Sun WebServer 2.1 Installation Guide

Requesting Signed Certificates

Having a web site's certificate signed by an independent CA is the equivalent of having an independent auditor vouch for the site's identity. Clients may not believe that a secure site is what it claims to be unless its credentials are "digitally signed" by a CA that the client trusts.

This means that if you run your web site with the self-signed certificates created above, users' browsers may prompt them for permission to accept the credentials each time they contact the site.

Sun WebServer currently only supports VeriSign as a third party CA. You can use the tools that come with Sun WebServer to send a certificate and a certificate signing request (CSR) to VeriSign via their public web site.

To Request a Signed Web Site Certificate
  1. Your local Root CA must generate credentials and store them on the Sun WebServer machine.

    Refer to "Creating Credentials" and "Enabling SSL on a Web Site".

  2. Log in to the Sun WebServer machine as super-user (root).

  3. Run the sslgenreq utility to generate a certificate that can be sent to a CA.


    Note -

    The SSL script send_request has been renamed to sslgenreq.


    On the command line, you must specify the IP address of the site whose certificate you want signed. The portable certificate will be stored in a file in /tmp, unless you use -o to specify a different directory (the directory must already exist).


    # mkdir /var/SSL_CERTS/requests
    # /usr/http/bin/sslgenreq -o /var/SSL_CERTS/requests \
    121.122.123.12
    
  4. Enter the key package password for the web site.

    This is not the Root CA's key package password. This is the password you created when you ran sslgencrd.

  5. The certificate signing request will be stored in the directory you named, or /tmp, in a file named cert.request.

    The contents of this file can be sent to VeriSign through their web site.

  6. You will need to follow the CA's procedures for requesting a signed certificate. At some point, you will need to supply the generated certificate file to the CA.

    To request a VeriSign certificate, visit http://www.verisign.com/server/. You will need to request a server certificate for server software from Sun Microsystems.

  7. When the CA sends the signed certificate, save it in a file.

    For example, save the reply in /tmp/121.122.123.12.cert.


    Caution -

    Do not save the certificate from the CA in the directory the Root CA uses to store credentials.


  8. As root, run /usr/http/bin/sslstorex to make the signed certificate available for SSL.


    Note -

    The SSL script install_external has been renamed to sslstorex.


    Valid options are:

    -c file_path

    Certificate reply file from the external CA. This option is required.

    -o option

    Selects which CA is added to the server's trusted key list. The certificate type can be one of the following:

    test

    A trial certificate from VeriSign valid for two weeks. In order to test clients against a server that has a test certificate from a third party, the test CA's certificate must be embedded in the browser. Browsers prompt users for this when an SSL connection with such a server is established.

    prod

    A production certificate valid for one year. This is the default setting.

    update

    Migrates from a test certificate to a production certificate. The test CA is removed as a trusted key, and the production CA's key is added to the server's trusted key list.


    Note -

    Test, prod, and update are tokens defined by Sun WebServer. They refer to the certificate lifetimes of the server certificates issued by VeriSign.


    -i IP_Address

    Specifies the IP Address of the web site for which credentials are being created.

    uid

    User ID under which the web server process runs. Default uid is 0.
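The guide lists the sslstorex options but gives no complete invocation and no check for the caution in step 7. The following POSIX sh wrapper is an added example, not part of the Sun WebServer guide or its tools: it validates the three inputs the procedure needs (the CA reply file, the certificate type token, and the site IP address) and only then assembles the sslstorex command line from the options documented above. The path /usr/http/bin/sslstorex and the tokens test, prod and update come from the guide; ROOTCA_DIR is a placeholder for the directory your local Root CA uses for credentials (the guide names no path), and the -x flag that actually executes the tool is this example's own convention.

```shell
#!/bin/sh
# Added example: validate inputs for the sslstorex step before running it.
# ROOTCA_DIR is a placeholder (assumption); override it with the real
# directory your Root CA uses to store credentials.
ROOTCA_DIR="${ROOTCA_DIR:-/var/SSL_CERTS/rootca}"
SSLSTOREX="${SSLSTOREX:-/usr/http/bin/sslstorex}"   # path given in the guide

# Accept only the three certificate-type tokens the guide defines for -o.
valid_type() {
    case "$1" in
        test|prod|update) return 0 ;;
        *) return 1 ;;
    esac
}

# Crude dotted-quad check for the -i argument (no range check on octets).
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Reject a reply file that is missing or empty, or that lives under the
# Root CA credential directory (the guide's caution for step 7).
reply_file_ok() {
    [ -s "$1" ] || return 1
    case "$1" in
        "$ROOTCA_DIR"/*) return 1 ;;
    esac
    return 0
}

# Print the sslstorex command line and return 0; return a non-zero
# status (1 = reply file, 2 = type token, 3 = IP address) and print
# nothing when any input fails validation.
build_sslstorex_cmd() {
    reply="$1"; ctype="$2"; ip="$3"
    reply_file_ok "$reply" || return 1
    valid_type "$ctype" || return 2
    valid_ip "$ip" || return 3
    printf '%s -c %s -o %s -i %s\n' "$SSLSTOREX" "$reply" "$ctype" "$ip"
}

# Usage (this example's convention): sh install_reply.sh REPLY_FILE TYPE IP [-x]
# Without -x the command is only printed, so the script is safe to dry-run.
if [ $# -ge 3 ]; then
    if cmd=$(build_sslstorex_cmd "$1" "$2" "$3"); then
        if [ "$4" = "-x" ] && [ -x "$SSLSTOREX" ]; then
            $cmd
        else
            echo "would run: $cmd"
        fi
    else
        echo "input rejected; sslstorex not run" >&2
        exit 1
    fi
fi
```

A dry run such as `sh install_reply.sh /tmp/121.122.123.12.cert prod 121.122.123.12` prints the command that step 8 would execute; adding -x runs it, which still has to be done as root as the guide states.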