Signing a Digital Certificate

After creating a digital certificate, the owner must sign it to prevent forgery. E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA). If authentication is not a concern, for example if private secure communication is all that is required, you can save the time and expense involved in obtaining a CA certificate and use a self-signed certificate.

Using a Certificate From a CA

To use a digital certificate signed by a CA:

  1. Follow the instructions on the CA’s Web site for generating certificate key pairs.
  2. Download the generated certificate key pair.
  3. Save the certificate in the directory containing the server keystore and trust-store files, by default the install_dir/domains/domain-dir/config directory. See "Changing the Location of Certificate Files" for instructions on changing this location.
  4. In your shell, change to the directory containing the certificate.
  5. Use certutil to import the certificate into the local keystore and, if necessary, the local trust-store.
  6. Restart the Application Server.
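One way to script step 5 so that each certificate is imported with explicit, minimal trust settings. This is an added example, not part of the Application Server documentation; the role names "server" and "ca", the nicknames and the file names are hypothetical, and the certificate database is assumed to be in the directory passed as the last argument.

```shell
#!/bin/sh
# Added example: wrap the certutil import step with explicit trust settings.
# Role names, nicknames and file names are assumptions, not from the page.

# NSS trust arguments are "SSL,S/MIME,object-signing".
# A server certificate gets no trust flags; a CA certificate is trusted to
# issue SSL server (C) and SSL client (T) certificates only.
trust_args_for() {
    case "$1" in
        server) printf '%s\n' ',,' ;;
        ca)     printf '%s\n' 'CT,,' ;;
        *)      echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# certutil needs -a for PEM (ASCII) input; DER input takes no extra flag.
input_flag_for() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        printf '%s\n' '-a'
    else
        printf '\n'
    fi
}

# import_cert ROLE NICKNAME CERT_FILE DB_DIR
import_cert() {
    role=$1 nick=$2 file=$3 db=$4
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    trust=$(trust_args_for "$role") || return 1
    flag=$(input_flag_for "$file")
    # $flag is deliberately unquoted so an empty value adds no argument.
    certutil -A -n "$nick" -t "$trust" -d "$db" -i "$file" $flag || return 1
    if [ "$role" = server ]; then
        # Check that the chain validates for SSL server use (-u V).
        certutil -V -n "$nick" -u V -d "$db"
    else
        certutil -L -n "$nick" -d "$db" >/dev/null
    fi
}

# Runs only when four arguments are supplied, for example:
#   sh import-cert.sh ca example-ca ca.pem .
#   sh import-cert.sh server example-server server.pem .
if [ "$#" -eq 4 ]; then
    import_cert "$@"
fi
```

Import the CA certificate before the server certificate so that the validation step can build the chain.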

For complete information about using certutil, see the certutil documentation at:

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
