The CA is the top-level certificate in your certificate chain. The CA is required to generate client certificates and to validate the certificates presented by clients to access a repository.
Third-party CAs are managed by a handful of trusted companies such as VeriSign. This trusted management enables clients to verify the identity of a server against one of their CAs. The example in this section does not include verifying the identity of the repository server. This example only shows verifying client certificates. Therefore, this example uses a self-signed certificate to create the CA and does not use any third-party CAs.
The CA requires a common name (CN). If you run only one repository, you might want to set the CN to the name of your organization (for example, “Oracle Software Delivery”). If you have multiple repositories, each repository must have its own CA. In this case, set the CN to a name that uniquely identifies the repository for which you are creating the CA. For example, if you have a release repository and a support repository, only certificates from the release CA will allow access to the release repository, and only certificates from the support CA will allow access to the support repository.
To identify the certificate in the keystore, set a descriptive label for the certificate. A good practice is to set the certificate label to CN_ca, where CN is the CN of the certificate.
$ pktool gencert label=CAlabel subject="CN=name" serial=0x01
The CA will be stored in your keystore. Use the following command to show the contents of your keystore:
$ pktool list
You will need to extract the CA certificate from the keystore when you configure Apache as described in Adding SSL Configuration to the Apache Configuration File. Use the following command to extract the CA certificate to a file named ca_file.pem:
$ pktool export objtype=cert label=CAlabel outformat=pem \ outfile=ca_file.pem