i-Planet Installation Guide

SSL Certificates from Vendors

During i-Planet software installation, you created and installed a self-signed SSL certificate. At any point after installation, you have the option to install SSL certificates signed by vendors who provide official certificate authority (CA) services. A certificate from a CA vendor is necessary for the i-Planet server if you are using SSL between the i-Planet gateway and the i-Planet server.

i-Planet software contains root certificates that can be used with SSL certificates from Verisign, Inc. If you decide to install an SSL certificate from a vendor other than Verisign, you must install a root certificate from that vendor first, and then install the web server certificate.

Certificates are stored in the rp.keystore file. Once you generate a certificate signing request (used to request a certificate from a third-party vendor), make sure you keep a backup copy of the rp.keystore file. This file contains your private key, which is associated with the certificate that you purchase; if you lose the file, you will not be able to use the certificate that you bought.

To install SSL certificates from Verisign
  1. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.


    # /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  2. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure, "To generate a self-signed certificate," earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. Refer to the procedure, "To generate a self-signed certificate," earlier in this chapter.

      • If you enter y, the Certificate Administration script asks you to enter various organization-specific information:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter your organization-specific information.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. Enter y if the information is correct or enter n if it is not correct.

      • If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  3. Go to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information, as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in PEM format.

  4. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  5. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

    # /opt/SUNWsnrp/bin/certadmin

    The Certificate Administration menu is displayed:

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  6. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:

    What is the name (including path) of the file that contains the certificate? []

  7. Enter the full path to the file containing the certificate.

    Your certificate is stored in the rp.keystore file and your prompt returns.

  8. Restart the i-Planet gateway or server, as appropriate, for the certificate to take effect.

    • To restart the i-Planet gateway:

      # /opt/SUNWsnrp/bin/iplanet_gw stop
      # /opt/SUNWsnrp/bin/iplanet_gw start

    • To restart the i-Planet server:

      # /opt/SUNWjeev/bin/iplanet_serv stop
      # /opt/SUNWjeev/bin/iplanet_serv start

  9. Make a backup copy of the rp.keystore file.

To install SSL root certificates and SSL certificates from other vendors

You must have already generated a self-signed certificate to install a root certificate.

  1. Go to the Certificate Authority's website and download its root certificate.

    The website should contain instructions for downloading the certificate, usually as a file.

  2. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.


    # /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  3. Enter 3 on the Certificate Administration menu to add a root certificate.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the root certificate that you would like to add to your database? []

    1. Enter the full path to the file containing the root certificate.

      The file is displayed and the Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    2. Enter y if the file is correct, or n if it is not.

      • If you enter y, the root certificate is stored in the rp.CAstore file and your prompt returns.

      • If you enter n, the root certificate is not added and your prompt returns.

  4. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.


    # /opt/SUNWsnrp/bin/certadmin
    

  5. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure, "To generate a self-signed certificate," earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. Refer to the procedure, "To generate a self-signed certificate," earlier in this chapter.

      • If you enter y, the Certificate Administration script asks you to enter various organization-specific information:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter your organization-specific information.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. Enter y if the information is correct or enter n if it is not correct.

      • If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  6. Return to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information, as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in PEM format.

  7. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  8. As root, run the certadmin script on the i-Planet gateway or server, as appropriate.

    # /opt/SUNWsnrp/bin/certadmin

    The Certificate Administration menu is displayed:

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  9. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:

    What is the name (including path) of the file that contains the certificate? []

  10. Enter the full path to the file containing the certificate.

    Your certificate is stored in the rp.keystore file and your prompt returns.

  11. Restart the i-Planet gateway or server, as appropriate, for the certificate to take effect.

    • To restart the i-Planet gateway:

      # /opt/SUNWsnrp/bin/iplanet_gw stop
      # /opt/SUNWsnrp/bin/iplanet_gw start

    • To restart the i-Planet server:

      # /opt/SUNWjeev/bin/iplanet_serv stop
      # /opt/SUNWjeev/bin/iplanet_serv start

  12. Make a backup copy of the rp.keystore file.
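Two checks around the steps in both procedures above, as an added shell example that is not part of the i-Planet guide: it validates the PEM file saved from the CA (the step that requires both the BEGIN and END lines) before the file is handed to certadmin option 4, and it makes the rp.keystore backup that the final step and the introduction ask for. The keystore path and backup directory are assumptions passed in as arguments, because the guide does not state where rp.keystore lives.

```shell
#!/bin/sh
# Added example, not part of the i-Planet guide. The keystore location is
# an argument (assumption: the guide never gives its path).

# Return 0 if FILE is one PEM certificate block: the BEGIN marker on the first
# line, the END marker on the last line, and only base64 lines in between.
check_pem_cert() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing file: $file" >&2; return 1; }
    first=$(sed -n '1p' "$file" | tr -d '\r')
    last=$(sed -n '$p' "$file" | tr -d '\r')
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || { echo "first line is not the BEGIN marker" >&2; return 1; }
    [ "$last" = "-----END CERTIFICATE-----" ] || { echo "last line is not the END marker" >&2; return 1; }
    # Body = every line between the two markers (certadmin needs real data here).
    body=$(sed -n '2,$p' "$file" | sed '$d' | tr -d '\r')
    [ -n "$body" ] || { echo "no certificate data between the markers" >&2; return 1; }
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'; then
        echo "non-base64 line inside the certificate body" >&2; return 1
    fi
    return 0
}

# Copy STORE into DIR as a timestamped, owner-only file and verify the copy.
# The keystore holds the private key tied to the purchased certificate, so a
# missing or corrupt backup means the certificate cannot be reused.
backup_keystore() {
    store="$1"; dir="$2"
    [ -f "$store" ] || { echo "keystore not found: $store" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    out="$dir/rp.keystore.$(date +%Y%m%d%H%M%S)"
    cp "$store" "$out" && chmod 600 "$out" || return 1
    cmp -s "$store" "$out" || { echo "backup does not match original" >&2; return 1; }
    printf '%s\n' "$out"
}
```

Run `check_pem_cert /path/to/cert.pem` on the file you saved from the CA, and `backup_keystore /path/to/rp.keystore /secure/backup/dir` after certadmin reports the certificate stored.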