Installing SSL Certificates (2024)

Chapter 4
Installing SSL Certificates

This chapter provides details on installing SSL certificates after installing Sun™ ONE Portal Server, Secure Remote Access.

This chapter includes the following sections:

Overview of SSL Certificates

An SSL certificate provides encryption and decryption capabilities using a public and private key pair. If you choose to install the certificate during installation, a self-signed certificate is generated and installed when you install the gateway. You can replace the installed certificate with another one that you generate or obtain at any time after installation. If you chose not to install the certificate during installation, you can generate and install a self-signed certificate, or a certificate purchased from a certificate authority (CA), at a later time.

Secure Remote Access provides a tool named certadmin that you can use to manage the SSL certificates.

See the chapter, “Working With Certificates” in the Sun™ ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide for more information.

Note

You need to generate and install an SSL certificate for each gateway installation.

Generating Self-Signed Certificates

You need to generate certificates for SSL communication between each server and gateway component.

To Generate a Self-Signed Certificate After Installation

Note

certadmin does not support multibyte entries. When you invoke any of the options of the certadmin tool, and supply a multibyte entry as a value for the questions asked, certadmin will not accept the value.

If you generate a Certificate Signing Request (CSR) with multibyte entries using some other utility, certadmin will sign the request and handle the certificate.

  1. As root, run the certadmin script on the gateway machine for which you want to generate a certificate:

    InstallDir/SUNWps/bin/certadmin -n profilename

    The Certificate Administration menu is displayed.

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate From Certificate Authority (CA)
    5) Modify Trust Attributes of Certificate (e.g., for PDC)
    6) List Root CA Certificates
    7) List All Certificates
    8) Quit
    -------------------------------------

    choice: [8] 1

  2. Type 1 to generate a self-signed certificate.
  3. If you answer y to the question "Do you want to keep the existing certificate database files?", the script prompts you to enter organization-specific information, the token name, and the certificate name.

    Note

    For a wild card certificate, specify a * in the fully-qualified DNS name of the host. For example, if the fully-qualified DNS name of the host is abc.sesta.com, specify it as *.sesta.com. The certificate that is generated is now valid for all host names in the sesta.com domain.

    What is the fully-qualified DNS name of this host? [host_name.domain_name]
    What is the name of your organization (ex: Company)? []
    What is the name of your organizational unit (ex: division)? []
    What is the name of your City or Locality? []
    What is the name (no abbreviation please) of your State or Province? []
    What is the two-letter country code for this unit? []

    Token name is needed only if you are not using the default internal (software) cryptographic module, for example, if you want to use a crypto card (Token names could be listed using: modutil -dbdir /etc/opt/SUNWps/cert -list); Otherwise, just hit Return below.

    Please enter the token name []
    Enter the name you like for this certificate:

    The token name (default being empty) and certificate name are stored in the .nickname file under /etc/opt/SUNWps/cert.

  4. If you answer n to the question "Do you want to keep the existing certificate database files?", the original certificate directory is backed up, and the script asks you for organization-specific information, token name, and certificate name as explained earlier.

    You are also asked for a passphrase. A passphrase is required because a new set of certificate, key and encryption module database files will be created. The passphrase is stored in the .jsspass file under /etc/opt/SUNWps/cert.

    Enter passphrase []:

    A self-signed certificate is generated and the prompt returns.

  5. Restart the gateway for the certificate to take effect. To restart the gateway, type the following command:

    InstallDir/SUNWps/bin/gateway -n new profile name start

Installing Certificates From a Certificate Authority

Installing certificates from a Certificate Authority (CA) involves the following procedures:

Generating a Certificate Signing Request (CSR)

Before you can order a certificate from a CA, you need to generate a certificate signing request that contains the information required by the CA.

To Generate a CSR

  1. As root, run the certadmin script:

    InstallDir/SUNWps/bin/certadmin -n profilename

    The Certificate Administration menu is displayed.

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate From Certificate Authority (CA)
    5) Modify Trust Attributes of Certificate (e.g., for PDC)
    6) List Root CA Certificates
    7) List All Certificates
    8) Quit

    choice: [8] 2

  2. Type 2 on the menu to generate a certificate signing request (CSR).
  3. The script prompts you for organization-specific information, the web master’s email and phone number, and the token name.

    Ensure that you specify the fully-qualified DNS name of the host.

    What is the fully-qualified DNS name of this host? [snape.sesta.com]
    What is the name of your organization (ex: Company)? []
    What is the name of your organizational unit (ex: division)? []
    What is the name of your City or Locality? []
    What is the name (no abbreviation please) of your State or Province? []
    What is the two-letter country code for this unit? []
    What is the email address of the admin/webmaster for this server [] ?
    What is the phone number of the admin/webmaster for this server [] ?

    Token name is needed only if you are not using the default internal (software) cryptographic module, for example, if you want to use a crypto card (Token names could be listed using: modutil -dbdir /etc/opt/SUNWps/cert -list); Otherwise, just hit Return below.

    Please enter the token name []

  4. Type all the required information.

    Note

    Do not leave the web master’s email and phone number blank. The information is necessary for obtaining a valid CSR.

A CSR is generated and stored in the file /tmp/csr.hostname. The CSR is also printed on the screen. You can directly copy and paste the CSR when you order a certificate from a CA.

Ordering a Certificate from a CA

After generating a certificate signing request (CSR), you need to order the certificate from the CA using the CSR.

To Order a Certificate

  1. Go to the Certificate Authority’s web site and order your certificate.
  2. Provide the CSR obtained in "Generating a Certificate Signing Request (CSR)", as requested by the CA. Provide other information if requested by the CA.
  3. You will receive your certificate from the CA. Save it in a file. Include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines with the certificate in the file.

    The following example omits the actual certificate data.

    -----BEGIN CERTIFICATE-----
    The certificate contents...
    -----END CERTIFICATE-----
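
A pre-install check for the certificate file saved in step 3, given here as an added example and not something shipped with Secure Remote Access. It assumes openssl is available on the gateway host and that the CSR file is in PEM form; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on the CA's reply before certadmin option 4.
# Assumption: openssl is installed (used only for the key comparison).

# pem_framing_ok FILE
# Succeeds only if FILE holds exactly one certificate block: the first and
# last lines are the five-dash BEGIN/END markers and the body is base64 text.
pem_framing_ok() {
    f=$1
    [ -f "$f" ] || return 1
    first=$(sed -n '1p' "$f")
    last=$(sed -n '$p' "$f")
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$last" = "-----END CERTIFICATE-----" ] || return 1
    inner=$(sed '1d;$d' "$f")
    [ -n "$inner" ] || return 1
    # A second marker, a space, a CR or pasted prose in the body fails here.
    if printf '%s\n' "$inner" | grep -q '[^A-Za-z0-9+/=]'; then
        return 1
    fi
    return 0
}

# cert_matches_csr CERT CSR
# Succeeds if the certificate carries the same public key as the CSR
# (for example /tmp/csr.hostname), so it answers this gateway's request.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Usage: sh check_ca_reply.sh CERT_FILE CSR_FILE
if [ "$#" -eq 2 ]; then
    pem_framing_ok "$1" || { echo "bad PEM framing: $1" >&2; exit 1; }
    cert_matches_csr "$1" "$2" || { echo "certificate does not match CSR" >&2; exit 1; }
    echo "OK: $1 is well formed and matches $2"
fi
```

A file that fails either check is better re-downloaded from the CA than repaired by hand.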

Installing a Certificate from the CA

Using the certadmin script, install the certificate obtained from the CA in your local database files in /etc/opt/SUNWps/cert.

To Install a Certificate

  1. As root, run the certadmin script:

    InstallDir/SUNWps/bin/certadmin -n profilename

    The Certificate Administration menu is displayed.

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate From Certificate Authority (CA)
    5) Modify Trust Attributes of Certificate (e.g., for PDC)
    6) List Root CA Certificates
    7) List All Certificates
    8) Quit

    choice: [8] 4

  2. Type 4 on the menu to install your certificate from the CA.
  3. The script asks you to enter the certificate file name, certificate name, and the token name.

    What is the name (including path) of file that contains the certificate?
    Please enter the token name you used when creating CSR for this certificate []

  4. Supply all the required information.

    The certificate is installed in /etc/opt/SUNWps/cert, and the screen prompt returns.

  5. Restart the gateway for the certificate to take effect:

    InstallDir/SUNWps/bin/gateway -n profile name start

Installing a Root CA Certificate

If a client site presents a certificate signed by a CA that is unknown to the gateway certificate database, the SSL handshake will fail.

To prevent this, you need to import a root CA certificate into the certificate database. This ensures that the CA becomes known to the gateway.

Browse to the CA’s website and obtain the root certificate for that CA. You need to specify the filename and path of the root CA certificate when you run the certadmin utility.

To Import a Root CA Certificate

  1. As root, run the certadmin script:

    InstallDir/SUNWps/bin/certadmin -n profilename

    The Certificate Administration menu is displayed.

    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate From Certificate Authority (CA)
    5) Modify Trust Attributes of Certificate (e.g., for PDC)
    6) List Root CA Certificates
    7) List All Certificates
    8) Quit

    choice: [8] 3

  2. Choose option 3 on the certificate administration menu.
  3. Enter the name of the file that contains the root certificate and enter the name for the certificate.

    The root CA certificate is added to the certificate database.

    Note

    Certificate details can be viewed using the gwcertutil tool. This is a wrapper for the certutil tool provided by NSS/JSS.

    Refer to the section “Modifying the Trust Attributes of a Certificate” in Chapter 6 in the Sun™ ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide, for details.
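
Because a root CA certificate added with option 3 becomes a trust anchor for the gateway, the downloaded file is worth vetting first. The following is an added example, not part of the Sun documentation or tooling; it assumes openssl is installed and that the expected SHA-256 fingerprint was obtained from the CA through a separate channel. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: vet a downloaded root CA file before certadmin option 3.
# Assumptions: openssl is installed; the expected fingerprint was obtained
# from the CA out of band (not from the same page as the download).

# norm_fp TEXT
# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare uppercase hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# root_ca_ok FILE EXPECTED_SHA256
# Succeeds only if FILE parses as a certificate, its SHA-256 fingerprint
# equals EXPECTED_SHA256, its issuer equals its subject (a root is
# self-issued), and it has not expired.
root_ca_ok() {
    file=$1
    want=$(norm_fp "$2")
    [ -n "$want" ] || return 1
    got=$(openssl x509 -in "$file" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$(norm_fp "$got")" = "$want" ] || { echo "fingerprint mismatch" >&2; return 1; }
    subj=$(openssl x509 -in "$file" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issr=$(openssl x509 -in "$file" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$issr" ] || { echo "issuer differs from subject" >&2; return 1; }
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
}

# Usage: sh vet_root_ca.sh ROOT_CA_FILE EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    root_ca_ok "$1" "$2" && echo "OK: $1 matches the expected fingerprint"
fi
```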

Copyright 2003 Sun Microsystems, Inc. All rights reserved.

Article information

Author: Catherine Tremblay
