Installation guide

ManualsBrandsRed Hat ManualsSoftwareNETSCAPE MANAGEMENT SYSTEM 4.5 - CUSTOMIZATION GUIDE

131

132

133

134

135

136

137

138

139

140

140 Chapter 14. Apache Secure Server Conﬁguration

A secure server uses a certiﬁcate to identify itself to Web browsers. You can generate your

own certiﬁcate (called a "self-signed" certiﬁcate) or you can get a certiﬁcate from a Certiﬁcate

Authority or CA. A certiﬁcate from a reputable CA guarantees that a website is associated

with a particular company or organization.

Alternatively, you can create your own self-signed certiﬁcate. Note, however, that self-signed

certiﬁcates should not be used in most production environments. Self-signed certiﬁcates will

not be automatically accepted by a user’s browser — the user will be asked by the browser

if they want to accept the certiﬁcate and create the secure connection. See Section 14.5 for

more information on the differences between self-signed and CA-signed certiﬁcates.

Once you have a self-signed certiﬁcate or a signed certiﬁcate from the CA of your choice,

you will need to install it on your secure Web server.

14.4. Using Pre-Existing Keys and Certiﬁcates

If you already have an existing key and certiﬁcate (for example, if you are installing the se-

cure Web server to replace another company’s secure Web server product), you will probably

be able to use your existing key and certiﬁcate with the secure Web server. In the following

two situations, you will not be able to use your existing key and certiﬁcate:

• If you are changing your IP address or domain name — You can not use your old key and

certiﬁcate if you are changing your IP address or domain name. Certiﬁcates are issued for

a particular IP address and domain name pair. You will need to get a new certiﬁcate if you

are changing your IP address or domain name.

• If you have a certiﬁcate from VeriSign and you are changing your server software — VeriSign is a

widely used CA. If you already have a VeriSign certiﬁcate for another purpose, you may

have been considering using your existing VeriSign certiﬁcate with your new secure Web

server. However, you will not be allowed to, because VeriSign issues certiﬁcates for one

particular server software and IP address/domain name combination.

If you change either of those parameters (for example, if you previously used another

secure Web server product and now you want to use the secure Web server), the VeriSign

certiﬁcate you obtained to use with the previous conﬁguration will not work with the new

conﬁguration. You will need to obtain a new certiﬁcate.

If you have an existing key and certiﬁcate that you can use, you will not have to generate a

new key and obtain a new certiﬁcate. However, you may need to move and rename the ﬁles

which contain your key and certiﬁcate.

Move your existing key ﬁle to:

/etc/httpd/conf/ssl.key/server.key

Move your existing certiﬁcate ﬁle to:

/etc/httpd/conf/ssl.crt/server.crt

After you have moved your key and certiﬁcate, skip to Section 14.9.

If you are upgrading from the Red Hat Secure Web Server versions 1.0 and 2.0, your old key

(httpsd.key) and certiﬁcate (httpsd.crt) will be located in /etc/httpd/conf/. You will

need to move and rename your key and certiﬁcate, so that the secure Web server can use

them. Use the following two commands to move and rename your key and certiﬁcate ﬁles:

mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key