Creating and Managing Server Certificates



This document provides instructions for common Java Web Server tasks related to the creation and management of server certificates:

For a description of the AuthStore utility with which these tasks can be performed, see the AuthStore: Server Authentication online help document.

To Create a Self-signed Server Certificate:

  1. Start the AuthStore utility.

  2. In the AuthStore utility, click Create.

  3. Select the characteristics of the server certificate: the size of the encryption key (the larger it is, the stronger it will be); the signature type (MD5 with RSA encryption recommended); and the validity period.

  4. Click Continue.

  5. Fill in data to store in the server certificate: fully qualified hostname, department, organization, address. The client will see this information when they request your server's certificate. (Note: this information is not verified by AuthStore.)

  6. Click OK.

    If you have not previously set a passphrase to use with the server certificate, a pop-up dialog box for setting a passphrase appears. (A passphrase consisting of several words, and including alphanumeric characters, is recommended to reduce the chance of someone simply guessing your passphrase.) Type a passphrase and click OK.

    If you have previously set a passphrase to be used with the server certificate, AuthStore goes directly to creating and storing the certificate.

    You will be returned to the original AuthStore screen. The Help display area will indicate the key was successfully generated.

  7. Activate the Secure Web Service:

    1. Restart the Java Web Server.
    2. Log in to the Administration Tool.
    3. Select and then start the Secure Web Service.

    You've now enabled the web server and client browser to communicate securely using HTTPS on the Java Web Server secure web service port.

    The first time a particular client browser connects to the Java Web Server secure port (by default, port 7070) using HTTPS (not HTTP), the browser indicates that the server certificate it received is unrecognized. The client's browser will provide the client the option to add the new server certificate to its list of trusted certificates.

    Note: When you configure a certificate, the private keys are stored in a file called keys in the server_root, where server_root is the directory of the installed Java Web Server. Removal of this file results in the removal of all configured server certificates. You should make a copy of the keys file for archival/restoration purposes.

To Create a CA-signed Server Certificate

  1. Create a self-signed certificate.

    You need a self-signed server certificate to create a certificate-authority-signed certificate. If you have not already created a self-signed certificate, see To Create a Self-signed Server Certificate above.

  2. Create the Certificate Signing Request.

    1. Start the AuthStore utility.
    2. In the Server Certificates pane, select the self-signed certificate you created in the previous step.

    3. Click Request.

    4. Fill in the data to submit with the self-signed certificate to the Certificate Authority.

    5. Click OK to save the data you entered to the file you specified.

      Note: Only the path name to the file is verified by AuthStore.

  3. Contact the Certificate Authority.

    1. Connect to the Web site of the Certificate Authority of your choice. There are many Certificate Authorities, for example, VeriSign, Inc. and Thawte, Inc.

    2. Follow the instructions for requesting a signed server certificate. During the process, you will be asked to attach the content of the Certificate Signing Request (the file from the previous step) on a form.

      Once the request is processed, the Certificate Authority will make your signed server certificate available to you, either through email or from their website. The CA may also send you its root CA certificate, or it can be downloaded from their website.

    3. Save the files, noting their location. You will need to know their location in the next phase when you import the certificates into the Java Web Server.

      Note: If your certificates are lost or destroyed, you will probably have to go through the entire process again and contact the Certificate Authority. (They may or may not charge you again.) For that reason, you may want to keep copies of your CA root certificate and CA-signed server certificate in a secure place.

  4. Import the CA's root certificate.

    1. Start AuthStore if it is not already started.

    2. Click Import CA.

    3. Provide the location of the root CA certificate and an alias.

    4. Click OK.

  5. Import the CA-signed server certificate.

    1. Start AuthStore if it is not already started.

    2. Click Import.

    3. Provide the location of the CA-signed server certificate.

    4. Click OK.

  6. Update the secure web service to use the new certificates.

    1. Restart the Java Web Server.
    2. Log in to the Administration Tool.
    3. Select, then start, the Secure Web Service.

    Note: When you configure a certificate, the private keys are stored in a file called keys in the server_root, where server_root is the directory of the installed Java Web Server. Removal of this file results in the removal of all configured server certificates. You should make a copy of the keys file and store it for safekeeping following your normal archive/restoration procedures.
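A way to check the result of either procedure above (the self-signed certificate from the first, or the CA root plus CA-signed server certificate from the second), as an added example that is not part of the Java Web Server documentation or the AuthStore utility: it uses the standard JDK KeyStore API and assumes the store is a JKS-format keystore, for instance one written by keytool, since this page does not state the on-disk format of AuthStore's keys file. The class name, and the keystore path and passphrase passed as arguments, are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;
// Added example, not part of the Java Web Server documentation or the AuthStore
// utility. Assumes a standard JDK "JKS" keystore (e.g. one written by keytool);
// this page does not state the on-disk format of AuthStore's "keys" file.
public class CheckServerCerts {
    // Key entry: server certificate plus its chain. Trusted-cert entry: the imported CA root.
    static Certificate[] chainOf(KeyStore ks, String alias) throws Exception {
        return ks.isKeyEntry(alias) ? ks.getCertificateChain(alias)
                                    : new Certificate[] { ks.getCertificate(alias) };
    }
    // Returns "OK ..." or the reason the certificate should not be relied on.
    static String check(X509Certificate cert, Map<X500Principal, PublicKey> issuers) {
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        PublicKey issuerKey = selfSigned ? cert.getPublicKey() : issuers.get(cert.getIssuerX500Principal());
        if (issuerKey == null) return "issuer not in keystore (was the CA root imported?)";
        try {
            cert.verify(issuerKey);   // really signed by the issuer's key?
            cert.checkValidity();     // is now within notBefore..notAfter?
        } catch (Exception e) {
            return "FAILED: " + e;
        }
        return selfSigned ? "OK, self-signed (browsers warn until the user trusts it)" : "OK, CA-signed";
    }
    public static void main(String[] args) throws Exception {   // args: <keystore-file> <passphrase>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());   // a wrong passphrase fails here
        }
        List<String> aliases = Collections.list(ks.aliases());
        // Every certificate in the store (CA root, chain members) is a candidate issuer.
        Map<X500Principal, PublicKey> issuers = new HashMap<>();
        for (String alias : aliases)
            for (Certificate c : chainOf(ks, alias))
                issuers.put(((X509Certificate) c).getSubjectX500Principal(), c.getPublicKey());
        for (String alias : aliases) {
            System.out.println(alias + (ks.isKeyEntry(alias) ? " (server key entry)" : " (trusted CA entry)"));
            for (Certificate c : chainOf(ks, alias)) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("  subject=%s%n  issuer=%s%n  sigalg=%s  expires=%s%n  %s%n", x.getSubjectX500Principal(),
                        x.getIssuerX500Principal(), x.getSigAlgName(), x.getNotAfter(), check(x, issuers));
            }
        }
    }
}
```

The sigalg line shows the signature algorithm chosen in step 3 of the first procedure; current browsers reject certificates signed with MD5-based algorithms, so a certificate meant for public clients should carry a SHA-2 signature.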

    During the server-client communication process, the data exchanged will be encrypted using a "cipher suite" agreed on between the client and server. A default selection of cipher suites that the Java Web Server can use when communicating with a particular client is set. To find out more about cipher suites and how to change the default selection, see Administration Tool: Cipher Suites in the online documentation.


java-server-feedback@java.sun.com
Copyright © 1999 Sun Microsystems, Inc.
All Rights Reserved.