i-Planet Administration Guide

SSL Certificates from Vendors

If you decide to enable SSL services between the i-Planet server and the i-Planet gateway after you have installed the i-Planet software, you must generate a self-signed certificate.

i-Planet software contains root certificates that can be used with SSL certificates from Verisign, Inc. If you decide to install an SSL certificate from a vendor other than Verisign, you must install a root certificate from that vendor first, and then install the web server certificate.

Certificates are stored in the rp.keystore file. Once you generate a certificate signing request (used to request a certificate from a third-party vendor), make sure you keep a backup copy of the rp.keystore file. This file contains your private key, which is associated with the certificate that you purchase; if you lose the file, you will not be able to use the certificate that you bought.

To Install SSL Certificates From Verisign
  1. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  2. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct, or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. See the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" in this chapter.

      • If you enter y, you are asked to enter some contact information for the webmaster of the machine for which the certificate is being generated:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter the name, the email address, and the telephone number of the administrator or webmaster for this server.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. When prompted, enter y if the information is correct, or enter n if it is not correct.

      • If you enter y, the CSR is generated and added to the file /tmp/csr.hostname on the i-Planet server.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  3. Go to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in privacy enhanced mail (PEM) format.

  4. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  5. As root, run the certadmin script on the i-Planet server.


    # /opt/SUNWsnrp/bin/certadmin
    

  6. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the certificate? []

  7. Enter the full path to the file containing the certificate from the CA.

    Your certificate is stored in the file /etc/opt/SUNWstnr/rp.keystore on the i-Planet server.

  8. Enable SSL service on the i-Planet server.

    See the procedure "To Enable SSL Service on the i-Planet Server" in this chapter.

  9. Make a backup copy of the rp.keystore file on the i-Planet server.

  10. Enable SSL service on the i-Planet gateway.

    See the procedure "To Enable SSL Service on the i-Planet Gateway" in this chapter.

To Install SSL Root Certificates and SSL Certificates From Other Vendors

You must have already generated a self-signed certificate to install a root certificate. See the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" in this chapter.

  1. Go to the Certificate Authority's website and download its root certificate.

    The website should contain instructions for downloading the certificate.

  2. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  3. Enter 3 on the Certificate Administration menu to add a root certificate.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the root certificate that you would like to add to your database? []

    1. Enter the full path to the file containing the root certificate from the CA.

      The file is displayed and the Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    2. Enter y if the file is correct, or n if it is not.

      • If you enter y, the root certificate is stored in the /etc/opt/SUNWstnr/rp.CAstore file and your prompt returns.

      • If you enter n, the root certificate is not added and your prompt returns.

  4. As root, run the certadmin script on the i-Planet server.


    # /opt/SUNWsnrp/bin/certadmin
    

  5. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

      • If you enter y, the Certificate Administration script asks you to enter specific information about your organization:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter the specific information about your organization.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. Enter y if the information is correct or enter n if it is not correct.

      • If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  6. Go to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in PEM format.

  7. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  8. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  9. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the certificate? []

  10. Enter the full path to the file containing the certificate from the CA.

    Your certificate is added to the /etc/opt/SUNWstnr/rp.keystore file on the i-Planet server.

  11. Enable SSL service on the i-Planet server.

    See the procedure "To Enable SSL Service on the i-Planet Server" in this chapter.

  12. Stop and restart the web server on the i-Planet server for the certificate to take effect.

    See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in Chapter 3, Other Administrative Tasks.

  13. Make a backup copy of the rp.keystore file on the i-Planet server.

  14. Enable SSL service on the i-Planet gateway.

    See the procedure "To Enable SSL Service on the i-Planet Gateway" in this chapter.
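
A pre-flight check for the "save it in a file" step in both procedures above, run before the file's path is entered at menu option 4. This is an added example, not part of the original guide or the i-Planet software; the function name check_pem_cert is hypothetical, and the check assumes the file must contain exactly one PEM block with nothing before or after it, which may be stricter than the importer requires.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate file before its path is
# entered at certadmin menu option 4. It checks PEM framing only; it does not
# validate the certificate itself. Stricter than some importers (assumption).

# check_pem_cert FILE: prints "ok" or the reason for rejection.
# Returns 0 only when the file holds exactly one well-framed PEM block.
check_pem_cert() {
    [ -r "$1" ] || { echo "cannot read file"; return 1; }
    awk '
    {
        if (sub(/\r$/, "")) cr = 1            # CRLF from a mail client or browser
        if ($0 ~ /^[ \t]*$/) next             # blank lines are ignored
        if (state == 0) {                     # expecting the BEGIN marker
            if ($0 != "-----BEGIN CERTIFICATE-----") { why = "bad or missing BEGIN line"; exit }
            state = 1; next
        }
        if (state == 1) {                     # inside the base64 body
            if ($0 == "-----END CERTIFICATE-----") { state = 2; next }
            if ($0 !~ /^[A-Za-z0-9+\/]+=?=?$/) { why = "non-base64 data in body"; exit }
            body++; next
        }
        why = "data after END line"; exit     # state 2: nothing may follow
    }
    END {
        if (why == "" && state == 0) why = "bad or missing BEGIN line"
        if (why == "" && state == 1) why = "missing END line"
        if (why == "" && body == 0)  why = "empty certificate body"
        if (why != "") { print why; exit 1 }
        print (cr ? "ok (CRLF line endings present)" : "ok")
    }' "$1"
}

# Constructed sample: the body is a placeholder DER blob, not a real certificate.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQE=' \
    '-----END CERTIFICATE-----' > "$sample"
check_pem_cert "$sample"
rm -f "$sample"
```

A marker line with a missing dash or leading whitespace is reported as a bad BEGIN line, which is the most common result of copying a certificate out of an email or web page.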