca where you can store credentials.

    This directory should not be readable by others. For example:


    # mkdir /var/SSL_CERTS
    # chmod 700 /var/SSL_CERTS
    # chown rootca /var/SSL_CERTS
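
    The following preflight script is an added example, not part of the Sun guide: it checks the four conditions above (packages installed, daemons running, credential directory mode 700 and owned by the Root CA user) before create_rootca is run. It assumes the Solaris pkginfo(1) command and the package and process names listed in step 1 and step 2; the function names are the example's own.

```shell
#!/bin/sh
# Preflight checks for a Root CA machine (added example, not Sun's code).
# Assumes Solaris pkginfo(1) and the package/daemon names from the guide.

REQUIRED_PKGS="SUNWhttp SUNWfns SUNWski SUNWskica SUNWskicw SUNWskimc SUNWskimu SUNWssl SUNWskild SUNWssld"
REQUIRED_PROCS="/usr/lib/security/skiserv /usr/lib/security/cryptorand"

# Report packages that pkginfo does not know about; returns 1 if any is missing.
check_packages() {
    missing=0
    for p in $REQUIRED_PKGS; do
        if ! pkginfo -q "$p" 2>/dev/null; then
            echo "missing package: $p"
            missing=1
        fi
    done
    return $missing
}

# Report daemons absent from the process table; returns 1 if any is not running.
check_processes() {
    absent=0
    for cmd in $REQUIRED_PROCS; do
        if ! ps -e -o args= | grep -q "^$cmd"; then
            echo "not running: $cmd"
            absent=1
        fi
    done
    return $absent
}

# Verify the credential directory exists, is mode drwx------ and is owned by
# the Root CA user. Prints the first failed condition and returns 1.
check_cert_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner name
    case $1 in
        drwx------*) ;;              # owner rwx only; group/other bits clear
        *) echo "bad mode on $dir: $1 (expected drwx------)"; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "bad owner on $dir: $3 (expected $owner)"; return 1; }
    return 0
}

# Run all checks; usage: preflight /var/SSL_CERTS rootca
preflight() {
    rc=0
    check_packages || rc=1
    check_processes || rc=1
    check_cert_dir "$1" "$2" || rc=1
    return $rc
}
```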
    
To Create the Root CA
  1. Determine the distinguished name (DN) entry for the root CA.

    For details see "Root CA User". An example DN is cn=rootca, o=A.net, st=California, c=US.

  2. Log in to the Root CA machine as the Root CA user.

  3. Run create_rootca.

    If create_rootca is not available in /usr/bin, you have not installed the SUNWski package on this machine.

  4. Enter the DN for the Root CA.


    Enter Distinguished Name (e.g. "o=SUN, c=US")
    or q[uit]: cn=rootca, o=A.net, st=California, c=US
    
  5. Enter the directory name where credentials will be stored.


    Enter directory pathname under which the key package and
    certificate will be stored, or q[uit].
    
    Directory name ? /var/SSL_CERTS
    

    The script will generate public and private encryption keys for the Root CA. All key packages are protected by a password to prevent unauthorized use.

  6. Enter a password for the Root CA key package.


    keypkg: Enter your NEW key package password: 
    keypkg: Reenter your NEW key package password:
    
  7. You have the option of making the key packages available in the naming service. To store the key package in the naming service, you will need the machine's root password.

    Key packages are always stored in files. Making the key package available in the naming service allows other security tools to locate the keys without the full path name.

    The Root CA is now configured. The next step is for the Root CA to generate a key package and certificate for a web site.

    Continue with the next configuration procedure, "Creating Credentials".

  8. If you do not choose this option, you can still store the credentials in FNS manually:


    # skistore -d dirname
    

    where dirname is as specified in step 5.