How to Configure SSL Certificates for Migration

To configure SSL certificates, you must perform the steps in this task on the control domain of the source machine.

  1. Create the /var/share/ldomsmanager/trust directory if it does not already exist.
    source:primary# mkdir /var/share/ldomsmanager/trust
  2. Copy the ldmd certificate from the target server to the local trusted certificate directory.

    The remote ldmd certificate is the /var/share/ldomsmanager/server.crt file on the remote host. The local ldmd trusted certificate directory is /var/share/ldomsmanager/trust. Rename the remote certificate file to target-hostname.pem, for example, tgt-primary.pem.

  3. Create a symbolic link from the certificate in the trusted certificate directory to the /etc/certs/CA directory.
    source:primary# ln -s /var/share/ldomsmanager/trust/tgt-primary.pem /etc/certs/CA/
  4. Restart the svc:/system/ca-certificates service.
    source:primary# svcadm restart svc:/system/ca-certificates
  5. Verify that the symbolic links to /etc/certs/CA/ that you created in Step 3 are correct.
    source:primary# openssl verify /var/share/ldomsmanager/trust/tgt-primary.pem
    /var/share/ldomsmanager/trust/tgt-primary.pem: ok
  6. Verify that the ca-certificates service is online.

    Restart or enable the service if required.

    source:primary# svcs ca-certificates
    STATE        STIME    FMRI
    online       0:22:38  svc:/system/ca-certificates:default
  7. Restart the ldmd daemon.
    source:primary# svcadm restart ldmd
  8. Starting with Oracle Solaris 11.4 SRU 48, verify that the configuration of the ldmd certificates is correct.
    source:primary# openssl verify -CApath /var/opt/SUNWldm/CA /var/opt/SUNWldm/trust/tgt-primary.pem
    /var/share/ldomsmanager/trust/tgt-primary.pem: ok
  9. Repeat these steps on the target server.
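
The following script is an added example, not part of the original procedure or Oracle's code. It audits the result of Steps 1 through 3: every .pem file in the trust directory must have a symbolic link in the CA directory that points back to it, and must not be group- or world-writable. The function name check_trust_links, the --audit switch and the status words are hypothetical names chosen for this sketch, and it assumes readlink and find are available on the control domain.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit the trust links made in Steps 1-3.
# check_trust_links and the status words are names invented for this sketch.

# check_trust_links TRUST_DIR CA_DIR
# Prints one status line per *.pem in TRUST_DIR; returns 0 only if all pass.
check_trust_links() {
    trust_dir=$1
    ca_dir=$2
    rc=0
    seen=0
    if [ ! -d "$trust_dir" ]; then
        echo "MISSING  $trust_dir"
        return 1
    fi
    for cert in "$trust_dir"/*.pem; do
        [ -f "$cert" ] || continue            # unmatched glob or non-file
        seen=$((seen + 1))
        link="$ca_dir/$(basename "$cert")"
        if [ ! -L "$link" ]; then
            echo "NOLINK   $link"; rc=1
        elif [ "$(readlink "$link")" != "$cert" ]; then
            # Link exists but points elsewhere: a different file is trusted.
            echo "WRONGTGT $link -> $(readlink "$link")"; rc=1
        elif [ -n "$(find "$cert" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            # A group- or world-writable trust anchor can be replaced by others.
            echo "WRITABLE $cert"; rc=1
        else
            echo "OK       $cert"
        fi
    done
    # An empty trust directory means Step 2 was never completed.
    [ "$seen" -gt 0 ] || { echo "EMPTY    $trust_dir"; rc=1; }
    return $rc
}

# Run against the paths from the procedure when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    check_trust_links /var/share/ldomsmanager/trust /etc/certs/CA
    exit $?
fi
```

A nonzero exit status means at least one certificate failed a check. Running the script on both control domains covers Step 9.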