If you installed your secure Web server using the Red Hat Linux installation program, a
random key and a test certificate are generated and put into the
appropriate directories. Before you begin using your secure server,
however, you will need to generate your own key and obtain a certificate
which correctly identifies your server.
You need a key and a certificate to operate your secure Web server — which
means that you can either generate a self-signed certificate or purchase a CA-signed
certificate from a CA. What are the differences between the two?
A CA-signed certificate provides two important capabilities for your
server:
- Browsers will (usually) automatically recognize the certificate and
  allow a secure connection to be made, without prompting the user.
- When a CA issues a signed certificate, they are guaranteeing the
  identity of the organization that is providing the Web pages to the
  browser.
If your secure server is being accessed by the public at large, your
secure Web server needs a certificate signed by a CA, so that people who visit
your website can trust that the website is owned by the organization that
claims to own it. Before signing a certificate, a CA verifies that the
organization requesting the certificate is actually who it claims to
be.
Most Web browsers that support SSL have a list of CAs whose certificates
they will automatically accept. If a browser encounters a certificate
whose authorizing CA is not in the list, the browser will ask the user
to choose whether to accept or decline the connection.
You can generate a self-signed certificate for your secure Web server, but be
aware that a self-signed certificate will not provide the same
functionality as a CA-signed certificate. A self-signed certificate
will not be automatically recognized by users' browsers, and a
self-signed certificate does not provide any guarantee concerning the identity
of the organization that is providing the website. A CA-signed
certificate provides both of these important capabilities for a secure
server. If your secure server will be used in a production environment,
you will probably need a CA-signed certificate.
The process of getting a certificate from a CA is fairly easy. A quick
overview is as follows:
1. Create an encryption private and public key pair.
2. Create a certificate request based on the public key. The
   certificate request contains information about your server and the
   company hosting it.
3. Send the certificate request, along with documents proving your
   identity, to a CA. We cannot tell you which certificate authority
   to choose. Your decision may be based on your past experiences, or
   on the experiences of your friends or colleagues, or purely on
   monetary factors.
   To see a list of CAs, click on the Security
   button on your Navigator toolbar or on
   the padlock icon at the bottom left of the screen, then click on
   Signers to see a list of certificate signers
   from whom your browser will accept certificates. You can also
   search the Web for CAs. Once you have decided upon a CA, you will need
   to follow the instructions they provide on how to obtain a
   certificate from them.
4. When the CA is satisfied that you are indeed who you claim to be, they
   will send you a digital certificate.
5. Install this certificate on your Web server, and begin handling
   secure transactions.
Whether you are getting a certificate from a CA or generating your own
self-signed certificate, the first step is to generate a key. See the section called Generating a Key for instructions on how to
generate a key.
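The key, request and certificate steps described above, carried out with openssl, together with the checks worth running before a request goes to a CA or a certificate is installed. This is an added example, not a script from the Red Hat documentation; it assumes openssl is on the PATH, and the server name and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Assumes openssl on PATH;
# the server name and subject fields below are constructed placeholders.
set -eu

HOST="www.example.com"            # placeholder server name (becomes the certificate's CN)
WORK="$(mktemp -d)"               # scratch directory so nothing lands in the real server config
KEY="$WORK/$HOST.key"
CSR="$WORK/$HOST.csr"
CRT="$WORK/$HOST.crt"

# Step 1: generate the key pair. Only the private key is written to disk;
# openssl derives the public key from it whenever it is needed.
gen_key() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"                # the private key must not be world-readable
}

# Step 2: create the certificate request. The subject names the server (CN)
# and the organization hosting it; this is what the CA verifies and signs.
gen_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example Corp/OU=Web/CN=$HOST"
}

# Self-signed alternative to steps 3 and 4: sign the request with your own key.
# Browsers will not recognize the result automatically, as the text explains.
self_sign() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CRT" 2>/dev/null
}

# Check: the request's signature must verify with the public key it carries ...
csr_verifies() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# ... it must name the server you expect (handles both "CN=x" and "CN = x" output) ...
csr_common_name() {
  openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# ... and a certificate you install must belong to the key the server will load.
cert_matches_key() {
  [ "$(openssl x509 -in "$CRT" -noout -modulus)" = \
    "$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)" ]
}

gen_key && gen_csr && self_sign
csr_verifies && cert_matches_key && echo "key, request and certificate for $(csr_common_name) are consistent"
```

For a CA-signed certificate, send the .csr file to the CA instead of calling self_sign, then run cert_matches_key against the certificate the CA returns before installing it.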