
Digital Certificates and the Apache Web Server

THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES



Like most web servers, Apache supports the use of digital certificates to create Secure Socket Layer (SSL) connections between web servers and web browsers, or between two web servers. In this guide, you will learn how to test, purchase, install, and use a Thawte digital certificate on your Apache web server. The guide illustrates best practices throughout to help you efficiently manage your encryption keys and digital certificates.

System Requirements

This guide assumes that you are running a recent version of the Apache web server software and that the required SSL components are installed, including OpenSSL and either ModSSL or Apache-SSL. Many Apache distributions, as well as UNIX/Linux distributions that include Apache, are already configured with these prerequisites. This guide assumes that you are using ModSSL, although Apache-SSL is substantially similar and Thawte does not recommend one over the other.

Resource

You can learn more about these SSL components at:

www.apache.org
www.modssl.org
www.apache-ssl.org
www.openssl.org

Generating Your Private Key

The first step is to use the OpenSSL binary to generate your private key. This key is retained on your web server, and we recommend that you secure it using cryptographic protection. Run this command:

openssl genrsa -des3 -out domainname.key 2048

For example, if your web server host and domain name were www.thawte.com, you would run:

openssl genrsa -des3 -out www.thawte.com.key 2048

This command generates an RSA private key, 2048 bits in length, and encrypts the key file using the Triple-DES cipher. The key is written to a file named www.thawte.com.key (in this example). When the command runs, you will be prompted to enter a Privacy Enhanced Mail (PEM) pass phrase, and asked to confirm the pass phrase a second time to set it. The private key is secured using this pass phrase; whenever the web server restarts or Apache is restarted, you will be prompted by OpenSSL to enter it, releasing the private key for Apache's use. Triple-DES is the traditional PEM key-encryption cipher; current OpenSSL releases also accept -aes256 in its place, which is the stronger choice. Whichever cipher you use, restrict the key file so that only the account that starts Apache can read it (for example, chmod 600 domainname.key).

Note
It is not required to use a pass phrase, but we recommend that you do so. Although it is less convenient, it helps ensure the security and privacy of your private encryption key. You should immediately make a backup copy of the key file, and document the pass phrase. If you lose or cannot access your private key, you cannot use the certificate you obtain from Thawte. You can back up the key file by simply copying it to a safe location, such as a removable drive:

cp domainname.key path-to-removable-disk

Generating Your Certificate Signing Request

Next, use OpenSSL to generate a Certificate Signing Request (CSR). This request is what you provide to Thawte in order to generate your certificate. To generate a CSR from the private key you just created, run this command:

openssl req -new -key domainname.key -out domainname.csr

Doing so creates a new CSR and saves it to the file domainname.csr. You will be prompted to enter several pieces of information while generating the CSR:

Country Name: the standardized 2-letter code, such as US or GB.

State or Province Name: this must be spelled out, as in Nevada, not abbreviated.

Locality: your city name.

Organization Name: your organization's full legal name.

Organizational Unit: often the division of your company that is responsible for the web server, such as IT.

Common Name: the exact name that users will type into their web browser to access the server that the SSL certificate secures, for example www.thawte.com. Note that thawte.com and www.thawte.com are different names, and a certificate issued for one does not cover the other. Do not include http:// or https:// in the Common Name, and do not include any path such as www.thawte.com/secure; only the complete host and domain name is allowed.

You will also be asked for the PEM pass phrase that you used to secure your private key. Be sure to carefully check all the information you provide, because this information is what Thawte will verify before issuing your certificate. The generated CSR file is a simple text file, containing something like the sample that Figure 1 shows.

Figure 1: A sample CSR text file.

You can view this file by running:

cat domainname.csr

Note
If you have generated more than one CSR, you may need to check a CSR before pasting it into Thawte's web site. Doing so helps ensure that you paste the correct CSR. To verify a CSR, run:

openssl req -text -noout -in filename.csr

Using a Test Certificate

Thawte offers a free test SSL certificate that will allow you to familiarize yourself with SSL certificates and their installation and use. These test certificates are fully functional but are not trusted by web browsers, meaning that web browsers will display a warning message when establishing the SSL connection. To facilitate testing, you can get your browser to trust the test certificate by visiting https://www.thawte.com/roots/index.html and following the instructions there. Test certificates are valid for 21 days and include no warranty.

Begin your test certificate request at https://ssl-certificate-center.thawte.com/process/retail/thawte_trial_initial. You will be asked to copy and paste your CSR into the text area provided; be sure to copy and paste the entire request, including the dashes and the BEGIN and END lines. The test certificate will be generated automatically, and you will be able to see it on the resulting page. Save it to a text file called domainname.crt.

Note
If you have not yet configured SSL in Apache, we recommend doing so prior to requesting a test or trusted certificate. SSL configuration is covered later in this guide.

Requesting a Trusted Certificate

You should create a new private key and CSR before requesting your production certificate. Production certificates are trusted by most web browsers by default. You can begin your certificate purchase at http://www.thawte.com/buy; you will need to copy and paste your CSR exactly as you did with your test certificate. Depending on the type of SSL certificate you are buying, your certificate may be issued immediately or may be issued after Thawte completes the identity verification process. The process may take several business days to complete.

Detailed instructions for obtaining a trusted Thawte SSL certificate can be found at: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO5905. During the identity verification process, you can check the status of your request at http://www.thawte.com/log-in/index.html, and you can always contact the customer service representative assigned to your request with any other questions.
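The key, CSR and certificate steps above, scripted as an added example so that each artifact can be checked before anything is pasted into a web form or pointed at by Apache. This is not code from the Thawte guide. It assumes an OpenSSL command-line binary on the PATH; the pass phrase is supplied with -passout/-passin only to keep the example non-interactive (in production, let genrsa prompt for it as the guide describes, so it never lands in shell history); www.example.com, the subject fields and the 192-day-free self-signed certificate are sample values. The self-signed certificate stands in for the 21-day trial certificate: it is equally untrusted by browsers but exercises the same matching checks. The modulus comparison at the end is the check that a key, CSR and certificate really belong together, which the guide's warning about lost keys turns on.

```shell
#!/bin/sh
# Added example (not from the Thawte guide). Assumes: openssl on PATH.
# Sample values: www.example.com, the -subj fields, the pass phrases.

# Generate a 2048-bit RSA key, encrypted under the pass phrase. -aes256 is
# used here instead of the guide's -des3; openssl genrsa accepts either.
gen_key() {   # gen_key PASSPHRASE KEYFILE
    openssl genrsa -aes256 -passout "pass:$1" -out "$2" 2048 2>/dev/null &&
    chmod 600 "$2"      # private key readable by its owner only
}

# Build the CSR from the key; -subj supplies the fields the guide lists
# (Country, State, Locality, Organization, Organizational Unit, Common Name).
gen_csr() {   # gen_csr KEYFILE PASSPHRASE CSRFILE COMMON_NAME
    openssl req -new -key "$1" -passin "pass:$2" \
        -subj "/C=US/ST=Nevada/L=Las Vegas/O=Example Inc/OU=IT/CN=$4" \
        -out "$3"
}

# Print the Common Name of a CSR: the "check a CSR before pasting it" step.
csr_cn() {    # csr_cn CSRFILE
    openssl req -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Stand-in for the trial certificate: self-signed from the same CSR, valid
# for 21 days, untrusted by browsers just like the real test certificate.
self_sign() { # self_sign KEYFILE PASSPHRASE CSRFILE CRTFILE
    openssl x509 -req -days 21 -in "$3" -signkey "$1" -passin "pass:$2" \
        -out "$4" 2>/dev/null
}

# RSA modulus of each artifact; a key, CSR and certificate belong together
# exactly when all three moduli are identical.
key_modulus() { openssl rsa  -noout -modulus -in "$1" -passin "pass:$2"; }
csr_modulus() { openssl req  -noout -modulus -in "$1"; }
crt_modulus() { openssl x509 -noout -modulus -in "$1"; }

# Succeeds only if key, CSR and certificate form one matched set: run this
# before pointing SSLCertificateKeyFile and SSLCertificateFile at them.
pair_matches() { # pair_matches KEYFILE PASSPHRASE CSRFILE CRTFILE
    k=$(key_modulus "$1" "$2") || return 1
    c=$(csr_modulus "$3")      || return 1
    x=$(crt_modulus "$4")      || return 1
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# Walk the whole procedure in a scratch directory, e.g.: demo www.example.com
demo() {      # demo COMMON_NAME
    d=$(mktemp -d); p="demo pass phrase"
    gen_key "$p" "$d/$1.key" &&
    gen_csr "$d/$1.key" "$p" "$d/$1.csr" "$1" &&
    self_sign "$d/$1.key" "$p" "$d/$1.csr" "$d/$1.crt" &&
    echo "Common Name in CSR: $(csr_cn "$d/$1.csr")" &&
    echo "Certificate expires: $(openssl x509 -noout -enddate -in "$d/$1.crt")" &&
    pair_matches "$d/$1.key" "$p" "$d/$1.csr" "$d/$1.crt" &&
    echo "key, CSR and certificate match (files in $d)"
}
```

Because pair_matches compares the RSA modulus rather than file names, it also catches the case the guide warns about in the Requesting a Trusted Certificate section: a fresh key and CSR generated for the production certificate will not match a trial certificate issued against the earlier CSR, and a certificate installed against the wrong key fails this check before Apache ever refuses to start.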

Configuring SSL

Prior to installing any certificate, you will need to configure your Apache web server. Directives are used to tell Apache exactly how it should behave and how certain content is handled. ModSSL provides the directives used to configure SSL support in Apache. The following are the most frequently used directives:

SSLCACertificateFile: the path to the file that contains Certification Authority (CA) root certificates.

SSLCertificateFile: the path to the file that contains your SSL certificate (obtained from Thawte).

SSLCertificateKeyFile: the path to your private key; please ensure that this is the key that was used to generate the CSR submitted to Thawte.

SSLEngine: controls whether SSL is enabled for a particular virtual host.

Additional ModSSL directives (for version 2.8, the latest version as of this guide's publication date) are documented at www.modssl.org/docs/2.8/ssl_reference.html. These directives must be placed into the httpd.conf file, which contains Apache's general configuration settings. Many Apache distributions have these directives by default, although they may be commented out. Be sure they contain the correct paths. For example, if your certificates are located in /usr/local/certs and your private keys in /usr/local/ssl/private, you might include the following in httpd.conf (a directive is followed by its value, with no colon between them):

SSLCertificateFile /usr/local/certs/www.mydomain.com.crt
SSLCertificateKeyFile /usr/local/ssl/private/www.mydomain.com.key
SSLEngine on

If the CA supplies an intermediate CA certificate along with your server certificate, browsers need it to build the chain to a trusted root; in ModSSL it is served with the SSLCertificateChainFile directive. SSLCACertificateFile, by contrast, lists the CAs that ModSSL will accept when verifying client certificates and does not complete your own certificate's chain.

You must also ensure that any firewalls or routers are making port 443 (the default port for SSL-secured HTTP connections) available to the web server.

Installing Your Certificate

Once issued, you can download your certificate from Thawte's web site. Simply log into your account to retrieve your certificate. Save the certificate file to the location on the server that your SSLCertificateFile directive names.

Note
For consistency, we recommend saving the file using a filename such as domainname.crt; this makes it easy to match the .key, .csr, and .crt files if you follow this naming convention consistently.

Figure 2: A sample certificate file.

You can view the certificate details by running this command:

openssl x509 -text -noout -in domainname.crt

The output will include the certificate's validity period, issuer, owner, fingerprint, and other information. Your certificate can only be used in conjunction with the private key you created originally. If you lose access to the private key file, the certificate is useless. Certificates and private keys are matched pairs; without one, you cannot use the other.

Securing Virtual Hosts

Each virtual host supported by Apache can use SSL. To do so, each host must have its own unique IP address; this is a restriction of the https protocol. Multiple SSL-secured hosts cannot be differentiated by host headers alone; the server must be able to differentiate them by IP address. This is because, in an https request, the Host header is itself encrypted, so the server cannot use it to select a virtual host until after the SSL connection has been established, and to establish that connection it must already have chosen a certificate. Newer software relaxes this: Apache 2.2.12 and later built against OpenSSL 0.9.8f or later support the Server Name Indication (SNI) extension to TLS, in which the browser sends the requested host name unencrypted during the handshake, so name-based SSL virtual hosts on one IP address work for clients that support SNI. Once SSL has been installed and configured, you typically must restart the entire server, not just Apache's daemon.
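The per-virtual-host layout that the Configuring SSL and Securing Virtual Hosts sections describe, written out as an added httpd.conf fragment (not configuration from the Thawte guide). The addresses 192.0.2.10 and 192.0.2.11, the host names, the DocumentRoot paths and the intermediate certificate file name are sample values; the certificate and key directories follow the guide's example. Each SSL host is bound to its own IP address, as the guide requires, and the directives sit inside the VirtualHost rather than at the top level so that each host presents its own certificate and key.

```apache
# Added example, not from the Thawte guide. Sample values: the 192.0.2.x
# addresses, host names, DocumentRoot paths and thawte-intermediate.crt.
Listen 443

# First SSL host on its own IP address.
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /usr/local/www/example
    SSLEngine on
    SSLCertificateFile      /usr/local/certs/www.example.com.crt
    SSLCertificateKeyFile   /usr/local/ssl/private/www.example.com.key
    # Intermediate CA certificate supplied with the server certificate,
    # so that browsers can chain it to a trusted root.
    SSLCertificateChainFile /usr/local/certs/thawte-intermediate.crt
</VirtualHost>

# Second SSL host: a different IP address, its own certificate and key.
<VirtualHost 192.0.2.11:443>
    ServerName   secure.example.net
    DocumentRoot /usr/local/www/secure
    SSLEngine on
    SSLCertificateFile    /usr/local/certs/secure.example.net.crt
    SSLCertificateKeyFile /usr/local/ssl/private/secure.example.net.key
</VirtualHost>
```

After editing, run apachectl configtest to catch a wrong path before restarting, and confirm from another machine with openssl s_client -connect 192.0.2.10:443 that the certificate returned carries the expected Common Name and that the intermediate appears in the certificate chain the server sends.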

Useful Links
You may find the following URLs to be useful:

Key-generation guide for Apache-SSL and Apache ModSSL: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1108

To download a free trial certificate: https://ssl-certificate-center.thawte.com/process/retail/thawte_trial_initial

To learn more, contact our sales advisors:

Via phone
US toll-free: +1 888 484 2983
UK: +44 203 450 5486
South Africa: +27 21 819 2800
Germany: +49 69 3807 89081
France: +33 1 57 32 42 68
Email: sales@thawte.com
Visit our website at https://www.thawte.com/log-in

Protect your business and translate trust to your customers with high-assurance digital certificates from Thawte, the world's first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide.

2013 Thawte, Inc. All rights reserved. Thawte, the thawte logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Thawte, Inc. and its subsidiaries and affiliates in the United States and in foreign countries. All other trademarks are property of their respective owners.
