The Root Certificate Authority (CA) is required to create key packages and certificates for web sites on your network. See "SSL Requirements Overview" if you are unfamiliar with the role of the Root CA user and Root CA machine.
Configure the Root CA machine first, then create the Root CA itself; it is the Root CA that issues credentials for your web sites.
Make sure that the packages needed for generating credentials are installed on the machine:
    Tools and scripts for running the Root CA.
    Up-to-date Federated Naming Service files.
    SKI library.
    Encryption software for generating key packages and certificates.
    Licensing software for the Root CA.
    SKI 1.0 Software (CA Manual Page Package)
    SKI 1.0 Software (CA User Manual Page Package)
    SUNWssl
    SSL 1.0 Software (Global Version Library)
    SKI 1.0 Software Package (US and Canada Library)
    SSL 1.0 Software (US and Canada Library)
These packages are installed during Sun WebServer installation if you choose to install SSL.
Sun WebServer installation will start the processes required for generating security keys and certificates. Make sure that the following processes are running:
    /usr/lib/security/skiserv
    /usr/lib/security/cryptorand
Select or create a user to be the Root CA user. This document refers to this user as rootca, but you may choose any UNIX user name from /etc/passwd. A dedicated account is preferable: anyone who can log in as this user can issue certificates for any web site on your network.
Create a directory owned by rootca in which to store credentials. Only rootca should be able to read or list it (mode 700), because it will hold the Root CA's private key package. For example:
    # mkdir /var/SSL_CERTS
    # chmod 700 /var/SSL_CERTS
    # chown rootca /var/SSL_CERTS
Determine the distinguished name (DN) entry for the Root CA. For details see "Root CA User". An example DN is cn=rootca, o=A.net, st=California, c=US.
Log in to the Root CA machine as the Root CA user.
Run crca. If crca is not in /usr/bin, the SUNWski package has not been installed on this machine. (The SSL script create_rootca has been renamed to crca.)
Enter the DN for the Root CA at the prompt:
    Enter Distinguished Name (e.g. "o=SUN, c=US") or q[uit]: cn=rootca, o=A.net, st=California, c=US
Enter the directory in which credentials will be stored:
    Enter directory pathname under which the key package and certificate will be stored, or q[uit].
    Directory name ? /var/SSL_CERTS
The script generates the Root CA's public and private keys. Every key package is protected by a password, so the private key cannot be used by anyone who does not know it; choose a strong password, since this one protects the key that signs every certificate on your network.
Enter a password for the Root CA key package when prompted:
    keypkg: Enter your NEW key package password:
    keypkg: Reenter your NEW key package password:
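The checks this procedure asks you to make by hand (daemons running, packages present, credential directory owned by the Root CA user and unreadable by anyone else, crca run as that user) can be scripted. The following is an added example, not part of Sun WebServer or SKI; it only uses the paths and package names shown on this page. It assumes a Solaris-style pkginfo for the package check (skipped where pkginfo is absent), that ps -eo args= and ls -ld produce their usual output, and that a trailing "." or "+" on the ls permission field (ACL or label markers on some systems) can be ignored.

```shell
#!/bin/sh
# Preflight checks for a Root CA machine, following the steps on this page.
# Added example, not from Sun WebServer or SKI. Assumptions: pkginfo exists
# on Solaris hosts only; ps -eo args= and ls -ld behave as on Solaris/Linux.

# Daemons the page says must be running before keys can be generated.
SKI_DAEMONS="/usr/lib/security/skiserv /usr/lib/security/cryptorand"

# Return 0 if every SKI daemon appears in the process table, 1 otherwise.
daemons_running() {
    procs=$(ps -eo args= 2>/dev/null)
    for d in $SKI_DAEMONS; do
        case "$procs" in
            *"$d"*) ;;
            *) echo "not running: $d" >&2; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if package $1 is installed (Solaris pkginfo), 1 if not,
# 2 if pkginfo is not available on this host at all.
pkg_installed() {
    command -v pkginfo >/dev/null 2>&1 || return 2
    pkginfo -q "$1"
}

# Return 0 if DIR ($1) exists, is owned by OWNER ($2) and is mode 0700,
# i.e. nobody but the Root CA user can read, write or even list it.
cred_dir_secure() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    entry=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$entry" | cut -c1-10)   # drops any trailing . or +
    who=$(printf '%s\n' "$entry" | awk '{print $3}')
    [ "$mode" = "drwx------" ] || { echo "mode is $mode, want drwx------ on $dir" >&2; return 1; }
    [ "$who" = "$owner" ] || { echo "owner is $who, want $owner on $dir" >&2; return 1; }
    return 0
}

# Create the credential directory the way the page does, then verify it.
make_cred_dir() {
    dir=$1; owner=$2
    mkdir -p "$dir" && chmod 700 "$dir" && chown "$owner" "$dir" \
        && cred_dir_secure "$dir" "$owner"
}

# Run every check; the exit status is the number of failed checks.
# $1 is the credential directory, $2 the Root CA user (page defaults shown).
preflight() {
    cred_dir=${1:-/var/SSL_CERTS}; ca_user=${2:-rootca}; fails=0
    for p in SUNWski SUNWssl; do        # the two package names the page gives
        pkg_installed "$p"; rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "pkginfo not available; skipping package check" >&2; break
        fi
        [ "$rc" -eq 0 ] || { echo "package not installed: $p" >&2; fails=$((fails + 1)); }
    done
    daemons_running || fails=$((fails + 1))
    cred_dir_secure "$cred_dir" "$ca_user" || fails=$((fails + 1))
    # crca must be run as the Root CA user, not as root.
    [ "$(id -un)" = "$ca_user" ] || \
        echo "warning: you are $(id -un); log in as $ca_user before running crca" >&2
    return "$fails"
}

if [ "${1-}" = "--run" ]; then
    preflight "$2" "$3"
    exit $?
fi
```

Run it on the Root CA machine as `sh preflight.sh --run /var/SSL_CERTS rootca` before starting crca; a non-zero exit means at least one of the page's prerequisites is not met, and the reason is printed on stderr. The owner and mode test is deliberately strict (exactly drwx------): a group-readable credential directory would expose the Root CA key package to every member of that group.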