Several special files are required by the server for it to operate in secure mode. During the course of the build, you probably made a server key file and a certificate using the (patched) makefile in the Apache source directory. However, you can make these files manually at a later time, and some of them require special processing by a trusted agency (a Certificate Authority) for your Web site to be used correctly by the general public.
The following files are used for server security:
A server key file: This file contains the public and private key that the server uses for encryption and decryption operations.
A certificate file: This file states that the key and the Web site are run by a certain organization. If the certificate is signed by a trusted agency, the user can trust that the Web site is indeed run by the indicated organization.
A certificate-signing request: This file contains information from the certificate, as well as information about the key. It is intended to be sent to a trusted agency (called a Certificate Authority) for signing.
All these are made when you run the command make certificate in the Apache source directory. Each of these files is described in greater detail in the sections that follow.
The Public/Private Key Pair
The public/private key pair is saved in the file server.key by default. This file contains the keys that are used to perform encryption by the server.
The private key of the public/private key pair needs to be protected at all times. For this reason, during the creation of the key, you are asked to enter a pass phrase to encrypt the key file. When the key file is encrypted, you are required to enter this pass phrase every time that the server starts for the server to access the file. Although this can be annoying, it is very dangerous to leave the private key unencrypted on the disk without a pass phrase.
Use the SSLCertificateKeyFile directive in the server configuration file httpd.conf to specify the key file that is to be used for secure operations.
The Server Certificate
The server certificate file contains information about the organization that runs the Web site. The server certificate file is transmitted to the client when a secure session is set up, and the client tries to use it to verify that the site is legitimate. This file is sometimes called an X.509 file because that is the name of the standard that defines the format used for this file.
For the certificate to be accepted by the client, it must be digitally signed by a Certificate Authority (CA). Each major browser that supports SSL has a list of trusted Certificate Authorities whose signatures it accepts. When a browser sees a certificate signed by a CA that it does not know, it usually shows the user the information about the CA and the certificate and then asks whether to proceed. It is then up to the user to decide whether she can trust that the site to which she is connecting is legitimate.
The certificate file to use is specified in the server configuration file using the SSLCertificateFile directive.
The Certificate-Signing Request
For your site to be trusted by clients, you need to have your certificate signed by a trusted agency that operates as a Certificate Authority. To have the certificate signed by a Certificate Authority, create a certificate-signing request (CSR) and send it to the authority with some documentation. This costs anywhere from $250 to $1,000 per year.
Several agencies act as Certificate Authorities, which involves verifying the information in the certificate and digitally signing it. The price they charge covers the cost of researching the information in your CSR and the liability they take on by certifying your Web site.
The following are some Certificate Authorities:
CertiSign (Brazilian, part of VeriSign)
IKS GmbH (German)
Thawte (part of VeriSign)
All of these companies accept certificate-signing requests generated by the mod_ssl package, for use with Apache and mod_ssl. When you make your server key file and certificate, you also make a certificate-signing request. The information in this request must match exactly the company name, registered domain name, and other details that the Certificate Authority requires in order to process your request. The request file is also written automatically in the encoded format that Certificate Authorities expect. Detailed information on pricing, on creating and submitting the CSR, and on the required accompanying documentation is available on the Web sites of the respective companies.
To test your server, or to run your server internally in your organization, you can act as your own Certificate Authority and self-sign your certificate. This is also referred to as self-certifying. The browsers that connect to your server won't recognize your signature as one from a valid Certificate Authority, but users can manually accept the certificates on their browsers after seeing an error message.
For internal use, you can eliminate the error message on the client by adding a Certificate Authority file to the client's browser. The steps involved in doing this are beyond the scope of this section, but see the online mod_ssl documentation for more information.
After you receive a certificate signed by a real Certificate Authority, you substitute it for the self-signed one by copying it over the old file or by modifying the value of the SSLCertificateFile directive.
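The three files described above (the encrypted key, the CSR, and a self-signed certificate for internal use), built by hand with the openssl command-line tool and then checked for consistency, as an added example that is not part of the original text or of the mod_ssl makefile; the paths, subject fields, and pass phrase are constructed for this example.

```shell
#!/bin/sh
# Added example: build the three files the section describes (server.key,
# server.csr, server.crt) by hand with the openssl command-line tool, then
# check that they belong together before httpd.conf points at them via
# SSLCertificateKeyFile and SSLCertificateFile.  Paths, subject fields and
# the pass phrase below are constructed for this example.
set -e

WORK=${WORK:-$(mktemp -d)}
KEY="$WORK/server.key"
CSR="$WORK/server.csr"
CRT="$WORK/server.crt"
PASS="pass:example-pass-phrase"                  # constructed; keep real ones secret
SUBJ="/C=US/O=Example Org/CN=www.example.com"    # must match what the CA verifies

# 1. Key pair, encrypted under the pass phrase so the private key never sits
#    unprotected on disk; this is the pass phrase the server asks for at startup.
make_key() { openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null; }

# 2. Certificate-signing request: the public key plus the identity fields a
#    Certificate Authority checks before signing.
make_csr() { openssl req -new -key "$KEY" -passin "$PASS" -subj "$SUBJ" -out "$CSR"; }

# 3. Self-signed certificate for testing or internal use.  A CA-signed
#    certificate later replaces this file, or SSLCertificateFile is repointed.
self_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "$PASS" \
        -days 365 -out "$CRT" 2>/dev/null
}

build_all() { make_key && make_csr && self_sign; }

# Checks worth running before the files go into production.
key_is_encrypted() { grep -q ENCRYPTED "$KEY"; }           # PEM header marks an encrypted key
csr_is_valid()     { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }
key_matches_cert() {
    # Compare the public key inside the private key file with the one in the
    # certificate; a mismatch means the server will fail to start or to handshake.
    k=$(openssl pkey -in "$KEY" -passin "$PASS" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

build_all
if key_is_encrypted && csr_is_valid && key_matches_cert; then
    echo "key, CSR and certificate in $WORK are consistent"
fi
```

The same three checks apply unchanged after a CA-signed certificate replaces the self-signed one, since the public key in the new certificate must still match the key file.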