P. 1
System Administration Guide

System Administration Guide

|Views: 4|Likes:
Publicado porRichard D Armstrong

More info:

Published by: Richard D Armstrong on Sep 02, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

05/24/2012

pdf

text

original

You must be root to generate a key.

216

Chapter 26. Apache HTTP Secure Server Configuration

First, use the cd command to change to the /etc/httpd/conf/directory. Remove the fake key and
certificate that were generated during the installation with the following commands:

rm ssl.key/server.key
rm ssl.crt/server.crt

Next, create your own random key. Change to the /usr/share/ssl/certs/ directory and type in
the following command:

make genkey

Your system displays a message similar to the following:

umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:

You now must enter in a passphrase. For security reason, it should contain at least eight characters,
include numbers and/or punctuation, and it should not be a word in a dictionary. Also, remember that
your passphrase is case sensitive.

Note

You are required to remember and enter this passphrase every time you start your secure server. If
you forget this passphrase, the key must be completely re-generated.

Re-type the passphrase to verify that it is correct. Once you have typed it in correctly,
/etc/httpd/conf/ssl.key/server.key,the file containing your key, is created.

Note that if you do not want to type in a passphrase every time you start your secure server, you must
use the following two commands instead of make genkey to create the key.

Use the following command to create your key:

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

Then, use the following command to make sure the permissions are set correctly for the file:

chmod go-rwx /etc/httpd/conf/ssl.key/server.key

After you use the above commands to create your key, you do not need to use a passphrase to start
your secure server.

Caution

Disabling the passphrase feature for your secure server is a security risk. It is not recommended that
you disable the passphrase feature for secure server.

Chapter 26. Apache HTTP Secure Server Configuration

217

Problems associated with not using a passphrase are directly related to the security maintained on the
host machine. For example, if an unscrupulous individual compromises the regular UNIX security on
the host machine, that person could obtain your private key (the contents of your server.key file).
The key could be used to serve webpages that appear to be from your secure server.

If UNIX security practices are rigorously maintained on the host computer (all operating system
patches and updates are installed as soon as they are available, no unnecessary or risky services are
operating, and so on), secure server’s passphrase may seem unnecessary. However, since your secure
server should not need to be re-booted very often, the extra security provided by entering a passphrase
is a worthwhile effort in most cases.

The server.key file should be owned by the root user on your system and should not be accessible
to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place.
You need the backup copy because if you ever lose the server.key file after using it to create your
certificate request, your certificate no longer works and the CA is not able to help you. Your only
option is to request (and pay for) a new certificate.

If you are going to purchase a certificate from a CA, continue to
Section 26.7 Generating a Certificate Request to Send to a CA. If you are generating your own
self-signed certificate, continue to Section 26.8 Creating a Self-Signed Certificate.

You're Reading a Free Preview

Descarga
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->