Because of the fluid nature of the certificate business, some of these companies may not be in business when you read this, while others may have come into existence. To get a more current list of certificate authorities, from your Firefox browser select Edit > Preferences. From the Preferences window that appears, select Advanced > Encryption, then select the View Certificates button. From the Certificate Manager window that appears, refer to the Authorities tab to see Certificate Authorities from which you have received certificates.
Each of these certificate authorities has gotten a chunk of cryptographic code embedded into nearly every Web browser in the world. This chunk of cryptographic code allows a Web browser to determine whether or not an SSL certificate is authentic. Without this validation, it would be easy for crackers to generate their own certificates and dupe people into thinking they are giving sensitive information to a reputable source.
Certificates that are not validated are called self-signed certificates. If you come across a site that has not had its identity authenticated by a trusted third party, your Web browser will display a message similar to the one shown in Figure 12-5.
Figure 12-5: A pop-up window alerts you when a site is not authenticated.
This does not necessarily mean that you are encountering anything illegal, immoral, or fattening. Many sites opt to go with self-signed certificates, not because they are trying to pull a fast one on you, but because there may not be any reason to validate the true owner of the certificate, and they do not want to pay the cost of getting a certificate validated. Some reasons for using a self-signed certificate include:
■ The Web site accepts no input. In this case, you, as the end user, have nothing to worry about. There is no one trying to steal your information, because you aren't giving out any information. Most of the time this is done simply to secure the Web transmission from the server to you. The data in and of itself may not be sensitive, but, being a good netizen, the site has enabled you to secure the transmission to keep third parties from sniffing the traffic.
■ The Web site caters to a small clientele. If you run a Web site that has a very limited set of customers, such as an Application Service Provider, you can simply inform your users that you have no certificate signer. They can browse the certificate information and validate it with you over the phone or in person.
■ Testing. It makes no sense to pay for an SSL certificate if you are testing only a new Web site or Web-based application. Use a self-signed certificate until you are ready to go live.
To create a third-party validated SSL certificate from a Fedora Linux system, you must first start with a Certificate Service Request (CSR). To create a CSR, do the following on your Web server:
# cd /etc/httpd/conf
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
You will now be asked to enter a password to secure your private key. This password should be at least eight characters long, and should not be a dictionary word or contain numbers or punctuation. The characters you type will not appear on the screen, to prevent someone from shoulder surfing your password.
Enter pass phrase:
Enter the password again to verify.
Verifying - Enter pass phrase:
At this point, it is time to start adding some identifying information to the certificate that the third-party source will later validate. Before you can do this, you must unlock the private key you just created. Do so by typing the password you typed for your pass phrase. Then enter information as you are prompted. An example of a session for adding information for your certificate is shown here:
Enter pass phrase for /etc/httpd/conf/ssl.key/server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Connecticut
Locality Name (eg, city) [Newbury]:Mystic
Organization Name (eg, company) [My Company Ltd]:Acme Marina, Inc.
Organizational Unit Name (eg, section) []:InfoTech
To complete the process, you will be asked if you want to add any extra attributes to your certificate. Unless you have a reason to provide more information, you should simply press Enter at each of the following prompts to leave them blank.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
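As an added example (not the book's own commands), here is the key-and-CSR procedure above run non-interactively with the DN values from the sample session, followed by the "Testing" case of a self-signed certificate cut from the same key and what happens when that certificate is checked against the trusted CA bundle, which is why a browser warns on it. It assumes openssl is on the PATH, writes to a temporary directory rather than /etc/httpd/conf/ssl.key, uses a 2048-bit key instead of the book's 1024, and uses a placeholder host name www.example.com and a constructed pass phrase.

```shell
#!/bin/sh
# Added example, not the book's own code: non-interactive key + CSR,
# then a self-signed certificate from the same key. Assumes openssl on
# PATH; uses a temp dir instead of /etc/httpd/conf/ssl.key (no root).
set -eu
WORK="${CSR_DEMO_DIR:-$(mktemp -d)}"
KEY="$WORK/server.key"; CSR="$WORK/server.csr"; CRT="$WORK/server.crt"
# Pass phrase the book has you type at the "Enter pass phrase:" prompt.
PASS="${CSR_DEMO_PASS:-constructed-demo-passphrase}"
# Distinguished Name from the sample session; CN is a placeholder host.
SUBJ="/C=US/ST=Connecticut/L=Mystic/O=Acme Marina, Inc./OU=InfoTech/CN=www.example.com"

# Step 1: encrypted (des3) RSA key. The book uses 1024 bits; public CAs
# now reject anything under 2048, so 2048 is used here.
gen_key() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}
# Step 2: the CSR. -subj answers the DN prompts shown in the session.
gen_csr() {
    openssl req -new -key "$KEY" -passin "pass:$PASS" -subj "$SUBJ" \
        -out "$CSR" 2>/dev/null
}
# Check before pasting the CSR into a signer's form: its self-signature
# must verify (OpenSSL 1.x and 3.x word the message differently).
verify_csr() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}
# Confirm the subject is what you intend to have validated.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}
# The "Testing" case: sign the request with its own key instead of a CA.
gen_self_signed() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "pass:$PASS" \
        -days 30 -out "$CRT" 2>/dev/null
}
# Why a browser warns: checked against only the trusted CA bundle,
# verification fails because no trusted authority signed this cert.
self_signed_rejected() {
    ! openssl verify "$CRT" >/dev/null 2>&1
}
# Using the key with the wrong pass phrase must fail (key is encrypted).
key_is_encrypted() {
    ! openssl rsa -in "$KEY" -passin "pass:wrong-$PASS" -noout >/dev/null 2>&1
}

gen_key && gen_csr && verify_csr && gen_self_signed && csr_subject
```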
Once your CSR has been created, you need to send it to a signing authority for validation. The first step in this process is to select a signing authority. Each signing authority has different deals, prices, and products. Check out each of the signing authorities listed in the "Using Third-Party Certificate Signers" section earlier in this chapter to determine which works best for you. The following are areas where signing authorities differ:
■ Credibility and stability
■ Browser recognition
■ Certificate strength
After you have selected your certificate signer, you have to go through some validation steps. Each signer has a different method of validating identity and certificate information. Some require that you fax articles of incorporation, while others require a company officer be made available to talk to a validation operator. At some point in the process, you will be asked to copy and paste the contents of the CSR you created into the signer's Web form.