To seamlessly encrypt communication between a web server and a client browser, it is necessary to purchase a security certificate from a well-established Certificate Authority (CA). A self-signed certificate provides equally strong encryption, but most browsers display an alert that will confuse the majority of ordinary users. If the site is to be viewed by the public at large, using a commercial CA will suppress this warning.
The Thawte SSL123 certificate is heavily discounted, compared to other Thawte products. It is by no means the cheapest available, but it is a good choice when support for very old browsers is an absolute must. Thawte's root certificate has been included with browsers for a very long time, giving Thawte a competitive advantage over other discount CAs. The purchase process is relatively easy, but the instructions for installation are incomplete. This document attempts to describe the steps involved as simply as possible.
This document assumes that apache and mod_ssl are configured and running, using a test certificate (hint: change the start command in /etc/rc.d/rc.http to /usr/sbin/apachectl startssl).
First, get organized:
su -
cd /etc/ssl/certs
mkdir www.example.com
cd www.example.com
Create a private key that does not have a passphrase, allowing the server to restart unattended (after a power failure, for example):
openssl genrsa -out www.example.com.key 1024
Now use the key to create a Certificate Signing Request (CSR):
openssl req -new -key www.example.com.key -out www.example.com.csr
openssl req -noout -text -in www.example.com.csr
Follow the prompts, and be sure to enter the FQDN of the host that is to be secured when prompted for the Common Name. In this example the Common Name would be www.example.com. Do not set a challenge password. If a mistake is made, simply type Ctrl-c and begin again. It is also useful to edit /etc/ssl/openssl.cnf to supply the desired defaults (as always, make a backup first). The second command allows you to double-check the values you've entered in the CSR.
Once the CSR is created, it is possible to purchase the SSL123 certificate from Thawte. The online purchase form provides a text area into which the contents of the CSR must be entered. Beneath it is a link to test the CSR for validity. After confirming that the CSR is valid, paste the contents into the purchase form and proceed. Thawte will send a confirmation message to the technical contact specified in the purchase form. This message contains instructions for downloading the certificate. The provided URL will be protected with the password specified in the purchase form. The page will contain a link that will display the contents of both the certificate and the SSL123 Intermediate CA certificate in plain text (select the Standard Certificate Format). These are used to create two separate files, by copying and pasting the contents carefully. This can be achieved in a variety of ways. I prefer to paste between the browser and an open terminal:
cd /etc/ssl/certs/www.example.com
vim www.example.com.crt
vim thawte-ca.crt
It's a good idea to make these files readable only by root (but it may be necessary to adjust ownership or permissions, based on the user a daemon runs as):
chmod 600 *crt *csr *key
The final step is to configure apache. Slackware keeps these settings in
/etc/apache/mod_ssl.conf. It is only necessary to modify three
lines (shown here together, for simplicity):
SSLCertificateFile /etc/ssl/certs/www.example.com/www.example.com.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/www.example.com.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/thawte-ca.crt
It is now necessary to stop and start apache:
/etc/rc.d/rc.http stop
/etc/rc.d/rc.http start
If the certificate has been installed correctly, a visit to https://www.example.com/ will occur seamlessly, with no warning to the user. Some browsers display a closed padlock to indicate that the pages are protected by SSL.
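Before the restart it is worth checking, offline, that the files created above actually fit together; the classic failure is a key regenerated between creating the CSR and installing the certificate, which leaves apache refusing to start. The script below is an added example and not part of the original how-to. It assumes the directory layout used in the text (/etc/ssl/certs/www.example.com/ containing www.example.com.key, www.example.com.csr, www.example.com.crt and thawte-ca.crt), the openssl command line tool, and an OpenSSL release that understands the -partial_chain option of openssl verify. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original how-to): offline checks that the
# key, CSR, certificate and intermediate CA file fit together before apache
# is restarted. Every check function is silent and returns 0 on success,
# 1 on failure, so it can be used from a script or by hand.

# Print the Common Name of a CSR (kind=req) or a certificate (kind=x509).
# -nameopt RFC2253 yields "CN=host" on both old and new OpenSSL releases.
subject_cn() {
    kind=$1; file=$2
    openssl "$kind" -noout -subject -nameopt RFC2253 -in "$file" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 1. Does the Common Name in the CSR match the host we intend to secure?
csr_cn_matches() {
    [ "$(subject_cn req "$1")" = "$2" ]
}

# 2. Was the certificate issued for the key on disk? The RSA modulus must be
#    identical in the key file and in the certificate.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# 3. Does the CA file given as SSLCertificateChainFile really sign the server
#    certificate? -partial_chain lets verification stop at the intermediate
#    instead of demanding the root. Old openssl releases exit 0 even on a
#    failed verification, so the ": OK" line is tested, not the exit status.
chain_signs_cert() {
    openssl verify -partial_chain -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 4. Is the private key readable by its owner only (mode 0600)?
key_mode_is_0600() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Run all checks on a directory laid out as in the text; report every
# problem found and return 1 if there was at least one.
check_install() {
    dir=$1; host=$2; status=0
    csr_cn_matches "$dir/$host.csr" "$host" \
        || { echo "CSR Common Name is not $host"; status=1; }
    [ "$(subject_cn x509 "$dir/$host.crt")" = "$host" ] \
        || { echo "certificate Common Name is not $host"; status=1; }
    key_matches_cert "$dir/$host.key" "$dir/$host.crt" \
        || { echo "private key and certificate do not match"; status=1; }
    chain_signs_cert "$dir/thawte-ca.crt" "$dir/$host.crt" \
        || { echo "thawte-ca.crt did not issue $host.crt"; status=1; }
    key_mode_is_0600 "$dir/$host.key" \
        || { echo "private key is not mode 0600"; status=1; }
    return $status
}

# Usage, as root, after the files have been created:
#   check_install /etc/ssl/certs/www.example.com www.example.com
```

The checks are independent of key size, but anyone repeating the steps today should generate a 2048-bit or larger key in place of the 1024-bit one shown above, since public CAs no longer issue certificates for 1024-bit RSA keys and browsers no longer trust them.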
The process described above applies only to securing web pages. It is also possible to use the certificate to secure email, provided the Common Name is the same. See the documentation for your mail daemons for more details.
Slackware - Slackware Linux is known for its stability, security, simplicity and flexibility.
Transport Layer Security - This Wikipedia entry has numerous links to SSL/TLS information.
OpenSSL - High quality tools are freely available.
Microsoft Root Certificate Program - See how Microsoft adds root certificates to its operating systems.
WebTrust - Trust costs money. Lots and lots of money. And if you can't trust someone with lots and lots of money, who can you trust?
Mention of the following CAs is not an endorsement. Research your options carefully before choosing a commercial CA.
Thawte - Thawte is an established CA whose root certificate has been included in browsers for a long time. If compatibility with older browsers is important, the Thawte SSL123 certificate may be the most economical option. Verisign acquired Thawte in 2000.
FreeSSL - FreeSSL offers inexpensive certificates with excellent acceptance among modern browsers. Consider this CA if compatibility with older browsers is not a concern.
GeoTrust - GeoTrust claims to be the world’s second largest digital certificate provider. View the pretty graph. Like salt? Here's a grain of it.