
probably don't want a key of less than 1024 bits. Choosing an appropriate

keysize is your responsibility.

How many bits of key (384 minimum, 1024 maximum): 1024

Now we will generate some random data, using the truerand library

developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T.

This may take some time.

Generating 2048 bits of randomness................................................................

Now we generate more random data, from keystrokes

We need to generate 2048 random bits. This is done by measuring the

time intervals between your keystrokes. Please enter some random text

on your keyboard until you hear the beep:

 0 * -Enough, thank you.

Finally, choose some files with random bits, to complete our random

number seed generation. You might want to put in logfiles, utmp, wtmp,

etc.

Once the key is generated you will be asked to enter a PEM pass phrase.

This is the pass phrase used to encrypt the key on the disk.

 --- DO NOT LOSE THIS PASS PHRASE ---

Enter colon-seperated list of files: /usr/adm/messages

Now we are generating the key. This may also take some time. Be patient.

The passphrase you enter here is very important. Do not lose it.

22320 semi-random bytes loaded

Generating RSA private key, 1024 bit long modulus

.+++++

........................................................+++++

e is 65537 (0x10001)</FONT></PRE>

<P>Next, you'll enter the PEM pass phrase (the password that protects the private key on disk). Characters entered here are not echoed. Do NOT forget your pass phrase: without it the encrypted key cannot be read, so the server cannot start and you would have to generate a new key and certificate. Enter the following:

<BR>

<PRE>

<FONT COLOR="#000080">Enter PEM pass phrase:

Verifying password Enter PEM pass phrase:

Key generated</FONT></PRE>

<P>If you would like to send your Certificate Signing Request (CSR) to a CA, type y; otherwise type n. If you type y, the CSR is sent to the CA. Certification by VeriSign costs $290.00. The session that prepares the CSR, and then the temporary self-signed certificate, looks like this:

<BR>

<PRE>

<FONT COLOR="#000080">Would you like to send a Certificate Request to a CA? [Y/n] n

Not generating CSR

Now we will create a self-signed certificate for use until the CA of your

choice signs your certificate. You will have to use this cert until

your CA responds with the actual signed certificate.

Enter PEM pass phrase:

You are about to be asked to enter information that will be incorperated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:

State or Province Name (full name) [California]:Somestate

Locality Name (city, town, etc.) [Springfield]:Somecity

Organization Name (company) [Random Corporation]:company, com.

Organizational Unit Name (division) [Secure Services Division]:

Common Name (webserver FQDN) [www.random.com]:www.company.com

--COMPLETE--

Your key has been generated and a test certificate has been installed

--COMPLETE--

Starting the server...

helium: Jul 22 23:41:19 1996 UTC - Aug 21 23:41:19 1996 UTC

WARNING: Certificate expires in 29 day(s)</FONT></PRE>

<P>Before the SSL server starts, you'll be asked for the pass phrase again. This is necessary because the private key is stored encrypted and the server must decrypt it before it can accept connections. The prompt looks like the following:

<BR>

<BR>

<PRE>

<FONT COLOR="#000080"><A NAME="I2"></A>Enter PEM pass phrase:</FONT></PRE>

<P>Congratulations! Your secure server is now running. To access it you'll need an SSL-capable browser. A secure server is addressed with an extra <I>s</I> after http in the URL scheme (http secure), for example https://www.company.com. The visual differences between a secure and a nonsecure site are shown in Figures 14.1 and 14.2.

<BR>

<P>To start and stop the server, use the scripts created by the installation program, start and stop.
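<P>The whole genkey procedure above, reproduced with the openssl command-line tool as an added example (this is not Stronghold's genkey and not code from the original page). It generates the encrypted private key, the CSR with the Distinguished Name from the transcript, and the 30-day self-signed certificate, then runs three checks a practitioner wants before starting the server: that the certificate's public key belongs to the private key, that the certificate will warn about expiry the way the transcript's server does, and that the key really is unusable without its pass phrase. The file names, the pass phrase, the organization name "Company" and the temporary working directory are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example, not Stronghold's genkey: the same steps genkey performs, done
# with the openssl command-line tool so that each artifact can be inspected.
# Assumed, not from the page: the file names, the pass phrase, the organization
# name and the use of a temporary directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

PASS='correct horse battery staple'   # stands in for the interactive PEM pass phrase
# Distinguished Name from the transcript; "Company" is a hypothetical organization
DN='/C=US/ST=Somestate/L=Somecity/O=Company/CN=www.company.com'

# Step 1 (genkey): private key, encrypted on disk under the pass phrase.
# 2048 bits rather than the transcript's 1024: 1024-bit RSA is no longer adequate.
gen_key() {  # $1 = key file
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Step 2 (genkey): the CSR carrying the DN; this is what goes to the CA.
gen_csr() {  # $1 = key file, $2 = CSR file
    openssl req -new -key "$1" -passin "pass:$PASS" -subj "$DN" -out "$2"
}

# Step 3 (genkey): temporary self-signed certificate to serve until the CA
# returns the real one. 30 days, like the transcript's helium certificate.
self_sign() {  # $1 = key, $2 = CSR, $3 = certificate out, $4 = days
    openssl x509 -req -in "$2" -signkey "$1" -passin "pass:$PASS" \
        -days "$4" -out "$3" 2>/dev/null
}

# Check 1: the public key in the certificate must be the one belonging to the
# private key the server loads, or every handshake will fail.
key_matches_cert() {  # $1 = key, $2 = certificate; exit 0 on match
    k=$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$k" = "$c" ]
}

# Check 2: whole days until notAfter, which is what the server's
# "WARNING: Certificate expires in N day(s)" reports for the test certificate.
days_left() {  # $1 = certificate; prints the day count
    d=0
    while openssl x509 -in "$1" -noout -checkend $(( (d + 1) * 86400 )) >/dev/null 2>&1; do
        d=$((d + 1))
        [ "$d" -lt 3650 ] || break     # cap the loop for long-lived certificates
    done
    echo "$d"
}

# Check 3: the key really is encrypted, i.e. a wrong pass phrase is rejected.
# This is the property behind the pass phrase prompt at every server start.
key_needs_passphrase() {  # $1 = key; exit 0 if a wrong pass phrase is rejected
    ! openssl pkey -in "$1" -passin 'pass:wrong' -noout 2>/dev/null
}

run_genkey() {  # $1 = directory to work in
    cd "$1"
    gen_key server.key
    gen_csr server.key server.csr
    self_sign server.key server.csr server.crt 30
    key_matches_cert server.key server.crt
    key_needs_passphrase server.key
    left=$(days_left server.crt)
    [ "$left" -ge 60 ] || echo "WARNING: Certificate expires in $left day(s)" >&2
    echo "$left"
}

run_genkey "$(mktemp -d)"
```

<P>Run it as root or as the user the server will run as; the key file is created mode 0600 because the pass phrase is only a second line of defense. The day count comes out as 29 for a certificate issued moments ago with -days 30, which is exactly the warning the transcript shows.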

<BR>

<P>In the case of Netscape, accessing the secure site at this point causes the browser to show warnings because the temporary certificate is self-signed: the browser does not recognize the CA that vouches for the site. Once the Certificate Request you prepared earlier has been signed by an authority the browser already trusts, such as VeriSign, and the signed certificate is installed, these warnings stop.

<BR>

<BLOCKQUOTE>

<BLOCKQUOTE>

<HR ALIGN=CENTER>

<BR>

<NOTE>As of the second beta, Microsoft Internet Explorer (MIE) will not allow you to access a secure site at all when the CA is unknown to the software. Netscape Navigator had this same sort of behavior in its 1.<I>x</I> release. You'd think Microsoft would think about this possibility!</NOTE>

<BR>

<HR ALIGN=CENTER>

</BLOCKQUOTE></BLOCKQUOTE>

<P><B><A HREF="http://docs.rinet.ru:8080/Apachu/14asg01.gif">Figure 14.1. The installed SSL server looks like this when viewed by Netscape. Note the bar under the address area and the icon on the lower left corner (on the computer the bars are rendered in blue).</A></B>

<BR>

<P><B><A HREF="http://docs.rinet.ru:8080/Apachu/14asg02.gif">Figure 14.2. A plain server looks like this when viewed by Netscape. Note the bar under the address area is missing, and the key icon is broken.</A></B>

<BR>

<BR>

<A NAME="E69E167"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>Generating a Key Pair and CSR for Stronghold</B></FONT></CENTER></H4>

<BR>

<P>In addition to generating a key pair when doing the initial installation, you can use the genkey program to generate additional keys. Why do you need the key pair? The server holds a private key and a matching public key. The public key is sent to every client (inside the certificate) and is used by the client to encrypt the secret it sends to the server; the server's private key is the only thing that can decrypt that secret. The private key therefore never leaves the server, which is why it is stored encrypted under the pass phrase.

<BR>

<P>In addition to the private/public key pair, genkey generates a CSR for sending to a CA&#151;an entity that acts as a notary public, authenticating that the holder of a certificate is indeed the entity listed in the certificate itself. The certificate contains your server's public key, an expiration date, information about your organization, and the digital signature of the issuer.

<BR>

<P>When a server starts up a secure connection, it transmits the certificate to the client. The client decodes it, obtaining your public key, the expiration date, the information about your organization and the issuer's digital signature, and displays the identifying information to the user. The client then checks that the certificate has not been altered and that the signature was made by a CA it knows, that is, a CA whose own certificate the client already holds; it also checks that the certificate has not expired and that the name in it matches the host in the URL. Only then does the client generate a symmetric session key, which it encrypts with your public key and sends to the server; that key protects the rest of the conversation.

<BR>

<P>The genkey program allows you to generate the key pair and e-mail the resulting CSR (which contains only the public key, never the private one) to a CA, typically VeriSign. The certification process costs $290 and takes a few days. To complete it, VeriSign will request more information about you or your organization before issuing the certificate for your server. For more information, please visit <A HREF="http://www.verisign.com/">http://www.verisign.com</A>.

<BR>

<P>Once you receive your certificate, you must install it using the getca program. Remember to save a copy of this certificate in a safe place. As root install it with the following commands:

<BR>

<BR>

<PRE>

<FONT COLOR="#000080"># getca <I>hostname</I> &lt; <I>certificate</I></FONT></PRE>

<P><I>hostname</I> is your fully qualified hostname. <I>certificate</I> is the path to the file the CA sent you. The certificate itself is public, so backing it up is safe; what must never be left lying around is the private key it matches.
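<P>The CA side of this section and the client checks described above, as an added example with the openssl command-line tool (not a Stronghold utility and not code from the original page). It plays the part of makeca (a private CA), gencert (signing the server's CSR) and the client that receives the certificate: signature against a known CA, validity period, and hostname match, followed by the RSA key exchange in which the client encrypts fresh secret material with the public key taken from the certificate and only the private key recovers it. The file names, the CA name, the pass phrase and the second hostname used to show a mismatch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not a Stronghold utility: the openssl equivalents of makeca
# (a private CA), gencert (signing the server's CSR) and the checks a client
# makes before it trusts the certificate, followed by the RSA key exchange the
# text describes. Assumed, not from the page: all file names, the CA name, the
# pass phrase and the second hostname used to show a mismatch.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

PASS='server key pass phrase'   # stands in for the PEM pass phrase prompt

# makeca: a self-signed CA certificate and its (here unencrypted) key.
make_ca() {  # $1 = CA key out, $2 = CA certificate out
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 365 -subj '/O=Company/CN=Company private CA' 2>/dev/null
    chmod 600 "$1"
}

# Server side: an encrypted private key and a CSR whose CN is the web server's FQDN.
make_server_csr() {  # $1 = key out, $2 = CSR out, $3 = FQDN
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -passin "pass:$PASS" -subj "/O=Company/CN=$3" -out "$2"
}

# gencert: the CA signs the CSR. The result is what the server sends to clients.
ca_sign() {  # $1 = CA key, $2 = CA certificate, $3 = CSR, $4 = certificate out
    openssl x509 -req -in "$3" -CA "$2" -CAkey "$1" -CAcreateserial \
        -days 30 -out "$4" 2>/dev/null
}

# What the client does with the certificate: verify the issuer's signature
# against a CA it already holds, check the validity period, and check that the
# name in the certificate is the host it connected to. Any failure is fatal.
client_accepts() {  # $1 = trusted CA certificate, $2 = server certificate, $3 = hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Key exchange: the client takes the public key out of the certificate and
# encrypts fresh symmetric key material with it; only the private key can
# recover it, which is why that key never leaves the server.
exchange_secret() {  # $1 = server certificate, $2 = server key; exit 0 if recovered intact
    openssl x509 -in "$1" -pubkey -noout > server.pub
    openssl rand -out client.secret 48           # the client's pre-master secret
    openssl pkeyutl -encrypt -pubin -inkey server.pub \
        -pkeyopt rsa_padding_mode:oaep -in client.secret -out wire.bin
    openssl pkeyutl -decrypt -inkey "$2" -passin "pass:$PASS" \
        -pkeyopt rsa_padding_mode:oaep -in wire.bin -out server.secret
    cmp -s client.secret server.secret
}

demo() {  # $1 = directory to work in
    cd "$1"
    make_ca ca.key ca.crt
    make_server_csr server.key server.csr www.company.com
    ca_sign ca.key ca.crt server.csr server.crt
    client_accepts ca.crt server.crt www.company.com && echo "accepted: www.company.com"
    client_accepts ca.crt server.crt www.other.com || echo "rejected: www.other.com (name mismatch)"
    exchange_secret server.crt server.key && echo "server recovered the client's secret"
}

demo "$(mktemp -d)"
```

<P>The point of the rejected second hostname is the one made later in this chapter about virtual hosts: a certificate is only good for the name it carries. A certificate signed by a CA the client does not hold is rejected in the same way, which is what happens with the temporary self-signed certificate until the CA-signed one is installed with getca.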

<BR>

<BR>

<A NAME="E69E168"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>How Many Certificates Do You Need</B><B>?</B></FONT></CENTER></H4>

<BR>

<P>Most of the time you will only need to get one certificate. You will need to get an additional certificate if you are

<BR>

<UL>

<LI>Using a different hostname or physical machine

<BR>

<BR>

<LI>Using a different key pair

<BR>

<BR>

<LI>Using a different brand of Web server

<BR>

<BR>

</UL>

<P>However, there may be creative ways of reducing your costs. Using Apache virtual hosts (described in <A HREF="asg04.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg04.htm">Chapter 4</A>, &quot;Virtual Hosts&quot;), you could implement a common site in your organization that handles all secure transactions for the various divisions in your organization, such as a point of sale system. All you need to do is create a link from your HTML to the secure URL when you need to transfer information via a secure environment. The secure server will then handle all secure transactions for all the other sites. Just remember to leave the &quot;Organization Unit&quot; field blank during configuration so that you don't confuse visitors. You may want to consider that while the most popular browsers support SSL, some may not, and you may want to offer a nonsecure transaction choice.

<BR>

<BR>

<A NAME="E69E169"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>Stronghold Utilities</B></FONT></CENTER></H4>

<BR>

<P>The SSL distribution also includes a number of program utilities to help you manage your certificates and passwords.

<BR>



<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="80%" CELLPADDING=2 >

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

change_pass

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

Sets the passphrase used to encrypt the server's private key. The private key should be kept encrypted to avoid any problems if someone obtains it. However, an encrypted private key will require providing a passphrase every time the server is started.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

decrypt_key

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility decrypts the private key to allow the server to start without requesting a passphrase. An unencrypted private key is only as safe as the file permissions protecting it: anyone who can read the file can impersonate the server, so restrict it to the user the server runs as.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

gencert

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This tool is used to generate a test certificate. It also lets you act as your own private certificate authority (you sign your own certificates). Third-party tools are available to help you implement a more complex CA. For information, visit http://www.xcert.com.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

genkey

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility generates a private/public key pair and a CSR that you can send to a CA, such as VeriSign, for processing.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

getca

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility installs a certificate provided by a CA such as VeriSign.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

getreq

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility generates a CSR based on an existing private key located in $SSLTOP/private/hostname.private

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

makeca

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility sets up a self-signed CA for Stronghold.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

renewal

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

This utility submits a certificate renewal request to your CA.</FONT>

</TABLE><BR>
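<P>What change_pass, decrypt_key, getreq and renewal amount to when done with the openssl command-line tool, as an added example (not Stronghold's utilities and not code from the original page). Each step is followed by the check a practitioner wants: that the old pass phrase no longer opens the key after change_pass, that a decrypted key lands on disk with mode 0600, that a CSR made from an existing key verifies before it is sent, and that a renewed certificate carries the same public key as the one it replaces. The file names, the two pass phrases and the DN are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Stronghold's utilities: what change_pass, decrypt_key,
# getreq and a renewal amount to when done with openssl, each followed by the
# check a practitioner wants. Assumed, not from the page: the file names, the
# two pass phrases and the DN.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

OLD='old pass phrase'
NEW='new pass phrase'
DN='/O=Company/CN=www.company.com'

# Starting point: an encrypted private key, as genkey leaves it.
new_encrypted_key() {  # $1 = key out, $2 = pass phrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Does this pass phrase open the key? The property behind "DO NOT LOSE THIS
# PASS PHRASE": there is no recovery path if the answer is no.
key_opens_with() {  # $1 = key, $2 = pass phrase; exit 0 if it opens
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# change_pass: re-encrypt the same key under a new pass phrase. The key itself
# does not change, so the installed certificate stays valid.
change_pass() {  # $1 = key, $2 = old pass phrase, $3 = new pass phrase
    openssl rsa -in "$1" -passin "pass:$2" -aes256 -passout "pass:$3" -out "$1.tmp" 2>/dev/null
    chmod 600 "$1.tmp"
    mv "$1.tmp" "$1"
}

# decrypt_key: write the key unencrypted so the server starts unattended.
# The file mode is then the only protection, so insist on 0600.
decrypt_key() {  # $1 = encrypted key, $2 = pass phrase, $3 = plaintext key out
    ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
    mode=$(ls -l "$3" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# getreq: a fresh CSR from the existing key (for a new or different CA), then
# verify the CSR's own signature before sending it anywhere.
getreq() {  # $1 = key, $2 = pass phrase, $3 = CSR out
    openssl req -new -key "$1" -passin "pass:$2" -subj "$DN" -out "$3"
    openssl req -in "$3" -noout -verify >/dev/null 2>&1
}

# A certificate issued from a CSR (self-signed here; a CA does the same thing
# with its own key).
issue_cert() {  # $1 = key, $2 = pass phrase, $3 = CSR, $4 = days, $5 = certificate out
    openssl x509 -req -in "$3" -signkey "$1" -passin "pass:$2" -days "$4" -out "$5" 2>/dev/null
}

# renewal check: a replacement certificate is only usable if it carries the
# same public key as the one it replaces, i.e. matches the installed key.
same_public_key() {  # $1 = old certificate, $2 = new certificate
    a=$(openssl x509 -in "$1" -pubkey -noout)
    b=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$a" = "$b" ]
}

demo() {  # $1 = directory to work in
    cd "$1"
    new_encrypted_key server.key "$OLD"
    change_pass server.key "$OLD" "$NEW"
    key_opens_with server.key "$NEW"
    if key_opens_with server.key "$OLD"; then echo "old pass phrase still works" >&2; exit 1; fi
    echo "pass phrase changed; the old one no longer opens the key"
    decrypt_key server.key "$NEW" server.key.plain
    echo "plaintext key written with mode 0600"
    getreq server.key "$NEW" renew.csr
    issue_cert server.key "$NEW" renew.csr 30 old.crt
    issue_cert server.key "$NEW" renew.csr 365 new.crt
    same_public_key old.crt new.crt
    echo "renewed certificate matches the installed key"
}

demo "$(mktemp -d)"
```

<P>The decrypted key is the one file on the machine worth stealing; the umask in decrypt_key makes sure it is never world-readable even for an instant. If you renew, compare the public keys before running getca: a certificate issued for a different key will install cleanly and then fail every handshake.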

<A NAME="E68E163"></A>

<H3 ALIGN=CENTER>

<CENTER>

<FONT SIZE=5 COLOR="#FF0000"><B>SSL-Configuration Directives</B></FONT></CENTER></H3>

<BR>

<P>Apache SSL extensions are incorporated into Apache via ssl_module. This module provides a number of configuration directives that you can use to control where the server will find configuration files, logs, and certificates, among other things. Most of these directives are placed in the httpd.conf file that resides in the ssl_conf directory if you are using Stronghold, or in the SSLconf/conf/ directory for Apache-SSL installations.

<BR>

<P>These directives can be used in a &lt;VirtualHost&gt; section. However, note that browsers such as Netscape Navigator 2.<I>x</I> and later check the hostname in the URL against the Common Name on the server certificate, so you must provide a separate certificate for each virtual host you house. Because the server presents its certificate before it has seen any HTTP request, it cannot tell from the request which virtual host is wanted; each SSL virtual host therefore also needs its own IP address (or port) so that the server can select the right certificate.

<BR>

<BR>

<A NAME="E69E170"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>BanCipher</B></FONT></CENTER></H4>

<BR>

<UL>
