If you’ve installed a secure Web server in Linux, you’re probably staring at your Web browser as it asks you to accept a certificate from this machine. You don’t remember generating a certificate, so you take a look at the details:
- The certificate belongs to localhost.localdomain.
- The contact e-mail address is email@example.com.
- The organization is SomeOrganization.
- The organization unit is SomeOrganizationUnit.
- The address is SomeCity, SomeState.
This information is neither useful nor good business practice. If you’re running secure Web servers under a corporate (or even small business) heading, you’ll certainly want your certificates to be both specific and secure.
Of course, standard business practice involves using a CA (Certificate Authority)-signed certificate. These certificates are obtained by:
- Creating an encryption key pair (private and public).
- Creating a certificate request based on your public key.
- Sending the certificate request, along with documentation proving your identity (and your company’s).
- Installing the certificate (sent to you by the CA once it has verified you are who you say you are) into the proper directory.
- Restarting your Apache Web server.
Different companies require different information in order to verify your identity. For example, VeriSign requires your Dun & Bradstreet number, and Thawte requires proof of organizational name and right to a domain name.
Of course, you can generate your own keys and certificates within Linux. You won’t have all the frills that VeriSign offers, but you’ll have a secure server certificate to offer to customers. So, in this Daily Feature, we’ll walk through the process of creating a key and a certificate. If you’re interested in getting the benefits of a commercial company (like VeriSign) to handle your certificate, you can still get the CA-approved certificate and simply replace the one you’ve generated.
The prices range from $349.00 to $1,495 per year for a 128-byte encrypted certificate.
Generating a key
For this Daily Feature, we’ll use Red Hat 7.0—it’s the only Linux platform officially supported by VeriSign.
Before you create a certificate (or even send off for one), you have to generate an encryption key. This process is very simple. As root, cd to the /etc/httpd/conf directory and remove the test key and certificate (generated at installation) by using the commands:
With these files removed, you can now generate your key. In the same directory, run the command:
which will eventually ask you to enter a passphrase. You’ll use this passphrase every time you restart your secure server, so it’s critical that you remember what you’ve typed (and type carefully).
Generating a certificate request
If you’ve decided to get your certificate from a CA, you’ll want to generate a certificate request. To do so, run the following command (as root and in the same directory you’ve been working in):
You’ll be asked to supply the passphrase you created along with your key. Once you enter your passphrase, you’ll be required to enter some specific information, including:
- Country name
- State or province
- Organization unit
- Common name (either your full name or your server’s name)
- E-mail address
- Company name (optional)
Be sure you provide correct information. Some of the above information is critical. For example, for the common name you’ll want to enter the valid DNS name of your server (no aliases).
Once you’ve generated the request, you must send it to the CA of your choice. You’ll eventually receive your signed certificate, which you should name server.crt and place in /etc/httpd/conf/ssl.crt/.
Generating a self-signed certificate
A much quicker and cheaper way of getting a certificate is to generate it yourself. To do this, follow the steps outlined in the section “Generating a key.” Once you’ve generated your key, you must run (as root and in the /etc/httpd/conf directory):
You’ll be asked to enter the passphrase you created when you generated your key. Once you enter the proper passphrase, you’ll be asked to enter the same information as listed in the previous section (“Generating a certificate request”).
This new certificate will be automatically generated and placed in /etc/httpd/conf/ssl.crt for you.
Now that you’ve either received your certificate or generated your own, you should restart the Apache Web server in order for it to take effect. To do so, run (as root) the command:
You’ll be prompted for your passphrase once again.
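The whole procedure above (key, certificate request, self-signed certificate, and a check that the common name really is the server’s DNS name) carried out directly with openssl, as an added example rather than the article’s own commands. It assumes openssl is installed; the working directory, server name, subject fields and passphrase are constructed for the example, and the files would then be copied into /etc/httpd/conf/ssl.crt as described above.

```shell
#!/bin/sh
# Added example: generate an encrypted RSA key, a CSR for a CA, and a
# self-signed certificate, then verify the certificate's CN.
# All names below are constructed for the example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="www.example.com"                 # the server's real DNS name, not an alias
PASSPHRASE="constructed-example-passphrase"   # Apache asks for this on every restart
SUBJECT="/C=US/ST=SomeState/L=SomeCity/O=Example Corp/OU=Web/CN=$SERVER_NAME/emailAddress=admin@example.com"

# Step 1: key pair. -aes256 encrypts the private key under the passphrase;
# -passout keeps the example non-interactive.
gen_key() {
    openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
        -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 2: certificate request carrying the subject fields the article lists.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -passin "pass:$PASSPHRASE" \
        -subj "$SUBJECT" -out "$WORKDIR/server.csr"
}

# Step 3: self-signed certificate (the cheaper alternative to a CA signature).
gen_selfsigned() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -passin "pass:$PASSPHRASE" \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Print the CN of a certificate so it can be compared with the DNS name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The private key must not be readable by other users once installed.
restrict_key_perms() {
    chmod 600 "$WORKDIR/server.key"
}

# Run every step and fail if the CN does not match the intended server name.
build_all() {
    gen_key && gen_csr && gen_selfsigned && restrict_key_perms
    [ "$(cert_cn "$WORKDIR/server.crt")" = "$SERVER_NAME" ]
}
```

Running build_all leaves server.key, server.csr and server.crt in the working directory; the CSR is what goes to the CA, the .crt is usable immediately.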
Testing your secure server
Now that you have your certificate in place, point your browser to https://servername (where servername is the name of the server), and you’ll be asked to accept or decline your new certificate. In the case of a VeriSign certificate, you won’t receive this message, since browsers ship with VeriSign’s CA certificate and accept certificates it has signed automatically.
In a world where e-commerce and secure Web transactions can make or break a company, it is smart to do things the right way. Whether you’re dealing with a certificate authority or generating your own, setting up a secure Web server in Linux is a simple and painless process.