httpd-users mailing list archives

From: Ken Bell <kb...@houston.sl.slb.com>
Subject: [users@httpd] About Certificates...
Date: Thu, 23 Oct 2003 19:40:08 GMT

Hi Mike

Someone may have already told you what you need to know, but here's a little
more info.

If your version of software is Apache 1.3.xxx, drop back into your source
folder and 'make certificate'. I cannot swear this is true of Apache 2.0.

More than you probably want to know:

Use of certificates is all about 'trusting' who the information is coming
from. You must use a certificate (AFAIK) when setting up a server for https
use. Each user who visits your site will first be presented with a
certificate. If he trusts the certificate, nothing happens (as far as the
cert is concerned) and he gets into your site. If he does not trust your
certificate, then he gets a pop-up that lets him know something is amiss.
From here he can choose to not proceed, to proceed this time (and be prompted
next time), to trust the certificate from now on (and not get a pop-up), and
in some instances, to trust all certificates that are signed by the CA that
signed this certificate.

Three things are checked (and may cause the pop-up):
 1) Do you trust the signer of this certificate
    or this particular certificate?
 2) Is the date for this cert valid?
 3) Does the name that your browser used to navigate
    to this system match the name on the cert?

The user can choose to trust the cert (or all certs from this CA) at pop-up
time, but if either of the other two are afoul, he will always get the
pop-up.

If you use this webserver in any official capacity, then you need a
certificate that matches the DNS name used to browse to the server and you
need to either have a cert that is already trusted (signed by one of the big
boys and therefore built in to the standard distribution of your browser),
or you have to get your users to trust your certificate or all certs signed
by your in-house CA.

If you intend to use it with the public, especially if you want to exchange
personal information, then you will need a certificate signed by an official
cert signer. This costs money. You can visit Verisign or Entrust (or your
choice) for info on how to create a CSR (certificate signing request).

If your operations are small and you don't want to pay for a cert, then you
can create your own CA and generate your own certs. O'Reilly's "Network
Security with OpenSSL" tells you the complete steps to do this with tools
that are in OpenSSL (which you likely already have). There are a few
commands you need to learn. The drawback to this is that you will need to
have all of your users 'Trust' your CA.

Rgds,

Ken Bell

To: Apache Users <users@httpd.apache.org>
From: Michael Scott <mscott@pyewacket.org>
Subject: Generating a new server certificate
Message-ID: <1066872315.3f972dfba0edb@mail.pyewacket.org>

I have Apache 2.0 installed on a RH9 box.
When I installed it, the system generated a certificate under the name of
localhost@localdomain.  I now have a fqdn for the server and would like to
create a new certificate.

The O'Reilly book describes this, but this doesn't look like what I've got.

I found a Makefile in /etc/httpd/conf, but none of the commands I've tried have
been successful.

Would someone give me a "nudge" in the right direction?
TIA
----------------------
- Mike Scott
- mscott@pyewacket.org

------------------------------


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
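
The in-house CA route and the three checks described in the message above, as an added example that is not part of the original thread. It assumes the OpenSSL 1.1.1 or later command-line tool is on the PATH; the FQDN `www.example.test`, the CA name and the 30-day lifetimes are constructed placeholders.

```bash
#!/bin/sh
# Added example: in-house CA, a server cert for the new FQDN, then the three checks.
# FQDN is a constructed placeholder; everything is written to a scratch directory.
set -eu
FQDN="www.example.test"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {      # self-signed CA cert: the file users would import as trusted
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example In-House CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = DNS name: new key and CSR, then the CA signs the CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

check_trust() {  # 1) does the cert chain to the CA file in $1?
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

check_dates() {  # 2) has the cert expired? (-checkend tests notAfter only)
  openssl x509 -in "$WORK/server.crt" -noout -checkend 0 >/dev/null
}

check_name() {   # 3) does the name in $1 match the cert?
  openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" | grep -q "does match"
}

make_ca
issue_cert "$FQDN"
check_trust "$WORK/ca.crt" && echo "1) signer trusted (once users import ca.crt)"
check_dates && echo "2) certificate has not expired"
check_name "$FQDN" && echo "3) name matches $FQDN"
check_name "localhost.localdomain" || echo "   localhost.localdomain does not match"
```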

