There are two kinds of certificates in OES. One set is stored in eDirectory and is used by the LDAP services. The other set is used by the Apache web server. This article describes one way to set up the Apache certificates (there are many methods, depending on what is needed).
Step 1- First, if you are going to sign your own certificates, do this once to set up your Certificate Authority (commonly abbreviated as "CA"). The procedure is:
mkdir /etc/ssl
chown -R root /etc/ssl
chmod g-rwx /etc/ssl
chmod o-rwx /etc/ssl
mkdir /etc/ssl/demoCA
touch /etc/ssl/demoCA/index.txt
echo '00000000' >> /etc/ssl/demoCA/serial
openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/ca.key -out /etc/ssl/ca.crt -days 1095
Step 2- Next, create a certificate signing request. This request can be sent to a third-party certificate service for signing. The procedure is:
openssl req -new -nodes -out /etc/ssl/site.csr -keyout /etc/ssl/site.key
Step 3- Now, the certificate request can be signed by the third party, or you can sign it yourself with the CA created above, producing a "self-signed" certificate. Self-signed certificates are free, but the procedure requires the CA set up in Step 1. Sign the request using:
cd /etc/ssl
openssl ca -cert /etc/ssl/ca.crt -keyfile /etc/ssl/ca.key -out /etc/ssl/site.crt -outdir /etc/ssl -infiles /etc/ssl/site.csr
You should now have a new certificate and the key for your OES server.
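Before pointing Apache at the new files, it is worth confirming that site.crt was really issued by ca.crt, that it matches site.key, and that it is still within its validity period. The following check is an added example, not part of the original article; it assumes the page's file names (ca.crt, site.key, site.crt) and an installed openssl. The throwaway PKI it builds for demonstration signs with `openssl x509 -req` instead of the page's `openssl ca`, to avoid needing the demoCA directory layout.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the files
# produced by the procedure above before configuring Apache with them.
# Assumes the page's file names: ca.crt, site.key, site.crt.

# Returns 0 if CERT was signed by CA, matches KEY, and is not expired.
verify_site_cert() {
    ca="$1"; cert="$2"; key="$3"
    # 1. Was the certificate really issued by this CA?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: FAIL ($cert not issued by $ca)"; return 1; }
    # 2. Does the private key belong to this certificate? Compare the
    #    public key in the cert with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: FAIL ($key does not match $cert)"; return 1; }
    # 3. Is it still valid right now?
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "expiry: FAIL ($cert has expired)"; return 1; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed throwaway PKI so the check can be exercised without touching
# /etc/ssl. Signs with 'openssl x509 -req' instead of the page's 'openssl ca'
# to avoid needing the demoCA directory layout; the resulting files are the
# same kind of CA cert, site key and site cert. Names are made up.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=oes.example.test" \
        -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/site.crt" 2>/dev/null
}

# On a real server: verify_site_cert /etc/ssl/ca.crt /etc/ssl/site.crt /etc/ssl/site.key
```

The key-match step is the one that catches a restored backup where the .crt and .key files came from different generations of the procedure.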
Note that the certificate files (*.crt), the key files (*.key) and any PEM files (*.pem) should be backed up in case of data loss. If the .key files are lost, the certificates will no longer be usable, because each certificate is bound to its private key. In that situation a new certificate must be obtained using the above procedure.
See KB 10096990 [no longer available] on Certificates in Apache (formerly known as TID# 10096988).
If configuring Apache on SLES (10 or 11), OES2 or OES11 to use a 3rd party certificate, please see TID 7009962.