There are two acceptable types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates. Prior to generating the certificate, decide which is best for your environment. A CA-signed certificate is trusted by any client that trusts the CA; a self-signed certificate must be distributed to and trusted by each client explicitly, otherwise clients will warn about or reject the connection. For more information on OpenSSL, go to: http://www.openssl.org

Creating a Private Key

Follow these steps to create a private key:

1. Log in as root.

2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:

   /usr/local/openssl096g/bin

3. Enter the following command:

   openssl genrsa -out server.key -rand file1:file2:...:fileN 1024

   where file1 through fileN are files containing random data, such as a large log, or other dynamic files (e.g., /var/adm/messages.0). The number of files containing random data is optional, but at least one must be specified.

   Note: The final argument is the key length in bits. A 1024-bit RSA key is below the minimum that public CAs and current clients accept; use 2048 bits or more unless the CA or the clients in your environment cannot handle it. Log files are a weak source of randomness; on a system whose OpenSSL build can read /dev/urandom, prefer that device as one of the -rand files.

4. A private key is created and written to the file server.key. This file is the server's secret; anyone who obtains it can impersonate the server or decrypt sessions, so keep it readable by root only.

5. Based on the type of certificate to be generated, refer to the appropriate instructions:

   * Generating a CA-signed Certificate
   * Generating a Self-signed Certificate

Generating a CA-Signed Certificate

Follow these steps to generate a Certificate Signing Request (CSR) and obtain a CA-signed certificate:

1. Log in as root.

2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:

   /usr/local/openssl096g/bin

3. Enter the following command:

   openssl req -new -key server.key -out server.csr

4. The following message and series of attributes appear. Be sure to remember all attribute values specified. The Common Name must be the fully qualified host name that clients will use to reach the server; a mismatch causes clients to reject the certificate.

   Using configuration from /usr/local/openssl096g/ssl/openssl.cnf
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank.
   For some fields there will be a default value.
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, YOUR name) []:
   Email Address []:

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

   The certificate signing request is written to the file server.csr. (No certificate exists yet; the CA produces it from this request in step 7.) Leave the challenge password blank unless your CA tells you to set one; it is a legacy CSR attribute, not the pass phrase that protects the key.

5. Encrypt the key to prevent the key from being compromised.

   Note: This step is optional. Encrypting the key enhances key security. Once the key is encrypted, any program that needs to access the key will require a user-provided pass phrase. For secure mode operations, this pass phrase is required each time the server starts, so the server cannot be restarted unattended. To encrypt the key, run the following command and type a pass phrase when prompted:

   openssl rsa -des3 -in server.key -out server.key.crypt
   read RSA key
   writing RSA key
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:

6. Enter the following command (this overwrites the unencrypted key, which is the intent; do not keep an unencrypted copy elsewhere):

   mv server.key.crypt server.key

7. Submit the CSR to the chosen CA. The CA will provide instructions on how to submit the CSR. Once the CSR is processed, the CA will return a signed certificate. Only the CSR (server.csr) is sent to the CA; the private key never leaves the server.

8. Store the CA-signed certificate in the file server.crt. Before installing it, confirm that the returned certificate was issued for the key in server.key and carries the Common Name you requested.

9. Relocate the files by entering the following commands:

   mkdir TNHOME/etc/httpd/conf/ssl.crt
   mkdir TNHOME/etc/httpd/conf/ssl.key
   chown root server.crt server.key
   chmod 444 server.crt
   chmod 400 server.key
   mv server.crt TNHOME/etc/httpd/conf/ssl.crt
   mv server.key TNHOME/etc/httpd/conf/ssl.key

10. Restart the HTTP server by entering the following:

    cd /TNHOME/usr/sbin
    ./tnfwshut
    ./tnfwstart

11. Enter the pass phrase (if the key is encrypted).

12. Go to section 2.2 Configuring SSL Support for Secure Framework Sessions of the TAS Administration Manual to complete SSL configuration.
Generating a Self-Signed Certificate

Follow these steps to generate a self-signed certificate:

1. Log in as root.

2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:

   /usr/local/openssl096g/bin

3. Enter the following command:

   openssl req -x509 -new -key server.key -out server.crt

   Note: Without a -days option, OpenSSL issues the certificate with its default validity period (30 days in this release). Add -days followed by the number of days of validity you require, and record the expiry date so the certificate can be renewed before it lapses.

4. The following message and series of attributes appear. Be sure to remember all attribute values specified. The Common Name must be the fully qualified host name that clients will use to reach the server.

   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank.
   For some fields there will be a default value.
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, YOUR name) []:
   Email Address []:

   The certificate is generated and stored in the file server.crt. Because it is signed with server.key itself, its subject and issuer are identical; clients must be configured to trust this exact certificate.

5. Encrypt the key to prevent the key from being compromised.

   Note: This step is optional. Encrypting the key enhances key security. Once the key is encrypted, any program that needs to access the key will require a user-provided pass phrase. For secure mode operations, this pass phrase is required each time the server starts, so the server cannot be restarted unattended. To encrypt the key, run the following command and type a pass phrase when prompted:

   openssl rsa -des3 -in server.key -out server.key.crypt
   read RSA key
   writing RSA key
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:

6. Enter the following command (this overwrites the unencrypted key, which is the intent; do not keep an unencrypted copy elsewhere):

   mv server.key.crypt server.key

7. Relocate the files by entering the following commands:

   mkdir TNHOME/etc/httpd/conf/ssl.crt
   mkdir TNHOME/etc/httpd/conf/ssl.key
   chown root server.crt server.key
   chmod 444 server.crt
   chmod 400 server.key
   mv server.crt TNHOME/etc/httpd/conf/ssl.crt
   mv server.key TNHOME/etc/httpd/conf/ssl.key

8. Restart the HTTP server by entering the following:

   cd /TNHOME/usr/sbin
   ./tnfwshut
   ./tnfwstart

9. Enter the pass phrase (if the key is encrypted).

10. Go to section 2.2 Configuring SSL Support for Secure Framework Sessions of the TAS Administration Manual to complete SSL configuration.