Sun WebServer Installation Guide

Requesting Signed Certificates

Having a web site's certificate signed by an independent CA is the equivalent of having an independent auditor vouch for the site's identity. Clients may not believe that a secure site is what it claims to be unless its credentials are "digitally signed" by a CA that the client trusts.

Sun WebServer currently supports only VeriSign as a third-party CA. You can use the tools that come with Sun WebServer to send a certificate and a certificate signing request (CSR) to VeriSign via their public web site.

To Request a Signed Web Site Certificate
  1. Your local Root CA must generate credentials and store them on the Sun WebServer machine.

    Refer to "Creating Credentials" and "Enabling SSL on a Web Site".

  2. Log in to the Sun WebServer machine as super-user (root).

  3. Run the send_request utility to generate a certificate that can be sent to a CA.

    On the command line, you must specify the IP address of the site whose certificate you want signed. The portable certificate will be stored in a file in /tmp, unless you use -o to specify a different directory (the directory must already exist).


    # mkdir /var/SSL_CERTS/requests
    # /usr/http/bin/send_request -o /var/SSL_CERTS/requests \
    121.122.123.12
    
  4. Enter the key package password for the web site.

    This is not the Root CA's key package password. This is the password you created when you ran setup_creds.

  5. The certificate signing request will be stored in the directory you named or /tmp, in a file named cert.request.

    The contents of this file can be sent to VeriSign through their web site.

  6. You will need to follow the CA's procedures for requesting a signed certificate. At some point, you will need to supply the generated certificate file to the CA.

    To request a VeriSign certificate, visit http://www.verisign.com/idcenter/new/. You will need to request a server certificate for server software from Sun Microsystems.

  7. When the CA sends the signed certificate, save it in a file.

    For example, save the reply in /tmp/121.122.123.12.cert.


    Caution -

    Do not save the certificate from the CA in the directory the Root CA uses to store credentials.


  8. As root, run /usr/http/bin/install_external to make the signed certificate available for SSL.
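
The following is an added example, not part of the Sun WebServer documentation: shell helpers that prepare an owner-only directory to pass to send_request -o instead of the shared /tmp default, and that enforce the caution in step 7 before the CA's reply is saved. The function names are hypothetical, and the Root CA credentials directory is passed as an argument because this page does not name it.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of Sun WebServer.
# The Root CA credentials directory is an argument because the guide page
# does not give its path.

# resolve_dir DIR: print the physical (symlink-free) path of an existing directory.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# prepare_request_dir DIR: create the directory to pass to send_request -o
# (it must exist before the utility runs) and restrict it to its owner.
# A symbolic link is refused so the request cannot be redirected elsewhere.
prepare_request_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symbolic link" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
}

# safe_reply_path FILE CRED_DIR: succeed only if FILE's directory exists and
# is neither CRED_DIR nor below it, after symlinks are resolved (step 7 caution).
safe_reply_path() {
    file=$1
    cred=$2
    parent=$(resolve_dir "$(dirname "$file")") || {
        echo "refusing: directory for $file does not exist" >&2
        return 1
    }
    # If the credentials directory does not exist there is nothing to collide with.
    cred_real=$(resolve_dir "$cred") || return 0
    case "$parent/" in
        "$cred_real"/*)
            echo "refusing: $file is inside the credentials directory" >&2
            return 1
            ;;
    esac
    return 0
}
```

Call prepare_request_dir before step 3 and safe_reply_path before writing the file in step 7; both return non-zero when the path should not be used.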