Securing your apache server:

[Stephen Dawes]

Here is an article that some of you may be interested.


The Thawte Guide to

Securing Your Apache Web Server with a Thawte Digital Certificate

Contents

Overview

Research

System requirements

Generate your private key

Generate your Certificate Signing Request

Using a test certificate
Request a "trusted" certificate

Download your certificate

Install your certificate

Securing virtual hosts

Useful URLs

What role does Thawte play?

Conclusion

Contact Thawte

1. Overview

In this document you'll find out how to purchase, install and use a Thawte
SSL digital certificate on your Apache web server. We will also touch on the
role of Thawte as a trusted third party.

2. Research

The latest Web Server Survey released by
E-Soft
reveals that the most popular web server in use today is the Apache Server.
Apache serves over 58% of the market. Trailing the Apache server are the
Microsoft,
Netscape, WebSite, 4D WebSTAR Server Suite, and Zeus web servers. For more
detailed information on this survey please see:
http://www.securityspace.com/s_survey/data/index.html

Thawte SSL certificates and SuperCerts are compatible with all of the above
servers.

3. System requirements

Before you can install an SSL certificate on your Apache web server you must
have installed the required SSL components. You will need to install
OpenSSL,
as well as either ModSSL or Apache-SSL. OpenSSL and its libraries provide
the SSL back-end, while ModSSL or Apache-SSL provide the interface between
Apache
and OpenSSL. ModSSL and Apache-SSL are fairly similar. Thawte makes no
recommendation between the two, and it's up to you which one you choose.

Apache users should find the following web sites useful:
Apache is available at
www.apache.org
ModSSL is available at
www.modssl.org
Apache-SSL is available at
www.apache-ssl.org
OpenSSL is available at
www.openssl.org

4. Generate your Private Key

Use the "openssl" binary to generate your private key. This key will be kept
on your web server so you may want to encrypt it. If you encrypt it, you
should
be aware that you will have to type in the pass-phrase for that key every
time you restart your secure server. The private key can be generated with
or
without cryptographic protection as follows:

With encryption: "openssl genrsa -des3  -rand /dev/urandom -out
www.domain.com.key 1024"

Without encryption: "openssl genrsa -rand /dev/urandom -out
www.domain.com.key 1024"

If you get stuck or need  further options, please go to: "openssl
genrsa-help"

5. Generate your Certificate Signing Request

You'll need to send Thawte a CSR (Certificate Signing Request) before your
certificate can be issued. To generate the CSR, use "openssl" and your
private
key as follows:

"openssl req-new-key www.domain.com.key-out
www.domain.com.csr".

This step creates a CSR that has the same "modulus" as the private key.

6. Using a test certificate

To familiarize yourself with the workings of a Thawte certificate on an
Apache Server, you can set up a test certificate on your server using a
self-signed
certificate or a Thawte test certificate:

6.1. Self-signed test certificate
If you use a self-signed test certificate, your CSR will be signed by your
own private key as follows: "openssl req -x509 -key www.domain.com.key -in
www.domain.com.csr-out
www.xxx.com.crt"

6.2. Thawte test certificate
You can get a Thawte test certificate  online from Thawte at:
https://www.thawte.com/cgi/server/test.exe.
Test certificates are intended for you to test your server configuration
before you buy a "trusted" certificate from a CA (Certificate Authority).

Paste in your CSR (Certificate Signing Request) into the test certificate
request.Within minutes, you should receive an "un-trusted" test certificate
via
mail. Save the test certificate to a file called "www.domain.com.crt". You
can get your browser to "trust" that test certificate by clicking on
http://www.thawte.com/servertest.crt
and installing the Test Certificate CA root.

Before you can use the test certificate you will have to configure your
Apache web server properly. To do this, edit the "httpd.conf" file so that
the web
server points to the private key and test certificate. To do this, you will
use the "SSLCertificateKeyFile" and "SSLCertificateFile" directives. Enable
SSL and make sure that the server is listening on port 443 with the "Listen
443" directive. Once you have done this, you can restart your server and
connect
to it on
https://www.domain.com/

7. Request a "trusted" certificate

Thawte SSL certificates and SuperCerts are requested online from Thawte.
During the certificate request process, you will be asked to copy and paste
your
CSR (Certificate Signing Request) into a text area on the online enrollment
form. Please ensure that you are submitting the correct CSR, if you have
generated
more than one (you can check your CSR as follows: "openssl req-text-noout-in
csrfilename.csr".

