Installation guide

Chapter 14. Apache Secure Server Configuration
mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt
Then start your secure Web server with the command:
/sbin/service httpd start
For a secure server, you will be prompted to enter your password. After you type it in and
press [Enter], the server will start.
If you are upgrading from a previous version of the secure Web server, you
should not need to get a new certificate.
14.5. Types of Certificates
If you installed your secure Web server using the Red Hat Linux installation program, a
random key and a test certificate are generated and put into the appropriate directories.
Before you begin using your secure server, however, you will need to generate your own
key and obtain a certificate which correctly identifies your server.
You need a key and a certificate to operate your secure Web server — which means that you
can either generate a self-signed certificate or purchase a CA-signed certificate from a CA.
What are the differences between the two?
A CA-signed certificate provides two important capabilities for your server:
- Browsers will (usually) automatically recognize the certificate and allow a secure
  connection to be made, without prompting the user.
- When a CA issues a signed certificate, they are guaranteeing the identity of the
  organization that is providing the Web pages to the browser.
If your secure server is being accessed by the public at large, it needs a certificate
signed by a CA, so that people who visit your website can trust that the website is
owned by the organization that claims to own it. Before signing a certificate, a CA
verifies that the organization requesting the certificate is actually who it claims to be.
Most Web browsers that support SSL have a list of CAs whose certificates they will
automatically accept. If a browser encounters a certificate whose authorizing CA is not
in the list, the browser will ask the user to choose whether to accept or decline the
connection.
You can generate a self-signed certificate for your secure Web server, but be aware that a self-
signed certificate will not provide the same functionality as a CA-signed certificate. A self-
signed certificate will not be automatically recognized by users’ browsers, and a self-signed
certificate does not provide any guarantee concerning the identity of the organization that is
providing the website. A CA-signed certificate provides both of these important capabilities
for a secure server. If your secure server will be used in a production environment, you will
probably need a CA-signed certificate.
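The difference between the two kinds of certificate can be checked with openssl. The script below is an added example, not part of the original guide: it builds a key, a certificate request, a self-signed certificate and a certificate signed by a throwaway test CA, then reports which is which and whether each matches the server key. The function names, the subject names and the test CA are all constructed for illustration.

```shell
#!/bin/sh
# Added example; all names, subjects and the test CA are constructed.
# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key.
same_key() {
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if issuer equals subject AND the signature verifies
# with the certificate acting as its own trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] &&
        openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

w=$(mktemp -d) && trap 'rm -rf "$w"' EXIT
id='/O=Example Org/CN=www.example.com'   # constructed server identity

# Key pair, then the certificate request built from it.
openssl genrsa -out "$w/server.key" 2048 2>/dev/null
openssl req -new -key "$w/server.key" -subj "$id" -out "$w/server.csr"

# Self-signed: the server's own key signs the certificate.
openssl req -x509 -new -key "$w/server.key" -subj "$id" -days 1 -out "$w/self.crt"

# CA-signed: a throwaway test CA stands in for a real certificate authority.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$w/ca.key" \
    -subj '/CN=Constructed Test CA' -days 1 -out "$w/ca.crt" 2>/dev/null
openssl x509 -req -in "$w/server.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
    -CAcreateserial -days 1 -out "$w/signed.crt" 2>/dev/null

for c in self.crt signed.crt; do
    is_self_signed "$w/$c" && kind=self-signed || kind=CA-issued
    same_key key "$w/server.key" cert "$w/$c" && m=yes || m=no
    echo "$c: $kind; public key matches server.key: $m"
done
```

Running is_self_signed against /etc/httpd/conf/ssl.crt/server.crt shows whether the installed certificate was issued by a CA or signed with its own key.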
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
1. Create an encryption private and public key pair.
2. Create a certificate request based on the public key. The certificate request contains
information about your server and the company hosting it.
3. Send the certificate request, along with documents proving your identity, to a CA. We
cannot tell you which certificate authority to choose. Your decision may be based on
your past experiences, or on the experiences of your friends or colleagues, or purely on
monetary factors.