Red Hat Linux 7.0: The Official Red Hat Linux Reference Guide
Chapter 11. Obtaining a Certificate for your Secure Server
First, you'll need to remove the key and certificate that were generated during the installation. Change to the /etc/httpd/conf directory (cd /etc/httpd/conf).
Use the following commands to remove the two files:

rm ssl.key/server.key

and

rm ssl.crt/server.crt
The first step towards creating a certificate is to create your own random key. Type in the following command, which will generate your key:

make genkey

Your system will display a message similar to the following:

umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
You now need to type in a password. For best security, your password should be at least eight characters, should include numbers or punctuation, and should not be a word in a dictionary. Also, remember that your password is case sensitive.
Please Note: You will need to remember and enter this password every time you start your Red Hat Linux Secure Web Server, so don't forget it.
You will be asked to re-type the password, to verify that it's correct. Once you've typed it in correctly, a file called server.key, containing your key, will be created.
Note that if you don't want to type in a password every time you start your Red Hat Linux Secure Web Server, you will need to use the following two commands instead of make genkey to create the key. Both of these commands should be typed in entirely on one line.
Use the following command:

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

to create your key. Then use this command:

chmod go-rwx /etc/httpd/conf/ssl.key/server.key

to make sure that the permissions are set correctly on your key.
After you use the above commands to create your key, you will not need to use a password to start your Red Hat Linux Secure Web Server.
Caution: Disabling the password feature for your secure Web server is a security risk. We DO NOT recommend that you disable the password feature for your Red Hat Linux Secure Web Server.
The problems associated with not using a password are directly related to the security maintained on the host machine. For example, if an unscrupulous individual compromises the regular UNIX security on the host machine, that person could obtain your private key (the contents of your server.key file). Anyone holding that key could impersonate your server, "spoofing" Web pages that appear to be coming from your site.
If UNIX security practices are scrupulously being followed for the host computer (i.e., all operating system patches and updates are installed as soon as they're available, no unnecessary or risky services are operating, and so on), the Red Hat Linux Secure Web Server's password may seem unnecessary. However, since your Red Hat Linux Secure Web Server shouldn't need to be rebooted very often, the extra security provided by entering a password is a worthwhile effort in most cases.
The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate will no longer work and the CA will not be able to help you. Your only option would be to request (and pay for) a new certificate.
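The following shell script is an added example, not part of the Red Hat guide: it audits a server.key file against the three properties this section calls for (owned by root, no group/other access, and protected by a pass phrase). The function names, the constructed sample files and the placeholder key contents are all assumptions made for the example; the pass-phrase check relies on the fact that openssl genrsa -des3 (what make genkey runs) writes a PEM file carrying an ENCRYPTED header, while plain openssl genrsa writes the key in the clear.

```shell
# Added example (not from the Red Hat guide): audit a server.key the way the
# text describes. Each check is its own function returning 0 (pass) or 1 (fail)
# so it can be scripted; check_server_key runs all three and reports.

# Group/other permission bits must all be clear, e.g. -rw------- (chmod go-rwx).
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# The key file must belong to root.
key_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# 'openssl genrsa -des3' writes "Proc-Type: 4,ENCRYPTED" into the PEM header
# (newer PKCS#8 keys use "BEGIN ENCRYPTED PRIVATE KEY"); an unencrypted key
# has neither marker.
key_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

check_server_key() {
    key="$1"
    rc=0
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 1
    fi
    if key_perms_ok "$key"; then echo "OK: no group/other access"; else
        echo "WARN: group/other can access $key; run: chmod go-rwx $key"; rc=1; fi
    if key_owner_ok "$key"; then echo "OK: owned by root"; else
        echo "WARN: $key is not owned by root"; rc=1; fi
    if key_encrypted "$key"; then echo "OK: key is passphrase-protected"; else
        echo "WARN: $key is stored without a pass phrase"; rc=1; fi
    return $rc
}

# Constructed sample files (placeholder text, not real key material) so the
# checks can be exercised offline; prints the directory they were written to.
make_sample_keys() {
    dir=$(mktemp -d)
    # Written under umask 77, exactly as make genkey does, so mode is 600.
    ( umask 77
      printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
          'Proc-Type: 4,ENCRYPTED' \
          'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' \
          '' \
          'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
          '-----END RSA PRIVATE KEY-----' > "$dir/encrypted.key" )
    # Unencrypted and deliberately world-readable: the bad case.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.key"
    chmod 644 "$dir/plain.key"
    echo "$dir"
}

# Demo: audit both constructed keys. On a real server, run
#   check_server_key /etc/httpd/conf/ssl.key/server.key
SAMPLES=$(make_sample_keys)
for k in "$SAMPLES/encrypted.key" "$SAMPLES/plain.key"; do
    echo "== $k"
    check_server_key "$k" || true
done
rm -rf "$SAMPLES"
```

The owner check will naturally fail when the script is run as an ordinary user against a copy of the key, so the demo reports each check separately rather than stopping at the first failure; the plain.key sample shows the two warnings you would see after creating a key with the no-password commands above without the chmod step.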
If you're going to purchase a certificate from a CA, continue to the section called Generating a Certificate Request to Send to a CA. If you're generating your own self-signed certificate, continue to the section called Creating a Self-Signed Certificate.