Obtaining or Creating a Certificate

SSL uses two keys on each side of the connection: a public key and a private key.

Each of these keys can be used to encrypt data such that its paired key can decrypt it. Each side gives its public key to the other side, which uses its partner's public key to encrypt data. Each side then uses its private key to decrypt data. Because only a public key's matching private key can decrypt the data, the sender can be certain that only the intended recipient can decrypt the data.

The use of keys does not, by itself, ensure that the data's sender is the person or computer claimed. Hypothetically, a miscreant could fake transmissions from the sender using the recipient's public key. SSL uses certificates as a way of verifying the other side's identity. Certificates are digital codes used to create keys. The sender's identity is verified by using certificates that are issued and "signed" by one of a handful of certificate authorities (CAsJ. Every modern web browser has a list of CA signatures, and so can verify that a website's keys have been signed by an appropriate CA and that the website is, therefore, what it claims to be. This system isn't absolutely perfect, but it's reasonably reliable.

Note Secure web servers normally need certificates, but web browsers don't normally use them. A prototypical secure web server processes financial transactions, and for these, customers are concerned about the identity of the merchant to prevent exploitation. Positively identifying customers is less critical in this application, because a web merchant normally obtains a credit card number, physical address, and other identifying information. To be sure, fraudulent credit card use is a problem; however, without additional (and potentially intrusive) infrastructure linking various databases, personal certificates probably would not eliminate such abuses.

In order to deliver secure content, you need a certificate. For many purposes, the best way to do this is to buy one from a CA. A list of about two dozen CAs is available at http://www.apache-ssl.Org/#Digital Certificates. Before obtaining a certificate from a CA, you should research the companies' policies and determine how widely recognized their certificate signatures are. There's no point in buying a cut-rate certificate if your users' browsers generate alerts such as the one shown in Figure 23.2. You could create your own certificate that would create the same result.

Creating your own certificate makes sense if you don't care about authenticating the identity of the server or if this authentication is only required on a few systems. For instance, if you want to encrypt certain web server accesses on a small local network, or even between offices that are geographically separated, you don't need to go to a

CA. You can tell your web browsers to accept your own locally generated certificate. Of course, telling your users to accept your personal certificate but not to accept suspicious certificates from other sites may be confusing.

Some Apache SSL extension packages automatically run a script that creates a new certificate when you install the package. If yours doesn't, check the package files for a script or instructions on doing the job. Unfortunately, precisely how you do this varies from one package to another, and given the number of distributions and number of packages, I can't describe all the possibilities. As an example, though, Mandrake 9.1's apache2-mod_ssl ships with a script that does the job, and you can launch it as follows:

# /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh

This script will ask a series of questions, such as your geographical location, company name, and e-mail address. This information may be presented to the user when the browser complains about the unknown certificate, as shown in Figure 23.2. For a small site with local users, your exact answers to these questions are largely unimportant.

Whether you obtain your certificate from a CA or generate it locally, you must make it available to Apache. Typically, this is done by copying the certificate to a special certificate directory somewhere in /etc, such as /etc/ssl/apache. If you use a script to generate a certificate, the script may do this automatically, or it may place the certificate in another directory, such as the main Apache configuration directory. The certificate consists of two files: a certificate file (which often has a .crt extension) and a key (which often has a .key extension).

Warning Be sure you protect the certificate and key from prying eyes. The default configuration when utilities create these files uses root ownership and 0600 permissions to accomplish this task. If you copy the files, be sure these features are preserved. A miscreant who copies these files can impersonate your (formerly) secure web server!

0 0

Post a comment