Sun WebServer 2.1 Installation Guide

Creating Credentials

The Root CA creates and stores credentials for web sites on the Root CA machine. The certificate can then optionally be signed by another CA, such as VeriSign. When the credentials are ready, they are installed on the Sun WebServer machine for use by the web site.


Note -

"Credentials" in this document refers to a key package (public and private encryption keys) and an associated certificate.


To Create Credentials for a Web Site
  1. Determine the distinguished name entry for the web site, using the Fully Qualified Domain Name (FQDN) as the common name (cn).

    For details on the distinguished name in certificates, see "Root CA User".

  2. Log in to the Root CA machine as the Root CA user.

  3. Create a directory where you can store the credentials you are about to create.


    rootca % mkdir /var/SSL_CERTS/121.122.123.12/
    
  4. Run /usr/http/bin/sslgencrd with the appropriate options.


    Note -

    The SSL script setup_creds has been renamed to sslgencrd.


    Valid options are:

    -d output_directory

    Specifies the directory where credentials should be stored; for example, /var/SSL_CERTS/121.122.123.12/.

    -f trusted_file

    (Not required; used to add certificates for other trusted CAs at setup time.) Specifies the full pathname to the file containing the Root CA certificate, for example, /export/skirca2/certs/skirca2.CERT.

    -i IP_Address

    Specifies the IP Address of the web site for which credentials are being created.

    -r rootca

    (Optional) Specifies the name of the Root CA user (the user name you have used to run the script). If -r is omitted, sslgencrd will ask for the user name of the Root CA user on this system.


    # /usr/http/bin/sslgencrd -r rootca \
    -d /var/SSL_CERTS/121.122.123.12/ -i 121.122.123.12
    
  5. Enter the host name only as the name of the web site. You will be asked to enter the domain name next.

    For example, if the web site is www.V.com, enter www.


    Enter host name on which you run httpd server:
    (Hit return to use localhost)www
    
  6. Enter the domain name of the web site.


    Enter domain name for your server (for example, eng.sun.com)V.com
    
  7. Enter the DN attributes for the web site, without the common name (cn).


    Enter Distinguished Name Suffix for your server (eg: o=SUN, c=US) :o="Company V", st=California, c=US
    

    The distinguished name must have the fields ou, o, l, st, and c in the DN suffix. For example,


    ou=SUNIR, o=SUN, l=Palo Alto, st=California, c=US
    


    Note -

    The state (st) must be fully spelled out; a two-letter abbreviation cannot be used. The country must be the two-letter country code. If you don't use the correct DN, then VeriSign rejects the request. If this occurs, you must regenerate the credentials.


  8. Enter a new password for this web site's credentials.

    Each key package has a password, which can be different from the password for the Root CA's credentials.


    Please provide the password to encrypt your server's private key.
    You will need it when you install the certificates.
    Enter password:
    Reenter password:
             Using configuration file '/tmp/try/host_config
    
    skilogin: Enter your own key package password:
    
  9. The key package and certificate for the site will be generated and stored in the output directory you named.

    The location of the certificate is output_directory/certs/IP_Address.cert. In this example, it would be /var/SSL_CERTS/121.122.123.12/certs/121.122.123.12.cert.

    You will need the certificate directory later if you reinstall this certificate.

  10. Repeat steps 1 through 9 to generate credentials for additional web sites.
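The DN suffix typed in step 7 is the part of this procedure that is easiest to get wrong and most expensive to redo, since a rejected request means regenerating the credentials. The following POSIX shell function is an added example, not part of the Sun WebServer guide or of sslgencrd: it checks a candidate suffix against the rules the guide states (ou, o, l, st and c present, st spelled out rather than abbreviated, c a two-letter code, and no cn, which sslgencrd derives from the host and domain names) before you type it at the prompt. The function name and its messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sun WebServer guide): pre-flight check of a DN
# suffix against the rules stated in step 7. Returns 0 if acceptable, 1 otherwise,
# and prints the first problem found to stderr.
check_dn_suffix() {
  _dn=$1
  _seen=''
  # Split the suffix on commas only; values such as o="Company V" keep their spaces.
  _old_ifs=$IFS
  IFS=','
  set -- $_dn
  IFS=$_old_ifs
  for _rdn in "$@"; do
    # Trim surrounding whitespace from each attribute=value pair.
    _rdn=$(printf '%s' "$_rdn" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $_rdn in
      *=*) ;;
      *) echo "malformed RDN (no '='): '$_rdn'" >&2; return 1 ;;
    esac
    _attr=$(printf '%s' "${_rdn%%=*}" | tr 'A-Z' 'a-z')
    _val=${_rdn#*=}
    _val=${_val#\"}; _val=${_val%\"}   # strip optional surrounding quotes
    [ -n "$_val" ] || { echo "empty value for attribute '$_attr'" >&2; return 1; }
    case $_attr in
      cn) echo "do not include cn; sslgencrd builds it from host and domain name" >&2; return 1 ;;
      st) # The guide requires the state to be spelled out, not a two-letter abbreviation.
          [ ${#_val} -gt 2 ] || { echo "st must be spelled out, got '$_val'" >&2; return 1; } ;;
      c)  # The country must be a two-letter code.
          case $_val in
            [A-Z][A-Z]) ;;
            *) echo "c must be a two-letter country code, got '$_val'" >&2; return 1 ;;
          esac ;;
    esac
    _seen="$_seen $_attr"
  done
  # Every attribute the guide lists as required must be present.
  for _req in ou o l st c; do
    case " $_seen " in
      *" $_req "*) ;;
      *) echo "missing required attribute: $_req" >&2; return 1 ;;
    esac
  done
  return 0
}

# Stand-alone use: sh check_dn.sh 'ou=SUNIR, o=SUN, l=Palo Alto, st=California, c=US'
if [ $# -gt 0 ]; then
  if check_dn_suffix "$1"; then
    echo "DN suffix accepted: $1"
  fi
fi
```

Run it with the suffix you intend to type at the "Enter Distinguished Name Suffix" prompt; an exit status of 0 means every rule in step 7 is satisfied. Note that the suffix shown in the step 7 prompt above (o="Company V", st=California, c=US) omits ou and l, so this check rejects it, while the example given for the required fields (ou=SUNIR, o=SUN, l=Palo Alto, st=California, c=US) passes.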

You now have a "self-signed" certificate. You can use this for SSL encryption if the connecting browser has your Root CA in its list of trusted CAs. This is useful within your organization where you can update browsers that need to use SSL (for example, if you protect the Sun WebServer GUI with SSL). Most clients on the Internet, however, will not know about your Root CA, so you will want certificates signed by a third party for public SSL sites. Refer to "Requesting Signed Certificates" after you have installed the credentials on the Sun WebServer machine.

Continue with the procedure in "Enabling SSL on a Web Site".