A General Overview of Web Server Security

Your Red Hat Linux Secure Web Server provides security using a combination of the Secure Sockets Layer (SSL) protocol and (in most cases) CA-approved digital certificates. SSL handles the encrypted communications and the mutual authentication between browsers and your Red Hat Linux Secure Web Server. The CA-approved digital certificate provides authentication for your Red Hat Linux Secure Web Server (the CA puts its reputation behind its certification of your organization's identity).

Encryption depends upon the use of keys (think of them as the digital equivalent of a secret encoder/decoder ring). In conventional or symmetric cryptography, both ends of the transaction share the same key, which they use to decode each other's transmissions. In public key or asymmetric cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key secret and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.

You'll use public key cryptography to create a public and private key pair. In most cases, you'll send your certificate request (including your public key), proof of your company's identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your Red Hat Linux Secure Web Server.

Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in production environments. See the section called Types of Certificates for more information on the differences between self-signed and CA-signed certificates.
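The following script is an added example, not part of the Red Hat manual, that walks through the steps just described with the openssl command line: it generates a key pair, shows the asymmetric property from the earlier paragraph (public-key encryption undone only by the private key, private-key signature checked with the public key), builds the certificate request you would send to a CA, and, as the alternative, self-signs that request. It assumes the openssl binary is installed; the working directory, file names and the certificate subject are constructed for the demonstration and are not values from the manual.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): key pair, CSR and self-signed
# certificate with the openssl CLI. Assumes openssl is installed; WORKDIR,
# file names and SUBJ are constructed placeholders, not values from the text.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/ST=Example/L=Example/O=Example Org/CN=www.example.com"  # constructed

# Step 1: generate an RSA key pair. The private key never leaves the server;
# the public key is what goes into the certificate request and the certificate.
make_keypair() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl rsa -in "$WORKDIR/server.key" -pubout -out "$WORKDIR/server.pub" 2>/dev/null
}

# Asymmetric property 1: data encrypted with the public key can only be
# recovered with the private key. Prints the recovered plaintext.
roundtrip() {
    printf 'constructed plaintext' > "$WORKDIR/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/server.pub" \
        -in "$WORKDIR/msg.txt" -out "$WORKDIR/msg.enc"
    openssl pkeyutl -decrypt -inkey "$WORKDIR/server.key" -in "$WORKDIR/msg.enc"
}

# Asymmetric property 2: a signature made with the private key is checked with
# the public key. Returns success only when the signature verifies.
sign_verify() {
    openssl dgst -sha256 -sign "$WORKDIR/server.key" \
        -out "$WORKDIR/msg.sig" "$WORKDIR/msg.txt"
    openssl dgst -sha256 -verify "$WORKDIR/server.pub" \
        -signature "$WORKDIR/msg.sig" "$WORKDIR/msg.txt" >/dev/null
}

# Step 2: build the certificate signing request. It carries the public key and
# the identity the CA is expected to verify before issuing the certificate.
# Prints the CSR subject so it can be checked before sending it off.
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "$SUBJ" -out "$WORKDIR/server.csr"
    openssl req -in "$WORKDIR/server.csr" -noout -subject
}

# Step 3 (alternative): self-sign the CSR with the same private key. No CA
# vouches for the identity, which is why the manual keeps this out of
# production. Prints the issuer, which is simply the subject again.
make_selfsigned() {
    openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
        -days 30 -out "$WORKDIR/server.crt" 2>/dev/null
    openssl x509 -in "$WORKDIR/server.crt" -noout -issuer
}

# A quick check that distinguishes a self-signed certificate: issuer == subject.
selfsigned_issuer_matches_subject() {
    subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Run every step in order; each function can also be called on its own.
run_all() {
    make_keypair
    roundtrip
    echo
    sign_verify && echo "signature verified with the public key"
    make_csr
    make_selfsigned
    echo "files written to $WORKDIR"
}
```

Run it with `sh example.sh` after appending a call to `run_all`, or source it and call the individual functions. When sending `server.csr` to a CA, the private key `server.key` stays on the server; only the CSR (and therefore only the public key) is transmitted. The issuer-equals-subject check at the end is the same signal a browser uses when it warns about a self-signed certificate: no third party has put its reputation behind the identity in the certificate.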