http://www.well.com/~btanaka/writing/samples/se...
This article originally appeared in the April 1998 issue of Sys Admin Magazine.
1 of 12
01/19/2012 02:40 PM
SSL-enabled web servers must have a server certificate. Roughly stated, a server certificate is a form of digital identification issued by a Certificate Authority (CA): it binds your server's name to its public key under the CA's signature, so that a browser can check that it is talking to the server it thinks it is. A server certificate requires a key pair. In "public key cryptography" (which SSL uses) there are two digital keys, a public key and a private key, which together form a key pair. What is encrypted with one key only the other can decrypt. As its name implies, the public key can be made publicly available. The private key must remain secret: anyone who obtains it can impersonate your server.

To summarize: SSL is intended to increase security between web clients and web servers, and you need a server certificate to use SSL. To acquire a server certificate you need to:

1. Generate a key pair and Certificate Signing Request (CSR) on your server
2. Submit the CSR to a Certificate Authority (CA)
3. Install the server certificate
4. Enable SSL on your web server

I will explain these steps in the remainder of this article.
will need to revoke your certificate and start over. Next we'll create the CSR.
Organizational Unit (You can use this field to further distinguish the group that is using the certificate, for instance "Online Commerce Division" or "Information Services". Choose wisely; this information will be a part of your certificate and is viewable by client-side users.)
Locality (Your city. In my case it would be Mountain View.)
State or Province (Your state. In my case it would be California. Note that you should not abbreviate.)
Country (Use the two-letter ISO 3166 country code. Mine is US.)

For VeriSign:

Your server software vendor (In this example it would be Netscape.)
Challenge Phrase (Pick a phrase that's easy to remember but hard for someone else to guess. You'll use this if you need to request VeriSign to revoke the certificate in the future, so treat it like a password: whoever knows it can ask for your certificate to be revoked.)
Contact information (This can be a bit tricky. You need three contacts: a technical contact, an organizational contact, and a billing contact. The technical contact must be authorized to maintain the server. In most cases this will be you. The organizational contact must be an employee of your organization and be "authorized to make binding agreement" to VeriSign's legal agreement. This person should be different from the technical contact. The billing contact will receive invoices and can be the same person as either of the other two contacts.)
How you will pay for the Digital ID (Credit card, purchase order, or check. Credit card is the fastest.)
Your Dun & Bradstreet D-U-N-S Number (This optional item also speeds up your order with VeriSign, as they use it to verify your corporate identity.)

Now that you've collected all of the above information, you are ready to generate your CSR. As in the case of the key pair generation, your web server software should provide a way to generate the CSR. Let's look at an example.
Server. This is useful if you are submitting, say, to an in-house CA using that particular software, but that isn't the case in this example. What I really want is to output the request to a file. So, in order to get the file, I select "CA email address", but I fill in the address field with my own address, in this case btanaka@intuit.com. When I'm done with this form, the CSR will come straight to me.
6. In the next step, select the alias you created when you generated the key pair and enter the password you defined earlier.
7. Lastly, fill in the remaining fields with the information you gathered beforehand (e.g. your name, phone number, server's common name, et cetera).
8. When you've made sure the values are correct, click on the OK button at the bottom of the page. A subsequent page will ask you to verify that the information is correct.
9. Since I specified my email address as the destination, I will receive the CSR in my mailbox. I'll save it to a file for use in the next section.
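The same two steps, key pair and CSR, done with the OpenSSL command-line tool instead of the Netscape administration pages. This is an added example, not part of the original article or of Netscape's software; it assumes OpenSSL is installed, and the organization and unit names in the subject are made up for the example (the host name is the one used throughout the article). The check at the end is the one you should do before submitting anything: confirm that the request parses, that its self-signature verifies, and that the subject reads exactly as you intend.

```shell
#!/bin/sh
# Added example, not from the original article: the key-pair and CSR steps
# done with the OpenSSL command-line tool. Assumptions: OpenSSL is installed;
# the O= and OU= values are invented for the example; the host name is the
# article's.
set -u

# Distinguished name, in the field order the article asks you to gather.
# Values with spaces are fine; a "/" inside a value would need escaping.
SUBJECT="/C=US/ST=California/L=Mountain View/O=Intuit Inc./OU=Information Services/CN=gfibbers.intuit.com"

# Generate the private half of the key pair. The umask makes the file
# readable only by its owner; Netscape instead keeps the key in the alias
# key database under the password you chose.
gen_key() {                         # gen_key <key.pem> [bits]
    (umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt "rsa_keygen_bits:${2:-2048}" -out "$1" 2>/dev/null)
}

# Build the CSR: the public key plus the subject, signed with the private key.
gen_csr() {                         # gen_csr <key.pem> <out.csr> <subject>
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# What the CA will see. Double-check it before you submit (the article's
# step 9): a typo here means revoking the certificate and starting over.
csr_subject() {                     # csr_subject <csr>
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Key length embedded in the request, e.g. 2048.
csr_key_bits() {                    # csr_key_bits <csr>
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit status 0 if the request parses and its self-signature verifies, i.e.
# it was not mangled on its way into or out of your mailbox.
csr_verify() {                      # csr_verify <csr>
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Walk through the steps in a scratch directory.
WORK=$(mktemp -d)
gen_key "$WORK/gfibbers-key.pem"
gen_csr "$WORK/gfibbers-key.pem" "$WORK/gfibbers.csr" "$SUBJECT"
csr_subject "$WORK/gfibbers.csr"      # subject=CN=gfibbers.intuit.com,OU=...,C=US
echo "key bits: $(csr_key_bits "$WORK/gfibbers.csr")"
csr_verify "$WORK/gfibbers.csr" &&
    echo "CSR self-signature OK; paste $WORK/gfibbers.csr into the CA's form"
```

The private key never leaves the machine: only the CSR (public key plus subject) goes to the CA, which is why the key file's permissions matter more than the CSR's.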
VeriSign provides a web front-end to their CSR submission procedure. Here's how to use it:
1. Aim your trusty web browser at http://digitalid.verisign.com. This is the main page of the VeriSign Digital ID Center. From this page you can apply for a digital ID, manage existing IDs, check on the status of your request, check the validity of an ID, et cetera.
2. Click on Enroll.
3. In the Organizations column, click on Web Servers.
4. Choose the statement that best describes you. In this example, "I want a Secure Server Digital ID to run SSL on my server".
5. Now select the proper server software vendor. In this example, I'll choose "Netscape" and on the next page I'll choose the correct Netscape product.
6. The next page gives you an overview of the process. Part of the page describes what information you should have beforehand. Since you've already gathered all of the information you're ready to go. It would be wise to read over this page anyway, however, since it may contain important information that was not available or required at the time this article was written. Click on the Begin button.
7. Ah, at last you're ready to submit the CSR. Open the mail message with the CSR in it. A CSR looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBJTCB0AIBADBtMQswCQYDVQQGEwJVUzEQMA4GA1UEChs4lBMHQXJpem9uYTEN
A1UEBxMETWVzYTEfMB0GA1UEChMWTWVs3XbnzYSBDb21tdW5pdHkgQ29sbGVnZTE
A1UEAxMTd3d3Lm1jLm1hcmljb3BhLmVkdTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYC
QQDRNU6xslWjG41163gArsj/P108sFmjkjzMuUUFYbmtZX4RFxf/U7cZZdMagz4I
MmY0F9cdpDLTAutULTsZKDcLAgEDoAAwDQYJKoZIhvcNAQEEBQADQQAjIFpTLgfm
BVhc9SQaip5SFNXtzAmhYzvJkt5JJ4X2r7VJYG3J0vauJ5VkjXz9aevJ8dzx37ir
3P4XpZ+NFxK1R=
-----END NEW CERTIFICATE REQUEST-----

8. Copy the CSR, including the BEGIN and END lines, and paste it in the edit box provided.
9. The next page will show the values of the fields you filled in when you generated the CSR. Double check them.
10. Fill out the rest of the fields with the information you gathered beforehand.

When you're done filling out the necessary forms you will need to wait for the CA to verify your information. The CA may contact you by phone to make last minute verifications before releasing your certificate. When all is in order, the server certificate will be issued to you. Usually it is sent via email to the address you specified earlier. When you receive it, you are then ready to install the certificate on your server and enable SSL.
Example of Installing the Server Certificate and Enabling SSL using Netscape Enterprise Server
Again, this example uses Netscape Enterprise Server 3.0 and additional information is available in the Netscape Enterprise documentation.
1. Use your web browser to connect to the Server Administration page. In my example I would connect to http://gfibbers.intuit.com:9999. (Use the port you specified as the administrative port when you originally installed your server.)
2. Choose Keys & Certificates. And from that page, choose Install Certificate.
3. A form will be presented to you. On this form, specify whether this is a new certificate or a renewal of an existing certificate. In the example, I'm applying for a new one, so I'll check that radio box.
4. Select This Server.
5. Select Message Text (with headers).
6. Paste the certificate issued to you by the CA in the edit box. Make sure that the text of the certificate is not mangled in any way. I once had trouble with spaces appended to each line. If the text is corrupted, the process will fail. Also, be sure you've included the "Begin Certificate" and "End Certificate" lines.
7. Select the alias you created when you generated the key pair originally.
8. Click on OK.
9. You will be asked whether or not you want to add the certificate. Click on Add.

Now the certificate will be stored in the file /alias/<alias>-cert.db. Since, in this example, my alias is "gfibbers", my certificate will be stored in /alias/gfibbers-cert.db.

Now that the certificate is installed, you can proceed to the next step and turn on SSL.
1. Go back to the main Server Administration page and click on Admin Preferences.
2. Click on Encryption On/Off.
3. Use the radio button to turn encryption on.
4. Select the alias you created earlier. In this example, I'll select "gfibbers".
5. Click on OK. You can now set any security preferences you want.
6. When you're done, you must stop and start the web server. Remember that you will be prompted for the key pair password when you try to start it. (See? I really did mean that you'll want to remember your password!)

Now that you have enabled SSL, users must use https instead of http to access your server. For instance, instead of http://gfibbers.intuit.com they will have to use https://gfibbers.intuit.com. Also note that the standard port for HTTPS is 443. If you specified port 443, then users do not need to specify it in the URL since it is assumed. But if you chose some other port, then they will need to specify the port in the URL. For instance, if I chose port 4001, then they would need to use https://gfibbers.intuit.com:4001 to access the site.
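Before pasting the CA's reply into the Install Certificate form, it is worth checking the text on the command line: that the armor lines survived, that no mailer added trailing spaces or carriage returns, that the certificate really carries the public key of the alias you are installing it under, and what its validity dates are (the renewal item under Finishing Up below). This is an added example with the OpenSSL command-line tool, not part of the original article or of Netscape's software; the mail message it works on is constructed for the example, with a self-signed certificate standing in for the CA-issued one, and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: checks to run on the
# certificate the CA mails back before installing it, plus the validity
# check behind the renewal reminder. Assumes the OpenSSL command-line
# tool; the mail message built below is constructed sample input.
set -u

# Cut the certificate out of a mail message: drop CRs and trailing spaces
# (the mangling the article ran into), then keep only the BEGIN..END block.
pem_extract() {                     # pem_extract <mail.txt>  -> clean PEM on stdout
    tr -d '\r' < "$1" | sed 's/[[:space:]]*$//' |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Usable only if both armor lines are present and OpenSSL can parse the body.
pem_check() {                       # pem_check <cert.pem>; exit 0 if usable
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ] || return 1
    openssl x509 -in "$1" -noout 2>/dev/null
}

# The certificate must carry the public key of the alias it is installed
# under, or the server cannot complete a handshake. Compare the public key
# inside the certificate with the one derived from the private key.
cert_matches_key() {                # cert_matches_key <cert.pem> <key.pem>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# What the browser's Page Info window shows: subject, issuer, validity range.
cert_summary() {                    # cert_summary <cert.pem>
    openssl x509 -in "$1" -noout -subject -issuer -dates -nameopt RFC2253
}

# Renewal reminder: exit 0 when the certificate expires within <days>.
cert_expires_within() {             # cert_expires_within <cert.pem> <days>
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# --- constructed sample input ---------------------------------------------
# A self-signed certificate stands in for the CA-issued one (the checks are
# the same), and a mail message with CRLF line ends and trailing spaces on
# every line stands in for what arrived in the mailbox.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/gfibbers-key.pem" -out "$WORK/issued.pem" \
    -subj "/C=US/ST=California/L=Mountain View/O=Intuit Inc./CN=gfibbers.intuit.com" 2>/dev/null
{
    printf 'From: ca@example.invalid\r\nSubject: Your Secure Server ID\r\n\r\nYour certificate:\r\n'
    awk '{ printf "%s   \r\n", $0 }' "$WORK/issued.pem"
    printf '\r\nRegards, the CA\r\n'
} > "$WORK/mail.txt"

pem_extract "$WORK/mail.txt" > "$WORK/gfibbers-cert.pem"
pem_check "$WORK/gfibbers-cert.pem" && echo "certificate text is intact"
cert_matches_key "$WORK/gfibbers-cert.pem" "$WORK/gfibbers-key.pem" &&
    echo "certificate matches the alias key"
cert_summary "$WORK/gfibbers-cert.pem"
if cert_expires_within "$WORK/gfibbers-cert.pem" 30; then
    echo "renew now"
else
    echo "more than 30 days of validity left"
fi
```

The cleaned file is what you paste into the form; the expiry function is the one to put in a cron job, with the window set to however long your CA's renewal process takes.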
Finishing Up
You may wish to change the parameters for SSL. For instance, you can specify which version of SSL to use (version 2 or version 3 at the time of this writing), specify which cipher suites to use, and so on. Version 2 of the protocol has known weaknesses, so unless you must support old clients, allow only version 3 and the strongest cipher suites your clients support. Consult your web server software vendor's documentation for more details.

After turning on SSL, I like to test the web server by comparing browser access via http and https URLs. When you successfully load a page via SSL, use your browser to view the certificate you installed. For instance, in Netscape Navigator you can select Page Info under the View menu, and the lower pane in the subsequent window will show the certificate info including the length of the key, the distinguishing information about the server and the organization that controls it, who issued the certificate, the range of dates during which the certificate is valid, et cetera.

That reminds me: certificates have a validity date range. Before the starting date and after the ending date the certificate is not valid, and client software should reject it. Usually the operational period is one year, but it may be longer or shorter. Because of this, add another item to your ongoing maintenance list: certificate renewal. Find out how your CA's renewal process works and be prepared to renew well in advance of the certificate's expiration date.

Your web server is now SSL enabled. And since it never hurts to know more about the technology you manage, I list the following resources for further reading.

For Further Reading:
Netscape's SSL Documentation: http://home.netscape.com/assist/security/ssl/index.html
SSL Documentation provided with Netscape Enterprise Server: http://[yourhost]:[your admin serv port]/admin-serv/manual/ag/security.htm
VeriSign: http://www.verisign.com
VeriSign Digital ID Center: http://digitalid.verisign.com
VeriSign Information Desk: http://digitalid.verisign.com/ask_veri.htm
Apache-SSL: http://www.apache-ssl.org/
Web Security & Commerce, by Simson Garfinkel with Gene Spafford, 1st Edition, June 1997, ISBN 1-56592-269-7
Practical UNIX & Internet Security, 2nd Edition, by Simson Garfinkel & Gene Spafford, April 1996, ISBN 1-56592-148-8