Go to main content

Packaging and Delivering Software With the Image Packaging System in Oracle® Solaris 11.3

Exit Print View

Updated: July 2017

Using a Custom Certificate Authority Certificate

A custom Certificate Authority (CA) certificate is used to sign other certificates. The system determines whether a key and certificate are valid by verifying that the CA referenced on a certificate has a corresponding CA certificate in /etc/certs/CA.

How to Use a Custom Certificate Authority Certificate

  1. Create your custom CA certificate.

    See Creating a Self-Signed Server Certificate Authority in Copying and Creating Package Repositories in Oracle Solaris 11.3 for a description of creating and testing your own CA certificate.

  2. Put the CA certificate in the directory specified by the trust-anchor-directory property.

    See Configure Image and Publisher Properties for a description of the trust-anchor-directory image property.

    • Put the CA certificates directly in the directory named by trust-anchor-directory. Do not put the certificates in another subdirectory.

    • Do not put a CA certificate in the directory that is a duplicate of a certificate that is already in the directory.

    • Do not put a file in the directory that is not a valid certificate file.

  3. Refresh the ca-certificates service.
    $ svcadm refresh svc:/system/ca-certificates:default

    Verify that the service is online:

    $ svcs ca-certificates

    If the service is not in the online state, or if the CA does not appear in /etc/certs/ca-certificates.crt, check the service log file:

    $ svcs -xL ca-certificates
  4. (Optional) Package the custom certificate and key.

    Updating the certificate and key for multiple systems is easier if you package the certificate and key files. If the certificates need to change, update the package, and then pkg update the package on each system.

    1. Add a refresh actuator to each certificate and key file that you deliver.
      file group=sys mode=0644 owner=root path=etc/certs/CA/mycert.pem \

      The following pkgmogrify rule automates adding this refresh actuator:

      <transform file path=etc/certs/CA/.*\.pem -> 
        add refresh_fmri svc:/system/ca-certificates:default>
    2. Do not deliver the /etc/certs/CA directory in your package.

      The /etc, /etc/certs, and /etc/certs/CA directories are already delivered by the system. See Add Necessary Metadata to the Generated Manifest and Verify the Package.