You will have to provide all the requested information during the enrollment
process, and send us documentation proving your, or your company's, identity
(a company registration certificate for instance). You can view detailed
instructions for obtaining a Thawte SSL certificate at:
https://www.thawte.com/certs/server/request.html

The enrollment process for SuperCerts is the same as for SSL certificates.
During the process you will just need to check the box that indicates that
you
would like a SuperCert. You will also have to generate a 1024-bit key, and
make sure your Apache Server is 128-bit enabled.

Once you have completed the online request process, Thawte will take a
number of steps to verify your identity and the other details you provided
in the
CSR. Thawte performs a considerable amount of background checking before it
issues the certificate. As a result, it could take a few days to verify your
company identity and details, and issue the certificate. During that period,
you can track the progress of your request on your personal status page at
http://www.thawte.com/cgi/server/status.exe

SuperCerts are SSL certificates that allow "international" browsers to
"step-up" to 128-bit encryption. Internet Explorer 5.01, Netscape
Communicator 4.7
and later browsers recognize Thawte's SuperCerts. 128-bit encryption is
regarded as being impossible to "crack". For more information on SuperCerts
please
see

http://www.thawte.com/certs/server/128bit/contents.html

8. Download your certificate
Once the certificate has been issued, you will be able to download it from
your status page by clicking on the "Fetch Certificate" button (which only
appears
once the certificate has been issued).

9. Install your certificate
Once the certificate has been issued, you can install it by simply copying
it and pasting it into a file on your server. The certificate is stored in
Thawte's
database indefinitely, and can be downloaded again at any stage. For
consistency, you should probably save it to a file called "
www.domain.com.crt".

If you generated a self-signed certificate or requested a test certificate
earlier in the process and you configured your web server to use that
test/self-signed
certificate, then you do not need to make any changes to your configuration
file. You can simply copy the real ("trusted") certificate file over the
test/self-signed
certificate.

If you did not configure your server to look for the self-signed test
certificate, then you'll need to update your "httpd.conf" file to look for
the new
certificate. Open the "httpd.conf" configuration file and make sure that you
have the "SSLCertificateFile" and "SSLCertificateKeyFile" directives
associated
with the correct file paths. For example, if you have your certificate in
the "/usr/local/ssl/certs/" directory and your private key in the
"/usr/local/ssl/private/"
directory, then you will have the following in your httpd.conf file:

SSLCertificateFile /usr/local/ssl/certs/www.domain.com.crt

SSLCertificateKeyFile /usr/local/ssl/private/www.domain.com.key

You will also need to make sure your Apache Server is listening on port 443
and "switch on" SSL with the "SSLEngine on" or SSLEnable directives in
ModSSL
or Apache-SSL respectively.

10. Securing virtual hosts

If you have secure virtual hosts, each will need its own IP, as SSL does not
support name-based virtual hosts.

11. Useful URLs

Common problems experienced with Apache are dealt with in our FAQs:
http://www.thawte.com/support/server/apachessl.html

You'll find a key generation guide for Apache at:
http://www.thawte.com/certs/server/keygen/apachessl.html

The certificate enrollment process for SSL and SuperCerts begins at:
https://www.thawte.com/certs/server/request.html

How to generate a test certificate:
https://www.thawte.com/cgi/server/test.exe

Installing the test certificate CA root into your browser:
http://www.thawte.com/servertest.crt

12. What role does Thawte play?

Thawte Consulting issues server certificates to organizations and
individuals worldwide. Thawte verifies that the company ordering the
certificate is a
registered organization and that the person in the company who orders the
certificate is authorized to do so.

Thawte also checks that the company in question owns the relevant domain.
Thawte digital certificates interoperate smoothly with Apache and the latest
software
from Microsoft and Netscape, so you can rest assured that your purchase of a
Thawte Server Certificate will give your customers confidence in your system
and integrity; they will feel secure about transacting with you online.

13. Conclusion
Apache web servers, together with Apache-SSLor ModSSL provide an excellent
platform on which to base an e-commerce website, and Thawte certificates
provide
the necessary security.

14. Contact
 Thawte

server/contents
guides/try
guides/pdf

© Thawte Consulting 2001,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 6076 bytes
Desc: not available
URL: <http://linux-speakup.org/pipermail/speakup/attachments/20010509/2c5a8767/attachment.bin>