1 Reply Latest reply: Jan 18, 2008 7:03 AM by 807581

    managing certificates in ldapconsole and certutil from mess. server


      I managed to install a self-signed certificate in JES 4 messaging server, using the /opt/SUNWmsgr/lib/certutil command.
      I generated a key db in /opt/SUNWmsgsr/config directory, created a CA certificate myself, and used it to sign a certificate I also created via the certutil.

      I then adapted the messaging server (using configutil) to use this certificate for activating IMAP over SSL.
      This works fine now. Of course, there are some warning messages, but I can live with that for now.

      Now, I want to buy an official certificate from GlobalSign, and I was wondering if I can just proceed like this:

      - download the root GlobalSign certificates and import them via certutil -E using a command like this:

      ./certutil -E -n globalsignorgssl -t "CTu,CTu,CTu" -f /opt/SUNWmsgsr/config/sslpassword -d /opt/SUNWmsgsr/config -i certs/globalsignorgssl.cert

      then use certutil -R to generate a CSR that GlobalSign needs as input for them to generate the new certificate.

      If I receive the official certificate, use certutil -E to import it, and afterwards do:
      /configutil -o encryption.rsa.nssslpersonalityssl -v <nick name of the official certificate>
      to enable it.

      Is that the way to go?

      Alternatively, I noticed that the ldapconsole has a 'managing certificates' option for the messaging server, but strangely enough, my self-signed certificates do not appear there. Is the ldapconsole tool using the same certutil command in the background, but perhaps pointing to a keystore located elsewhere? Or is using this 'managing certificates' via the ldapconsole/messaging server deprecated?

      Thanks for letting me know.