Sun WebServer Installation Guide

Creating Credentials

The Root CA creates and stores credentials for web sites on the Root CA machine. The certificate can then optionally be signed by another CA, such as VeriSign. When the credentials are ready, they are installed on the Sun WebServer machine for use by the web site.


Note -

"Credentials" in this document refers to a key package (public and private encryption keys) and an associated certificate.


To Create Credentials for a Web Site
  1. Determine the distinguished name entry for the web site, using the Fully Qualified Domain Name (FQDN) as the common name (cn).

    For details on the distinguished name in certificates, see "Root CA User".

  2. Log in to the Root CA machine as the Root CA user.

  3. Create a directory where you can store the credentials you are about to create.


    rootca % mkdir /var/SSL_CERTS/121.122.123.12/
    
  4. Run /usr/http/bin/setup_creds with the appropriate options.

    Valid options are:

    -d output_directory

    Specifies the directory where credentials should be stored; for example, /var/SSL_CERTS/121.122.123.12/.

    -f trusted_file

    (Not required; used to add certificates for other trusted CAs at setup time.) Specifies the full pathname to the file containing the Root CA certificate, for example, /export/skirca2/certs/skirca2.CERT.

    -i IP_Address

    Specifies the IP Address of the web site for which credentials are being created.

    -r rootca

    (Optional) Specifies the name of the Root CA user (the user name you have used to run the script). If -r is omitted, setup_creds will ask for the user name of the Root CA user on this system.


    # /usr/http/bin/setup_creds -r rootca \
    -d /var/SSL_CERTS/121.122.123.12/ -i 121.122.123.12
    
  5. Enter the host name only as the name of the web site. You will be asked to enter the domain name next.

    For example, if the web site is www.V.com, enter www.


    Enter host name on which you run httpd server:
    (Hit return to use localhost)www
    
  6. Enter the domain name of the web site.


    Enter domain name for your server (for example, eng.sun.com)V.com
    
  7. Enter the DN attributes for the web site, without the common name (cn).


    Enter Distinguished Name Suffix for your server (eg: o=SUN, c=US) :o="Company V", st=California, c=US
    
  8. Enter a new password for this web site's credentials.

    Each key package has a password, which should be different from the password for the Root CA's credentials.


    Please provide the password to encrypt your server's private key.
    You will need it when you install the certificates.
    Enter password:
    Reenter password:
             Using configuration file '/tmp/try/host_config
    
    skilogin: Enter your own key package password:
    
  9. The key package and certificate for the site will be generated and stored in the output directory you named.

    The location of the certificate is output_directory/certs/IP_Address.cert. In this example, it would be /var/SSL_CERTS/121.122.123.12/certs/121.122.123.12.cert.

    You will need the certificate if you reinstall this certificate over another one.

  10. Repeat Steps 1 through 9 to generate credentials for additional web sites.
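The prompts in Steps 5 through 7 are easy to answer in the wrong form (an FQDN where only the host name is wanted, or a DN suffix that still carries cn). The following pre-flight script is an added example, not part of the original guide or of Sun WebServer. Its function names are hypothetical, and the "cn=FQDN, suffix" layout it prints is an assumed way of showing the resulting distinguished name; the flags, paths and sample values are the ones used in the procedure above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the answers setup_creds prompts for.
# Function names are hypothetical; flags and paths are the ones in this guide.

valid_ipv4() {                       # dotted quad, each octet 0-255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

host_only() {                        # step 5: bare host name, no domain part
    case "$1" in ""|*.*|*[!A-Za-z0-9-]*|-*|*-) return 1 ;; esac
}

domain_ok() {                        # step 6: domain such as eng.sun.com
    case "$1" in ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

suffix_ok() {                        # step 7: DN attributes without cn
    [ -n "$1" ] || return 1
    case ",$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')" in
        *,cn=*) return 1 ;;
    esac
}

cert_path() {                        # step 9: output_directory/certs/IP_Address.cert
    printf '%s/certs/%s.cert\n' "${1%/}" "$2"
}

# preflight HOST DOMAIN DN_SUFFIX IP OUTPUT_DIR
preflight() {
    host_only "$1" || { echo "host name must not include the domain: $1" >&2; return 1; }
    domain_ok "$2" || { echo "bad domain name: $2" >&2; return 1; }
    suffix_ok "$3" || { echo "DN suffix must be non-empty and must not contain cn" >&2; return 1; }
    valid_ipv4 "$4" || { echo "bad IP address: $4" >&2; return 1; }
    echo "distinguished name: cn=$1.$2, $3"   # assumed display layout
    echo "certificate file:   $(cert_path "$5" "$4")"
    echo "command:            /usr/http/bin/setup_creds -r rootca -d $5 -i $4"
}

# Values from the procedure above.
preflight www V.com 'o="Company V", st=California, c=US' \
    121.122.123.12 /var/SSL_CERTS/121.122.123.12/
```

The script only validates and prints; it does not create the directory or run setup_creds.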

You now have a "self-signed" certificate. You can use this for SSL encryption if the connecting browser has your Root CA in its list of trusted CAs. This is useful within your organization where you can update browsers that need to use SSL (for example, if you protect the Sun WebServer Administration Console with SSL). Most clients on the Internet, however, will not know about your Root CA, so you will want certificates signed by a third party for public SSL sites. Refer to "Requesting Signed Certificates" after you have installed the credentials on the Sun WebServer machine.

Continue with the procedure in "Enabling SSL on a Web Site".