Sun WebServer 2.1 Installation Guide

Root Certificate Authority (Root CA)

You need to create a Root CA at your site to create credentials for web sites. A Root CA user will create credentials for itself, and then use the credentials to create key packages and sign certificates for web servers in your network. You may store the credentials in the Federated Naming Service (FNS) for easy accessibility from other machines, or you can store them only in files on the Root CA machine to limit access. By default, they are stored in /var/fn.

The Root CA host (where credentials are created) does not need to be the same machine as Sun WebServer, and for security reasons you may want to run the Root CA on a different machine or a machine with no network access at all.

Root CA User

You can use any user name except for root (UID 0) on the Root CA host to be the Root CA user. The Root CA user is the only user that can create credentials for web sites. The Root CA user will have its own, password-protected credentials, which are used to sign all of the certificates it creates.

All credentials, including the Root CA's own, are bound to a distinguished name (DN) entry. The Root CA distinguished name uses the following attributes:

 Attribute type             Abbreviation   Example
 Common name                cn             cn=rootca
 Email address              em             em=rootca@A.net
 Serial number              serial         serial=no12345
 Organizational unit name   ou             ou=web
 Organization name          o              o=A.net
 Locality name              l              l=internet
 State or province name     st             st=California
 Country name               c              c=US

The order of the attributes matters in the DN. The DN must begin with the most specific attribute and continue to the least specific. The attributes are listed in the table from most specific (common name) to least specific (country).
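As an added example (not part of the Sun WebServer documentation), the following Python parses a DN string and checks that its attributes follow the ordering rule above, using the abbreviations from the table. The "type=value, type=value" string form, and the absence of escaped commas inside values, are assumptions.

```python
# Added example, not Sun WebServer code: validate the attribute order of a
# Root CA distinguished name (DN) before using it to create credentials.
# Assumed DN syntax: "type=value, type=value, ..." with no escaped commas.

# Attribute abbreviations from the guide's table, most specific first.
DN_ORDER = ["cn", "em", "serial", "ou", "o", "l", "st", "c"]
RANK = {abbrev: i for i, abbrev in enumerate(DN_ORDER)}


def parse_dn(dn):
    """Split 'cn=rootca, em=rootca@A.net' into [('cn', 'rootca'), ...].

    Raises ValueError for a malformed component, an empty value, or an
    attribute type that is not in the guide's table.
    """
    parts = []
    for component in dn.split(","):
        component = component.strip()
        if "=" not in component:
            raise ValueError("malformed DN component: %r" % component)
        attr, value = component.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if attr not in RANK:
            raise ValueError("unknown attribute type: %r" % attr)
        if not value:
            raise ValueError("empty value for attribute %r" % attr)
        parts.append((attr, value))
    return parts


def dn_order_errors(dn):
    """Return ordering problems as strings; an empty list means the DN is well ordered.

    The DN must start with the common name and each following attribute must
    be no more specific than the one before it (repeats such as two 'ou'
    entries are allowed).
    """
    parts = parse_dn(dn)
    errors = []
    if not parts or parts[0][0] != "cn":
        errors.append("DN must begin with the common name (cn)")
    for (prev, _), (cur, _) in zip(parts, parts[1:]):
        if RANK[cur] < RANK[prev]:
            errors.append("%s must come before %s" % (cur, prev))
    return errors


def is_valid_root_ca_dn(dn):
    """True only if the DN parses and every attribute is in the required order."""
    try:
        return not dn_order_errors(dn)
    except ValueError:
        return False
```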

All credentials are stored in a directory owned by the Root CA user, which should not be publicly readable. The Root CA user's credentials (as well as each web site's credentials) will be available through the Federated Naming Service (FNS).

Root CA Host

All computers that use SSL or key packages will need to have the security tools packages installed. There must be at least one machine, the Root CA host, where

The Root CA will create and store credentials for web sites on this host.

Running Sun WebServer on the Root CA host is not necessary. A Sun WebServer machine can get access to the credentials for the web sites it hosts by copying the files from the Root CA host.