Niall Mullen's Weblog

Thursday May 25, 2006

SPECweb2005 configuration: Generating SSL Certs

This blog entry forms one part of a larger guide to specweb2005 which
is indexed here.

Generating SSL Certs

SPECweb2005 setup involves setting up a secure webserver, which in many cases means
generating SSL certs for the webserver. This is not difficult; however, I found
it was poorly documented.

SPECweb2005 requires a server that listens both on port 80 for regular HTTP connections
and on port 443 for HTTPS connections. For the secure server on port 443 you can configure your
webserver to listen there or, if using Solaris, you can use the kssl proxy to redirect encrypted
traffic on port 443 to port 80 unencrypted, without all that trapping in and out of the kernel.
If you're running s10u1 or later, see ksslconfig (1m).

In either case you're going to have to generate SSL certs for the encrypted connections.
Although this is easy to do, it's surprisingly difficult to find a straight answer on how to
do it if you don't know. The explanation I found after much searching is here:
http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html

Here I'll take the example case of Sun Java Webserver. The following is what you need to
do to generate your server certs:

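cd /opt/SUNWwbsvr/alias
# pick up certutil and its libraries from /usr/sfw
LD_LIBRARY_PATH=/usr/sfw/lib
PATH=$PATH:/usr/sfw/bin
export PATH LD_LIBRARY_PATH
# seed (noise) file for -z; /etc/ssh/moduli is a published file, not secret random data
cp /etc/ssh/moduli ./seed
# create a new certificate and key database in this directory
certutil -N -d `pwd`
# generate a key pair and a certificate request for the server
certutil -R -s "CN=`uname -n`-1,O=Sun Microsystems,L=Where I am,ST=Dublin,C=IE" -p "xxx-xxx-xxxxxx" -o mycert.req -x -z ./seed -d `pwd`
# create the self-signed CA certificate myCA; -1, -2 and -5 prompt for extensions
certutil -S -s "CN=`uname -n`-1,o=Sun,ou=sun.com, C=IE" -n myCA -x -t "TCu,Cu,Cu" -1 -2 -5 -m 1234 -z ./seed -v 100 -d `pwd`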

One by one, select options 0, 1, 5, 6 and 9, and type y when the program asks
whether this is a critical extension.
After that, you will be prompted to select from other option menus, where
you should choose 5, 6, 9 for SSL CA and S/MIME CA.

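# sign the server's request with myCA
certutil -C -m 2345 -i mycert.req -o mycert.crt -c myCA -v 100 -z ./seed -d `pwd`
# import the signed certificate into the database under the nickname Server-Cert
certutil -A -n Server-Cert -t "TCu,TCu,TCu" -i mycert.crt -d `pwd`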

My source for finding most of the above comes from:

http://www.modssl.org/docs/2.8/ssl_overview.html
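
A check to run on the finished database, as an added example that is not part of the original post: the last command above imports Server-Cert with the same CA trust flags (T, C) as myCA, and this function reads a `certutil -L` listing and names every certificate other than the CA that carries them. The sample listing is constructed and its column layout is an assumption; `audit_trust` and `sample_listing` are hypothetical names.

```shell
#!/bin/sh
# NSS trust flags: C = trusted CA for issuing server certs,
# T = trusted CA for issuing client certs,
# u = the private key for this cert is in the database.

# audit_trust CA_NICKNAME
# Reads a `certutil -L -d <dir>` listing on stdin and prints the nickname of
# every certificate other than CA_NICKNAME whose trust triple contains C or T.
audit_trust() {
    awk -v ca="$1" '
        # A certificate row ends in a trust triple such as "CTu,Cu,Cu".
        # Header rows ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
            if (nick != ca && flags ~ /[CT]/) print nick
        }'
}

# Constructed sample of a listing after the steps above (not captured from a
# real run; the exact column layout is an assumption).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myCA                                                         CTu,Cu,Cu
Server-Cert                                                  CTu,CTu,CTu
EOF
}

# Only myCA should hold CA trust; the server certificate is reported.
sample_listing | audit_trust myCA    # prints: Server-Cert
```

On a real database, pipe `certutil -L -d <dir>` into `audit_trust myCA`; a reported server certificate can have its CA bits cleared with `certutil -M -n Server-Cert -t "u,u,u" -d <dir>`.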
