Installation guide
Chapter 14. Apache Secure Server Configuration 143
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
to create your key. Then use this command:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
to make sure that the permissions are set correctly on your key.
After you use the above commands to create your key, you will not need to use a password
to start your secure Web server.
Caution
Disabling the password feature for your secure Web server is a security risk. We DO NOT recommend
that you disable the password feature for your secure Web server.
The problems associated with not using a password are directly related to the security
maintained on the host machine. For example, if an unscrupulous individual compromises the
regular UNIX security on the host machine, that person could obtain your private key (the
contents of your server.key file). The key could be used to serve Web pages that will appear
to be from your Web server.
If UNIX security practices are rigorously maintained on the host computer (all operating
system patches and updates are installed as soon as they are available, no unnecessary or
risky services are operating, and so on), the secure Web server’s password may seem
unnecessary. However, since your secure Web server should not need to be re-booted very often,
the extra security provided by entering a password is a worthwhile effort in most cases.
The server.key file should be owned by the root user on your system and should not be
accessible to any other user. Make a backup copy of this file and keep the backup copy in a
safe, secure place. You need the backup copy because if you ever lose the server.key file
after using it to create your certificate request, your certificate will no longer work and the
CA will not be able to help you. Your only option would be to request (and pay for) a new
certificate.
If you are going to purchase a certificate from a CA, continue to Section 14.7. If you are
generating your own self-signed certificate, continue to Section 14.8.
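The following script is an added example, not part of the guide: it carries out the key-creation steps above in a scratch directory and then checks the two things this section warns about, that server.key is not readable by group or other (the result of "chmod go-rwx") and that a certificate request was really made from the key you are backing up, so a lost or regenerated key is caught before the CA issues a certificate against it. The scratch paths, the constructed subject name and the 2048-bit key size (public CAs no longer accept the 1024-bit size shown above) are assumptions for the demo, not the guide's /etc/httpd/conf/ssl.* locations.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Paths below are a scratch
# directory rather than /etc/httpd/conf/ssl.key and ssl.csr.

# Return 0 if FILE has no group/other permission bits at all (what
# "chmod go-rwx" leaves behind), 1 otherwise. ls -l is used instead of
# stat so the check works on both GNU and BSD userlands.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    go=$(ls -ld "$f" | cut -c5-10)   # chars 5-10 are the group and other bits
    [ "$go" = "------" ]
}

# Apply the permission fix exactly as the guide does.
harden_key() {
    chmod go-rwx "$1"
}

# Create an unencrypted RSA key (no pass phrase, like the guide's genrsa
# command). umask 077 mirrors the "umask 77" in the Makefile target so the
# file is never world-readable even for an instant. 2048 bits is an
# assumption replacing the guide's 1024.
gen_key() {
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Build a certificate request non-interactively with -subj (the guide's
# "make certreq" prompts for these fields). The subject is constructed.
gen_csr() {
    key=$1; csr=$2
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example Org/CN=www.example.com" \
        2>/dev/null
}

# Return 0 when the public key inside CSR is the one derived from KEY.
# Run this before sending the request (and again against the backup copy):
# a certificate issued for a CSR made from some other key is useless with
# the key you kept, which is the failure the guide describes.
csr_matches_key() {
    key=$1; csr=$2
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_key "$work/server.key"
    harden_key "$work/server.key"
    key_perms_ok "$work/server.key" && echo "server.key permissions OK"
    gen_csr "$work/server.key" "$work/server.csr"
    csr_matches_key "$work/server.key" "$work/server.csr" && echo "CSR matches server.key"
    cp -p "$work/server.key" "$work/server.key.bak"   # -p keeps the 0600 mode on the backup
    csr_matches_key "$work/server.key.bak" "$work/server.csr" && echo "backup copy matches CSR"
    rm -rf "$work"
fi
```

Run it as the user who will own the key; in production the file should be owned by root, as the guide says, and the backup copy made with cp -p so it inherits the restrictive mode rather than the default umask of wherever it is stored.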
14.7. Generating a Certificate Request to Send to a CA
Once you have created a key, the next step is to generate a certificate request which you will
need to send to the CA of your choice. Type in the following command:
make certreq
Your system will display the following output and will ask you for your password (unless
you disabled the password option):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase: