Dave’s Blogs

This HowTo assums the following:
* You have an instance of Sun Java System Web Server 6.1 on Solaris OS (SPARC/x64)
* The machine has a static IP
* You have root access to install and configure the software.
* All steps are presented in the form of examples with the assumption that you will replace environment specific parameters such as “myserver”, “mydomain.com”, “password”, and any other fields with the appropriate values for your environment.

1. Create a cert database for Web Server
login to Web Server console at http://myserver.mydomain.com:8888
click manage for the target instance
click security tab
click create database link
enter a password for the database

2. Method 1: import a certificate created by a third party
If you prefer to generate your own certificate, see section 3. Before import a certificate, you should create a certificate request for your server.

2.1. Request a Certificate
Click on Request a certificate link under security tab within instance
administration console for Web Server.
Enter a CA Email address. The server will send your request to this email address.
Enter the password you used to create the cert database above for the Key Pair File Password
Fill in rest of the form with your personal information
For Common name field, enter the host name of the server
For State, make sure spell out the full state name. Do not use abbreviation.

2.2. Import a Certificate
After you received the certificate, do the following steps to install the certificate
Login to Web Server’s admin console
Choose to manage the correct instance that the cert was created for and click manage
Click Security tab
Click Install Certificate
Enter password for the cert database for Key Pair File Password field
Choose Message text (with headers)
Copy and past first of the two cert (shorter number of lines) into the
text box. Make sure you include the text that says -----BEGIN
CERTIFICATE----- and -----END CERTIFICATE-----
Click OK
Click Add Server Certificate button
You will see a pop-up warning window telling you the change will require a sever restart. Click OK.
You should see a pop-up success window. Click OK.
You should be back to Install a Server Certificate page. Now, install
the second part of the certificate (root cert) by choosing Trusted Certificate Authority (CA) option under “Certificate For” section.
Enter the correct certificate database password for Key Pair File Password field
Choose Message text (with headers) option and past-in the second certificate text that you received. Make sure you include the text that says -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Add Server Certificate.
Click Ok on the warning pop-up window.
Click Ok on the success pop-up window.

2.3. (Optional) Install trusted partner’s cert
Use the same instructions as above to install a partner’s cert as Trusted Certificate Authority.

2.4. (Optional) View installed cert
Click Manage Certificate link under Security tab within the instance console.
The new cert should be at the bottom of the list. Enter “End” key to scroll to end of the page and look for your cert. You can click on it and see the its properties.

3. Method 2: Create your own certificate
This method does not require waiting for a third party to generate a certificate, and therefore could be faster. Here are the notes on how it can be done:

3.1. Create a certificate in the certificate database
Instead of generating a request for the third party to create a certificate, this single step will create a certificate and store it in the certificate database. Before you run the command below, create a password file that contains the password for accessing the certificate database. This is a plain-text file containing one password. For more information on this command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -S -s "CN=My Demo, O=My Company., L=My City, ST=CA, C=US" -n Sun -x -t "CT,CT,CT" -1 -2 -5 -f /opt/SUNWwbsvr/alias/pass -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

3.2. (Optional) List certificate(s)
You can use the following command to list the certificate you just created. Removing the -n option will display a list of certificates installed.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

3.3 (Optional) Delete a certificate
If you ever needs to recreate a new certificate, you can delete the old one with the following command:

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -D -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

3.4 (Optional) Export Certificate in DER format for partners
The following command will export the certificate with the name “Sun” to a file “mycert.der” in DER format. Some partners require this file type.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Sun -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver- -r > mycert.der

3.5 (Optional) Import a partner’s certificate
The following command will import a certificate (160ca.der for this example) into the certificate database with a name “partner”.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -A -i 160ca.der -n partner -t "CT,CT,CT" -d /opt/SUNWwbsvr/alias -P https-myserver.mydomain.com-myserver-

4 Restart Web Server
Restart the server using Web Server’s administration console or use the start/stop scripts.

5 Add a Listening Socket
Click Add Listen Socket under Preference tab in instance administration console.
Enter 443 for “Port” field.
Change Security field to “Enabled”.
Click OK
You should see a pop-up window telling you to apply changes.
Click Apply link on the upper right corner.
Click Apply Changes.
Type cert db password into Module internal field before click “Sever On” button.