> Our server is configured to use SSL, but it's a self signed
> certificate. I have been asked to install a Chained root 128 bit
> Wildcard SSL certificate. The problem I have is this... where and how
> is this done?
You need to create a CSR with ConsoleOne, then send it off to the
authority to gen your cert. When they return it, you import it back into
eDirectory. What you end up with is a KMO (key material object)
representing your wildcard cert.
> I have been told that I do not need to replace the current self signed
> certificate because that is used for server to server communication. I
> was also told that all I had to do is enter the SSL directives in my
> httpd.conf file and provide a path to the certificate and key file and
> everything would be fine.
This is incorrect. You say you want to secure the link between browser
and web server, correct? If so, then you DO need a real cert, unless you
want to put up with the browser complaint that the Novell cert is not
signed by a trusted authority...
> I used the GWCSRGEN.exe utility to generate the .csr file and sent it
> off for signing.
> I have tried this using the following syntax in my httpd.conf file:
> SSLCertificateFile \apache2\conf\public.crt
> SSLCertificateKeyFile \apache2\conf\public.key
> SSLCACertificateFile \apache2\conf\chain.crt
gwcsrgen is ONLY used when you need to mint certificates to SSL-ize the
links between various *GroupWise* objects (e.g., webaccess agent to poa,
poa to mta, etc). It does *not* have anything to do with securing
browser-to-web server, which is what you want.
For instructions on creating the CSR with ConsoleOne, check here
Once you get the CSR back from the authority, use these instructions to
Once THAT is done, you simply edit the apache conf file to point the
SecureListen directive at the name of your new KMO (certificate).