If you installed your secure server from the RPM package
provided by Red Hat, a random key and a test certificate are
generated and put into the appropriate directories. Before you
begin using your secure server, however, you must generate your own
key and obtain a certificate which correctly identifies your
server.
You need a key and a certificate to operate your secure server
— which means that you can either generate a self-signed
certificate or purchase a CA-signed certificate from a CA. What are
the differences between the two?
A CA-signed certificate provides two important capabilities for
your server:
- Browsers (usually) automatically recognize the certificate and
allow a secure connection to be made, without prompting the
user.
- When a CA issues a signed certificate, they are guaranteeing the
identity of the organization that is providing the webpages to the
browser.
If your secure server is being accessed by the public at large,
your secure server needs a certificate signed by a CA so that
people who visit your website know that the website is owned by the
organization that claims to own it. Before signing a certificate, a
CA verifies that the organization requesting the certificate is
actually who it claims to be.
Most Web browsers that support SSL have a list of CAs whose
certificates they automatically accept. If a browser encounters a
certificate whose authorizing CA is not in the list, the browser
asks the user to either accept or decline the connection.
You can generate a self-signed certificate for your secure
server, but be aware that a self-signed certificate does not
provide the same functionality as a CA-signed certificate. A
self-signed certificate is not automatically recognized by most Web
browsers and does not provide any guarantee concerning the identity
of the organization that is providing the website. A CA-signed
certificate provides both of these important capabilities for a
secure server. If your secure server is to be used in a production
environment, a CA-signed certificate is recommended.
The process of getting a certificate from a CA is fairly easy. A
quick overview is as follows:
- Create an encryption private and public key pair.
- Create a certificate request based on the public key. The
certificate request contains information about your server and the
company hosting it.
- Send the certificate request, along with documents proving your
identity, to a CA. Red Hat does not make recommendations on which
certificate authority to choose. Your decision may be based on your
past experiences, on the experiences of your friends or colleagues,
or purely on monetary factors.
Once you have decided upon a CA, you need to follow the
instructions they provide on how to obtain a certificate from
them.
- When the CA is satisfied that you are indeed who you claim to
be, they provide you with a digital certificate.
- Install this certificate on your secure server and begin
handling secure transactions.
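The key, certificate request and certificate steps above, scripted with openssl as an added example (this is not the manual's own code; the file paths, the sample identity in SUBJ and the 2048-bit key size are assumptions). The self_sign function stands in for the CA so the whole flow can be tried locally, and check_match performs the check you want before installing any certificate: that the key, the request and the certificate all carry the same public key.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual. Paths, subject fields and
# key size are assumptions for illustration; adapt them to your server.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Constructed sample identity; CN must be the hostname clients connect to.
SUBJ="/C=US/ST=State/L=City/O=Example Org/CN=www.example.com"

# Step 1: create the private key (the public key is derived from it).
# The key is written unencrypted; keep its permissions tight.
gen_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# Step 2: create the certificate signing request that is sent to the CA.
# -subj supplies the identity fields so no interactive prompts appear.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "$SUBJ" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# Test-only alternative to a CA: sign the request with your own key.
# Browsers will not recognize the result automatically, as explained above.
self_sign() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Pre-install check: key, request and certificate must share one public key.
# Prints "match" and returns 0 only when all three agree.
check_match() {
    k=$(openssl rsa -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl md5)
    r=$(openssl req -in "$WORKDIR/server.csr" -pubkey -noout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout 2>/dev/null | openssl md5)
    [ "$k" = "$r" ] && [ "$k" = "$c" ] && echo match
}

# Show which organization and hostname the certificate claims to identify.
cert_subject() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject
}
```

Run gen_key, gen_csr and then either send server.csr to your chosen CA or call self_sign for a test certificate; in both cases run check_match before copying the files into the server's key and certificate directories.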
Whether you are getting a certificate from a CA or generating
your own self-signed certificate, the first step is to generate a
key. Refer to Section 26.6 Generating a Key for instructions.