Types of Certificates


If you installed your secure Web server using the Red Hat Linux installation program, a random key and a test certificate were generated and put into the appropriate directories. Before you begin using your secure server, however, you will need to generate your own key and obtain a certificate that correctly identifies your server.

You need a key and a certificate to operate your secure Web server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two? A CA-signed certificate provides two important capabilities for your server:

  • Browsers will (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.

  • When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the Web pages to the browser.

If your secure server is being accessed by the public at large, your secure Web server needs a certificate signed by a CA, so that people who visit your website know that the website is owned by the organization that claims to own it. Before signing a certificate, a CA verifies that the organization requesting the certificate is actually what it claims to be. Most Web browsers that support SSL have a list of CAs whose certificates they will automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser will ask the user to choose whether to accept or decline the connection.

You can generate a self-signed certificate for your secure Web server, but be aware that a self-signed certificate will not provide the same functionality as a CA-signed certificate. A self-signed certificate will not be automatically recognized by users’ browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. If your secure server will be used in a production environment, you will probably need a CA-signed certificate.

The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:

  1. Create an encrypted private and public key pair.

  2. Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.

  3. Send the certificate request, along with documents specified by the CA that prove your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your experiences, or on the experiences of your friends or colleagues, or purely on monetary factors. To see a list of CAs, click on the Security button on your Web browser toolbar or on the padlock icon at the bottom left of the screen, then click on Signers to see a list of certificate signers from which your browser will accept certificates. You can also search the Web for CAs. Once you have decided upon a CA, you will need to follow the instructions it provides on how to obtain a certificate.

  4. When the CA is satisfied that your organization is indeed what it claims to be, it sends you a digital certificate.

  5. Install this certificate on your Web server and begin handling secure transactions.

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. See the section “Generating a Key” for instructions on how to generate a key.
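The steps above, together with the self-signed alternative, as an added example using the openssl command line; it is not taken from the guide. The subject, the passphrase and the throwaway local CA standing in for a real one are constructed assumptions, and `trusted_by` mimics a browser checking a certificate against its signer list.

```sh
#!/bin/sh
# Added example: every name, subject and passphrase below is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS='pass:example-only'    # constructed; prompt for a real passphrase in practice
SUBJ='/C=US/O=Example Org/CN=www.example.com'    # constructed identity

# Step 1: passphrase-encrypted private key. Step 2: request built from it.
make_key_and_csr() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" -passin "$PASS" \
        -subj "$SUBJ" -out "$WORK/server.csr"
}

# Self-signed alternative: the server key signs its own certificate.
make_self_signed() {
    openssl req -x509 -new -key "$WORK/server.key" -passin "$PASS" \
        -subj "$SUBJ" -days 30 -out "$WORK/selfsigned.crt"
}

# Steps 3-4 stand-in: a throwaway local CA signs the request. A real CA
# also checks your identity documents before it issues anything.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj '/O=Example Test CA/CN=Example Test Root' -days 30 \
        -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/casigned.crt" 2>/dev/null
}

# Check before step 5: does the file ($1, of type $2 = req | x509) carry our public key?
key_matches() {
    want=$(openssl pkey -in "$WORK/server.key" -passin "$PASS" -pubout | openssl sha256)
    got=$(openssl "$2" -in "$1" -noout -pubkey | openssl sha256)
    if [ "$want" = "$got" ]; then echo match; else echo mismatch; fi
}

# Browser-style decision: $1 = list of accepted signers, $2 = certificate.
trusted_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo accepted; else echo prompt-user; fi
}

make_key_and_csr; make_self_signed; make_ca_signed
echo "request key: $(key_matches "$WORK/server.csr" req)"
echo "CA-signed:   $(trusted_by "$WORK/ca.crt" "$WORK/casigned.crt")"
echo "self-signed: $(trusted_by "$WORK/ca.crt" "$WORK/selfsigned.crt")"
```

Both certificates carry the same public key; only the signer differs, which is why the verifier accepts one and would prompt for the other.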




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
EAN: 2147483647
Year: 2002
Pages: 278
Authors: Red Hat Inc
