iTP Secure WebServer System Administrator's Guide (Version 7.0)

Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide 523346-012
Using Server Certificate Chains With the iTP Secure WebServer
The iTP Secure WebServer’s SSL 3.0 protocol allows you to send and receive
certificate chains. With the certificate chain option, you can establish a certificate
hierarchy that is more than two certificates deep. Server certificate chain support
allows iTP Secure WebServers to use VeriSign Global Server IDs, which are certificate
chains.
For information about Global Server IDs, see Support for International 128-Bit SSL
Sessions Using VeriSign’s Global Server ID on page 4-5. For more information about
certificates and certificate chains, see Using Certificates on page D-6.
No configuration changes to the iTP Secure WebServer are required for this feature.
However, because certificate chain transmission between clients and servers requires
SSL 3.0 support, check that you are using the latest version of the iTP Secure
WebServer.
You can use certificate chains with the WebSafe2 unit for increased security. If you
plan to do this, see How to Use Server Certificate Chains With WebSafe2 Encryption
on page 5-17 for specific configuration details.
To create a server certificate chain, follow these steps:
1. Obtain leaf and intermediate certificates from the appropriate CA. If the certificates
are to be used to support a Global Server ID, obtain the certificates from VeriSign
at this Web site:
http://www.verisign.com
2. Note that when a certificate chain is sent from VeriSign, the leaf certificate is the
certificate that follows the text SERVER SUBSCRIBER CERTIFICATE, and the
intermediate certificate is the certificate that follows the text INTERMEDIATE CA
CERTIFICATE.
3. Store the leaf and the CA certificates:
   - Store the root certificate, including the lines labeled ----- BEGIN
     CERTIFICATE ----- and ----- END CERTIFICATE -----, in a
     certificate file (a plain text file). Add this certificate to the designated key
     database file using the keyadmin utility.
   - Store the intermediate certificate, including the lines labeled ----- BEGIN
     CERTIFICATE ----- and ----- END CERTIFICATE -----, in a
     certificate file (a plain text file). Add this certificate to the designated key
     database file using the keyadmin utility.
   - Store the leaf certificate, including the lines labeled ----- BEGIN
     CERTIFICATE ----- and ----- END CERTIFICATE -----, in a

Note. WebSafe2 unit is compatible only with systems running on G-series RVUs.
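Steps 2 and 3 as an added example (not taken from the guide): a POSIX shell function that splits a CA delivery into one certificate file each for the leaf and the intermediate, keyed on the two text labels the guide quotes, and fails if either is missing, duplicated or incomplete. The function names, output file names and sample delivery are assumptions; adding each file to the key database with keyadmin follows the guide and is not shown.

```shell
#!/bin/sh
# Added example. Labels come from the guide; file names are assumptions.

# split_chain BUNDLE OUTDIR
# Writes OUTDIR/leaf.pem and OUTDIR/intermediate.pem, BEGIN/END lines included.
# Returns non-zero unless each label is followed by exactly one complete block.
split_chain() {
    bundle=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    rm -f "$outdir/leaf.pem" "$outdir/intermediate.pem"
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /SERVER SUBSCRIBER CERTIFICATE/ { want = "leaf"; next }
        /INTERMEDIATE CA CERTIFICATE/   { want = "intermediate"; next }
        # Accept the marker with or without the spaces shown in the guide.
        /^-----[ ]*BEGIN CERTIFICATE[ ]*-----$/ {
            if (want == "" || incert) { bad = 1; exit }  # unlabeled or nested
            if (seen[want]++)         { bad = 1; exit }  # duplicate label
            out = dir "/" want ".pem"; incert = 1
        }
        incert { print > out }
        /^-----[ ]*END CERTIFICATE[ ]*-----$/ {
            if (!incert) { bad = 1; exit }               # END without BEGIN
            incert = 0; want = ""; close(out)
        }
        END { exit (bad || incert || seen["leaf"] != 1 || seen["intermediate"] != 1) }
    ' "$bundle"
}

# make_sample FILE
# Constructed delivery; the bodies are placeholders, not real certificates.
make_sample() {
    cat > "$1" <<'EOF'
SERVER SUBSCRIBER CERTIFICATE
-----BEGIN CERTIFICATE-----
CONSTRUCTEDleafBODY
-----END CERTIFICATE-----

INTERMEDIATE CA CERTIFICATE
----- BEGIN CERTIFICATE -----
CONSTRUCTEDintermediateBODY
----- END CERTIFICATE -----
EOF
}

# Usage: sh split_chain.sh delivery.txt outdir
if [ "$#" -eq 2 ]; then split_chain "$1" "$2"; fi
```

A non-zero return means the delivery did not contain exactly one complete certificate under each label, so nothing from that run should be added to the key database.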