Chapter 11. Obtaining a Certificate for your Secure Server

This chapter will guide you through the process of securing your server by obtaining and installing a certificate.

To make your customers feel safe doing business with you over the Web, your Web server needs to be secure. Secure servers use the Secure Sockets Layer (SSL) protocol, which encrypts the data sent back and forth between a browser and the server. When your browser is communicating using SSL, you'll see the https: prefix before the Uniform Resource Locator (URL) in the navigation bar.

Customers feel more comfortable when making purchases from websites if they know that their transactions are secure, but secure servers aren't used only for electronic commerce. A secure server may also be used to transmit sensitive data such as sales figures to sales people on the road or to business partners over the Internet.

A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a "self-signed" certificate) or you can get a certificate from a Certificate Authority or CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.

If your server will be used for e-commerce, you'll probably want to purchase a certificate from a CA. A CA's certificate provides two advantages: (usually) browsers will recognize it automatically and the CA guarantees the identity of the organization responsible for the website. Self-signed certificates will not be automatically accepted by a user's browser — the user will be asked by the browser if they want to accept the certificate and create the secure connection.

When you use a CA-signed certificate, you guarantee the identity of the organization running the server. For example, if the certificate says the website is Red Hat's, and the user trusts the CA, then there is no reason to doubt that any files or programs downloaded from that site really are from Red Hat.

The first step is to create a public and private key pair. Then you'll need to either create a certificate request (CSR) to send to a CA or you'll need to create your own self-signed certificate. This chapter provides instructions on how to get signed certificates from VeriSign (http://www.verisign.com or http://www.verisign.com/offer/redhat/ for details on a VeriSign discount to Red Hat customers) and Thawte (http://www.thawte.com), and how to generate your own certificate.

Please Note

You can get signed certificates from any CA that you choose, and not just the CAs that are mentioned in this manual. However, VeriSign is offering a discount on certificates to Red Hat customers. See http://www.verisign.com/offer/redhat for details on VeriSign's discount.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you'll learn how to install it on your Red Hat Linux Secure Web Server.

Using Pre-existing Keys and Certificates

If you already have an existing key and certificate (for example, if you're installing the Red Hat Linux Secure Web Server to replace another company's secure Web server product), you will probably be able to use your existing key and certificate with the Red Hat Linux Secure Web Server. In the following two situations, you will not be able to use your existing key and certificate:

You can't use your old key and certificate if you are changing your IP address or domain name. Certificates are issued for a particular IP address and domain name pair. You will need to get a new certificate if you're changing your IP address or domain name.

VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new Red Hat Linux Secure Web Server. However, you won't be allowed to, because VeriSign issues certificates for one particular server software and IP address/domain name combination.

If you change either of those parameters (for example, if you previously used another secure Web server product and now you want to use the Red Hat Linux Secure Web Server), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You will need to obtain a new certificate.

If you have an existing key and certificate that you can use, you will not have to follow the instructions contained in Chapter 11. You do need to move and rename the files which contain your key and certificate.

Move your existing key file to:

/etc/httpd/conf/ssl.key/server.key

Move your existing certificate file to:

/etc/httpd/conf/ssl.crt/server.crt

After you've moved your key and certificate, skip to the section called Testing Your Certificate.

If you're upgrading from Red Hat Secure Web Server version 1.0 or 2.0, your old key (httpsd.key) and certificate (httpsd.crt) will be located in /etc/httpd/conf/. You'll need to move and rename your key and certificate so that the Red Hat Linux Secure Web Server can use them. Use the following two commands to move and rename your key and certificate files:

mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key
mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt

Then start your Red Hat Linux Secure Web Server as described in the section called Starting and Stopping Apache. You should not need to get a new certificate if you are upgrading from a previous version of the Red Hat Linux Secure Web Server.
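The move-and-rename steps above (both for a key and certificate from another product and for the 1.0/2.0 upgrade) can be wrapped in a small POSIX shell function that adds the checks an administrator would want: it refuses to overwrite a server.key or server.crt that is already installed, creates the ssl.key and ssl.crt directories if they are missing, and restricts the private key's permissions. This is an added example, not part of the Red Hat manual; the configuration directory is a parameter (defaulting to /etc/httpd/conf) so the function can be exercised outside the real server.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): move an existing key and
# certificate into the paths the Red Hat Linux Secure Web Server expects,
# with safety checks. CONFDIR defaults to /etc/httpd/conf.
#
# usage: install_existing_keypair KEYFILE CERTFILE [CONFDIR]
install_existing_keypair() {
    src_key=$1
    src_crt=$2
    conf=${3:-/etc/httpd/conf}
    dst_key="$conf/ssl.key/server.key"
    dst_crt="$conf/ssl.crt/server.crt"

    # Both source files must exist and be readable before anything is moved.
    for f in "$src_key" "$src_crt"; do
        if [ ! -r "$f" ]; then
            echo "install_existing_keypair: cannot read $f" >&2
            return 1
        fi
    done

    # Never silently overwrite a key or certificate that is already installed.
    for f in "$dst_key" "$dst_crt"; do
        if [ -e "$f" ]; then
            echo "install_existing_keypair: $f exists, refusing to overwrite" >&2
            return 1
        fi
    done

    # Create the ssl.key and ssl.crt directories on a fresh install.
    mkdir -p "$conf/ssl.key" "$conf/ssl.crt" || return 1

    # Move and rename, exactly as the two mv commands in the manual do.
    mv "$src_key" "$dst_key" || return 1
    mv "$src_crt" "$dst_crt" || return 1

    # The private key must be readable only by its owner (the account that
    # starts the server); the certificate is public and may stay world-readable.
    chmod 700 "$conf/ssl.key"
    chmod 600 "$dst_key"
    chmod 644 "$dst_crt"
    echo "installed $dst_key and $dst_crt"
}

# Stand-alone use when upgrading from Secure Web Server 1.0/2.0 (run as root):
#   install_existing_keypair /etc/httpd/conf/httpsd.key /etc/httpd/conf/httpsd.crt
```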