Sun WebServer 2.1 Installation Guide

Root CA Configuration

The Root Certificate Authority (CA) is required to create key packages and certificates for web sites on your network. See "SSL Requirements Overview" if you are unfamiliar with the roles of the Root CA user and Root CA machine.

First configure the Root CA machine, then create the Root CA itself, which issues the credentials for your web sites.

To Configure the Root CA Machine
  1. Make sure that the correct packages for generating credentials are installed on the machine:

    SUNWhttp   Tools and scripts for running the Root CA.
    SUNWfns    Up-to-date Federated Naming Service files.
    SUNWski    SKI library.
    SUNWskica  Encryption software for generating key packages and certificates.
    SUNWskicw  Licensing software for the Root CA.
    SUNWskimc  SKI 1.0 Software (CA Manual Page Package).
    SUNWskimu  SKI 1.0 Software (CA User Manual Page Package).
    SUNWssl    SSL 1.0 Software (Global Version Library).
    SUNWskild  SKI 1.0 Software Package (US and Canada Library).
    SUNWssld   SSL 1.0 Software (US and Canada Library).

    These packages are installed during Sun WebServer installation if you choose to install SSL.

  2. The Sun WebServer installation starts the daemons required for generating keys and certificates. Make sure that both of the following processes are running:

    • /usr/lib/security/skiserv

    • /usr/lib/security/cryptorand

  3. Select or create a user to be the Root CA user.


    Note -

    This document refers to this user as rootca, but you may choose any UNIX user name from /etc/passwd. Because this user owns the Root CA credentials, use a dedicated account rather than a shared login.


  4. Create a directory owned by rootca where you can store credentials.

    This directory must not be readable by any user other than rootca (mode 700 also excludes group members; root is never restricted by file permissions). For example:


    # mkdir /var/SSL_CERTS
    # chmod 700 /var/SSL_CERTS
    # chown rootca /var/SSL_CERTS
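
    The four steps above, collected into a pre-flight script. This is an added example and not part of the Sun WebServer guide. The package and daemon names are the ones listed above; the functions take the installed-package list and the process table as text so they can be exercised on any system, and the optional --run path assumes that pkginfo(1) prints the package instance name in its second column and that the daemons appear by full path in ps -ef output. When not run as root the chown step only warns, so the mode check still reports what the directory ended up as.

```shell
#!/bin/sh
# Added example, not from the Sun WebServer guide: pre-flight checks for a Root CA machine.
# Package and daemon names are the ones the guide lists. Taking the package list and the
# process table as text (rather than calling pkginfo/ps inside the functions) is an
# assumption made so the checks can run and be tested on any POSIX system.

REQUIRED_PKGS="SUNWhttp SUNWfns SUNWski SUNWskica SUNWskicw SUNWskimc SUNWskimu SUNWssl SUNWskild SUNWssld"
REQUIRED_PROCS="/usr/lib/security/skiserv /usr/lib/security/cryptorand"

# missing_packages INSTALLED: print each required package absent from INSTALLED, a
# whitespace- or newline-separated list such as the output of: pkginfo | awk '{print $2}'
missing_packages() {
    installed=" $(printf '%s' "$1" | tr '\n' ' ') "
    for p in $REQUIRED_PKGS; do
        case "$installed" in
            *" $p "*) ;;                 # whole-token match: SUNWski must not match SUNWskica
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# missing_processes PS_OUTPUT: print each required daemon whose path does not appear in
# PS_OUTPUT, the text of: ps -ef
missing_processes() {
    for proc in $REQUIRED_PROCS; do
        case "$1" in
            *"$proc"*) ;;
            *) printf '%s\n' "$proc" ;;
        esac
    done
}

# make_cred_dir DIR OWNER: create the credential directory, restrict it to OWNER (mode 700),
# print the resulting permission bits and succeed only if they read drwx------.
make_cred_dir() {
    dir=$1
    owner=$2
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    # chown needs root; warn instead of failing so the permission check below still runs.
    chown "$owner" "$dir" 2>/dev/null || echo "warning: chown $dir to $owner failed (run as root)" >&2
    mode=$(ls -ld "$dir" | cut -c1-10)
    printf '%s\n' "$mode"
    [ "$mode" = "drwx------" ]
}

# Usage on the Root CA machine itself (Solaris, as root): sh rootca-preflight.sh --run
if [ "${1-}" = "--run" ]; then
    missing_packages "$(pkginfo | awk '{print $2}')" | sed 's/^/missing package: /'
    missing_processes "$(ps -ef)"                   | sed 's/^/not running: /'
    make_cred_dir /var/SSL_CERTS rootca
fi
```

The whole-token match in missing_packages matters because several package names are prefixes of others (SUNWski, SUNWskica, SUNWskicw, ...), so a plain substring test would report a missing SUNWski as present.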
    
To Create the Root CA
  1. Determine the distinguished name (DN) entry for the root CA.

    For details see "Root CA User". An example DN is cn=rootca, o=A.net, st=California, c=US.

  2. Log in to the Root CA machine as the Root CA user.

  3. Run crca.

    If crca is not available in /usr/bin, you have not installed the SUNWski package on this machine.


    Note -

    The SSL script create_rootca has been renamed to crca.


  4. Enter the DN for the Root CA.


    Enter Distinguished Name (e.g. "o=SUN, c=US")
    or q[uit]: cn=rootca, o=A.net, st=California, c=US
    
  5. Enter the directory name where credentials will be stored.


    Enter directory pathname under which the key package and
    certificate will be stored, or q[uit].
    
    Directory name ? /var/SSL_CERTS
    

    The script generates the Root CA's public and private key pair. Every key package is protected by a password so that the private key cannot be used by someone who merely obtains the file. The password and the directory permissions set earlier complement each other: the permissions keep the key package from being copied, and the password keeps a copied key package from being usable.

  6. Enter a password for the Root CA key package. Choose a strong one: this key signs every certificate the Root CA issues to web sites on your network.


    keypkg: Enter your NEW key package password: 
    keypkg: Reenter your NEW key package password: