Generating a Key


You must be root to generate a key. First, cd to the /etc/httpd/conf directory. Remove the fake key and certificate that were generated during the installation with the following commands:

rm ssl.key/server.key
rm ssl.crt/server.crt

Next, you need to create your own random key. Change to the /usr/share/ssl/certs directory and type the following command:

make genkey

Your system will display a message similar to the following:

umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:

You now need to enter a password. For best security, your password should contain at least eight characters, include numbers and/or punctuation, and not be a word found in a common dictionary. Also, remember that your password is case-sensitive.

Note

You will need to remember and enter this password every time you start your secure Web server, so do not forget it.

You will be asked to retype the password, to verify that it is correct. Once you have done so, /etc/httpd/conf/ssl.key/server.key, containing your key, will be created.

Note that if you do not want to enter a password every time you start your secure Web server, you will need to use the following two commands instead of make genkey to create the key. Use this command

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

to create your key. Then use the command

chmod go-rwx /etc/httpd/conf/ssl.key/server.key

to make sure that the permissions are set correctly on your key. After you use the above commands to create your key, you will not need to use a password to start your secure Web server.

Warning

Disabling the password feature for your secure Web server is a security risk. It is not recommended that you disable the password feature for your secure Web server.

The problems associated with not using a password are directly related to the security maintained on the host machine. For example, an unscrupulous individual who compromises the regular UNIX security on the host machine could obtain your private key (the contents of your server.key file). The key could be used to serve Web pages that will appear to be from your Web server.

If UNIX security practices are rigorously maintained on the host computer (all operating system patches and updates are installed as soon as they are available, no unnecessary or risky services are operating, and so on), the secure Web server’s password may seem unnecessary. However, since your secure Web server should not need to be rebooted very often, the extra security provided by entering a password is a worthwhile effort in most cases.

The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate will no longer work and the CA will not be able to help you. Your only option will be to request (and pay for) a new certificate.
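The procedure above (generate the key under umask 77, with or without a pass phrase, then chmod go-rwx), together with the ownership, permission and backup advice in the preceding paragraphs, can be collected into a small script. The script below is an added example, not part of the guide and not Red Hat's own tooling. It writes to paths you pass in rather than /etc/httpd/conf/ssl.key/server.key, uses a 2048-bit modulus instead of the guide's 1024 (1024-bit RSA is considered too weak today), and the function names, the backup directory and the `.bak` suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): generate an RSA server key,
# lock its permissions down, verify them, and keep a backup copy.
# Paths and function names here are hypothetical; the guide's real key path
# is /etc/httpd/conf/ssl.key/server.key.

# check_key_perms FILE [OWNER]
# Returns 0 only if FILE exists, is owned by OWNER (default root) and has no
# group or other permission bits, i.e. what "chmod go-rwx" leaves behind.
check_key_perms() {
    f=$1
    want_owner=${2:-root}
    [ -f "$f" ] || return 1
    # ls -ld prints e.g. "-rw------- 1 root root 887 Jan 1 12:00 server.key";
    # characters 5-10 of the mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$bits" = "------" ] && [ "$owner" = "$want_owner" ]
}

# lock_down_key FILE
# The guide's "chmod go-rwx" step: only the owner may read or write the key.
lock_down_key() {
    chmod go-rwx "$1"
}

# gen_key FILE [PASSPHRASE]
# With a pass phrase the key is encrypted with DES3, as "make genkey" does;
# without one an unencrypted key is written (the variant the guide warns
# about, since anyone who can read the file has the key). umask 77 ensures
# the file is never created group- or world-readable, even briefly.
gen_key() {
    f=$1
    pass=$2
    (
        umask 77
        if [ -n "$pass" ]; then
            openssl genrsa -des3 -passout "pass:$pass" -out "$f" 2048
        else
            openssl genrsa -out "$f" 2048
        fi
    )
}

# backup_key FILE DIR
# Copies the key into DIR as FILE.bak with the same tight permissions, so a
# lost server.key does not force you to buy a new certificate.
backup_key() {
    f=$1
    d=$2
    mkdir -p "$d" && chmod 700 "$d" || return 1
    (
        umask 77
        cp "$f" "$d/$(basename "$f").bak"
    )
}

# Usage (as root, paths are examples):
#   gen_key /tmp/example/server.key "a long pass phrase"
#   lock_down_key /tmp/example/server.key
#   check_key_perms /tmp/example/server.key root && echo "permissions ok"
#   backup_key /tmp/example/server.key /root/key-backup
```

check_key_perms is the piece worth running on an existing installation: it catches a server.key that was copied or restored with a permissive mode, which the guide's warning identifies as the way a local compromise turns into a stolen server identity. Run it as a periodic check rather than only once after generation.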

If you are going to purchase a certificate from a CA, continue to the next section. If you are generating your own self-signed certificate, continue to the section “Creating a Self-Signed Certificate.”




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
