------------------------------------------------------------
revno: 3647
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2007-12-20 14:34:16 -0500
message:
  Extracted the Certificate section and placed it in the Security section, because it is
  referenced from multiple sections with the need for certs, not just Apache.  Also, updated
  it with more information on PKI.
modified:
  generic/server/C/security.xml
  generic/server/C/web-servers.xml

=== modified file 'generic/server/C/security.xml'
--- a/generic/server/C/security.xml     2007-12-10 06:31:28 +0000
+++ b/generic/server/C/security.xml     2007-12-20 19:34:16 +0000
@@ -467,5 +467,259 @@
            </itemizedlist>
          </sect2>
        </sect1>
+
+        <sect1 id="certificates-and-security" status="complete">
+          <title>Certificates</title>
+            <para>
+            One of the most common forms of cryptography today is 
<emphasis>public-key</emphasis> cryptography.
+            Public-key cryptography utilizes a <emphasis>public key</emphasis> 
and a <emphasis>private key</emphasis>.
+            The system works by <emphasis>encrypting</emphasis> information 
using the public key.  The information can  
+            then only be <emphasis>decrypted</emphasis> using the private key.
+            </para>
+            <para>
+            A common use for public-key cryptography is encrypting application 
traffic using a Secure Socket Layer (SSL) or 
+            Transport Layer Security (TLS) connection.  For example, 
configuring Apache to provide <emphasis>HTTPS</emphasis>, the
+            HTTP protocol over SSL.  This allows a way to encrypt traffic 
using a protocol that does not itself provide encryption.
+            </para>
+            <para>
+            A <emphasis>Certificate</emphasis> is a method used to distribute 
a <emphasis>public key</emphasis> and other information
+            about a server and the organization who is responsible for it.  
Certificates can be digitally signed by a 
+            <emphasis>Certificate Authority</emphasis> or CA.  A CA is a 
trusted third party that has confirmed that the information
+            contained in the certificate is accurate.
+            </para>
+        <sect2 id="types-of-certificates" status="complete">
+          <title>Types of Certificates</title>
+            <para>
+              To set up a secure server using public-key cryptography, in most 
cases, you
+              send your certificate request (including your public key),
+              proof of your company's identity, and payment to a CA. The
+              CA verifies the certificate request and your identity, and
+              then sends back a certificate for your secure server.  
+             Alternatively, you can create your own 
<emphasis>self-signed</emphasis>
+             certificate. 
+            </para>
+            <note>
+              <para>
+              Note, that self-signed certificates should not be used in most 
production environments.
+              </para>
+            </note>
+            <para>
+           Continuing the HTTPS example, a CA-signed certificate provides two 
important
+            capabilities that a self-signed certificate does not:
+            </para>
+
+            <itemizedlist>
+            <listitem>
+            <para>
+            Browsers (usually) automatically recognize the certificate
+            and allow a secure connection to be made without prompting
+            the user.
+            </para>
+            </listitem>
+            <listitem>
+            <para>
+             When a CA issues a signed certificate, it is
+             guaranteeing the identity of the organization that is
+             providing the web pages to the browser.
+            </para>
+            </listitem>
+            </itemizedlist>
+       
+            <para>
+             Most Web browsers, and computers, that support SSL have a list of 
CAs whose
+             certificates they automatically accept. If a browser
+             encounters a certificate whose authorizing CA is not in the
+             list, the browser asks the user to either accept or decline
+             the connection.  Also, other applications may generate an error 
message when using
+             a self-singed certificate.
+            </para>
+            <para>
+            The process of getting a certificate from a CA is fairly
+            easy. A quick overview is as follows:
+            </para>
+
+            <orderedlist>
+            <listitem>
+               <para>Create a private and public encryption key pair.</para>
+            </listitem>
+            <listitem>
+                 <para>Create a certificate request based on the public key. 
The
+              certificate request contains information about your server and 
the
+              company hosting it.</para>
+            </listitem>
+            <listitem>
+                 <para>Send the certificate request, along with documents 
proving your
+              identity, to a CA. We cannot tell you which certificate 
authority to
+              choose. Your decision may be based on your past experiences, or 
on the
+              experiences of your friends or colleagues, or purely on monetary
+              factors.</para>
+
+                    <para>Once you have decided upon a CA, you need to follow 
the
+              instructions they provide on how to obtain a certificate
+              from them.</para>
+            </listitem>
+            <listitem>
+               <para>When the CA is satisfied that you are indeed who you 
claim to be,
+            they send you a digital certificate.</para>
+            </listitem>
+            <listitem>
+              <para>
+              Install this certificate on your secure server, and configure 
the appropriate applications
+              to use the certificate.
+              </para>
+            </listitem>
+            </orderedlist>
+
+        </sect2>
+        <sect2 id="generating-a-csr" status="complete">
+          <title>Generating a Certificate Signing Request (CSR)</title>
+            <para>Whether you are getting a certificate from a CA or 
generating your own
+            self-signed certificate, the first step is to generate a key.
+            </para>
+            <para>
+            To generate the <emphasis>keys</emphasis> for the Certificate 
Signing Request (CSR) run the 
+            following command from a terminal prompt:
+            </para>
+<screen>
+<command>openssl genrsa -des3 -out server.key 1024</command>
+</screen>
+
+<programlisting>
+Generating RSA private key, 1024 bit long modulus
+.....................++++++
+.................++++++
+unable to write 'random state'
+e is 65537 (0x10001)
+Enter pass phrase for server.key:
+</programlisting>
+
+        <para>
+        You can now enter your passphrase. For best security, it should
+        at least contain eight characters. The minimum length when
+               specifying -des3 is four characters. It should include numbers
+        and/or punctuation and not be a word in a dictionary. Also
+        remember that your passphrase is case-sensitive. 
+        </para>
+
+        <para>
+        Re-type the passphrase to verify. Once you have re-typed it
+        correctly, the server key is generated and stored in the
+        <filename>server.key</filename> file.
+        </para>
+
+        <warning>
+        <para>
+        You can also run your secure service without a passphrase.
+        This is convenient because you will not need to enter the
+        passphrase every time you start your secure service. But it
+        is highly insecure and a compromise of the key means a
+        compromise of the server as well.
+        </para>
+        </warning>
+
+        <para>
+        In any case, you can choose to run your secure service without
+        a passphrase by leaving out the -des3 switch in the generation
+        phase or by issuing the following command at a terminal prompt:
+        </para>
+
+<screen>
+<command>openssl rsa -in server.key -out server.key.insecure</command>
+</screen>
+        <para>
+        Once you run the above command, the insecure key will be stored
+        in the <filename>server.key.insecure</filename> file. You can use this
+        file to generate the CSR without passphrase.
+        </para>
+
+        <para>
+        To create the CSR, run the following command at a terminal prompt:
+        </para>
+<screen>
+<command>openssl req -new -key server.key -out server.csr</command>
+</screen>
+
+        <para>
+        It will prompt you enter the passphrase. If you enter the
+        correct passphrase, it will prompt you to enter Company Name,
+        Once you enter all these details, your
+        CSR will be created and it will be stored in the
+        <filename>server.csr</filename> file.
+        Site Name, Email Id, etc. 
+        </para>
+       <para>
+       You can now submit this CSR file
+        to a CA for processing. The CA will use this CSR file and issue
+        the certificate. On the other hand, you can create self-signed
+        certificate using this CSR.</para>
+        
+       </sect2>
+        <sect2 id="creating-a-self-signed-certificate" status="complete">
+          <title>Creating a Self-Signed Certificate</title>
+            <para>
+            To create the self-signed certificate, run the
+            following command at a terminal prompt:
+            </para>
+<screen>
+<command>openssl x509 -req -days 365 -in server.csr -signkey server.key -out 
server.crt</command>
+</screen>
+
+            <para>The above command will prompt you to enter the
+            passphrase. Once you enter the correct passphrase, your
+            certificate will be created and it will be stored in the
+            <filename>server.crt</filename> file.  </para>
+        <warning>
+        <para>
+            If your secure server is to be used in a production environment, 
you
+            probably need a CA-signed certificate.  It is not
+            recommended to use self-signed certificate.
+        </para>
+        </warning>
+        </sect2>
+        <sect2 id="installing-the-certificate" status="complete">
+          <title>Installing the Certificate</title>
+
+            <para>You can install the key file
+            <filename>server.key</filename> and certificate file
+            <filename>server.crt</filename>, or the certificate file issued
+            by your CA, by running following commands at a terminal prompt:
+            </para>
+<screen>
+<command>sudo cp server.crt /etc/ssl/certs</command>
+<command>sudo cp server.key /etc/ssl/private</command>
+</screen>
+        <para>
+        Now simply configure any applications, with the ability to use 
public-key cryptography, to use
+        the <emphasis>certificate</emphasis> and <emphasis>key</emphasis> 
files.  For example, <application>Apache</application> can 
+        provide HTTPS, <application>Dovecot</application> can provide IMAPS 
and POP3S, etc. 
+        </para>
+        </sect2>
+        <sect2 id="certificate-references" status="review">
+          <title>References</title>
+          <itemizedlist>
+            <listitem>
+              <para>
+              For more detailed instructions on using cryptography see the
+              <ulink 
url="http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html";>SSL Certificates 
HOWTO</ulink> by tlpd.org
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+              <ulink url="http://www.pki-page.org/";>The PKI Page</ulink> 
contains a list of Certificate Authorities.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+              The Wikipedia <ulink 
url="http://en.wikipedia.org/wiki/Https";>HTTPS</ulink> page has more 
information regarding HTTPS.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+              For mor information on <emphasis>OpenSSL</emphasis> see the 
<ulink url="http://www.openssl.org/";>OpenSSL Home Page</ulink>.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </sect2>
+        </sect1>
     </chapter>
 
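Review bot: The CSR paragraph in the generating-a-csr sect2 is out of order: the fragment "Site Name, Email Id, etc." lands after the sentence about server.csr being created, so the list of prompted fields reads "Company Name, Once you enter all these details..."; move "Site Name, Email Id, etc." back after "Company Name," as it was in the text being removed from web-servers.xml. In installing-the-certificate, `sudo cp server.key /etc/ssl/private` keeps whatever mode the key had in the working directory, so a `sudo chmod 600 /etc/ssl/private/server.key` (or equivalent) after the copy would keep the private key readable only by root. Since this section is being rewritten anyway, the genrsa example still produces a 1024-bit modulus; 2048 is a safer default for new keys. Typos: "self-singed" should be "self-signed", "tlpd.org" should be "tldp.org", and "mor information" should be "more information"; "Note, that self-signed" does not need the comma.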

=== modified file 'generic/server/C/web-servers.xml'
--- a/generic/server/C/web-servers.xml  2007-12-01 19:40:05 +0000
+++ b/generic/server/C/web-servers.xml  2007-12-20 19:34:16 +0000
@@ -412,7 +412,7 @@
            The <application>mod_ssl</application> module adds
            an important feature to the Apache2 server - the ability to
            encrypt communications.  Thus, when your browser is
-           communicating using SSL encryption, the
+           communicating using SSL, the
            https:// prefix is used at the beginning of the Uniform
            Resource Locator (URL) in the browser navigation bar.
           </para>
@@ -429,240 +429,18 @@
 <command>sudo a2enmod ssl</command>
 </screen>
           </para>
-        <sect3 id="certificates-and-security" status="complete">
-          <title>Certificates and Security</title>
-            <para>
-              To set up your secure server, use public key cryptography to
-              create a public and private key pair. In most cases, you
-              send your certificate request (including your public key),
-              proof of your company's identity, and payment to a
-              Certificate Authority (CA). The
-              CA verifies the certificate request and your identity, and
-              then sends back a certificate for your secure server. 
-            </para>
-             <para>
-             Alternatively, you can create your own self-signed
-             certificate. Note, however, that self-signed certificates
-             should not be used in most production environments.
-             Self-signed certificates are not automatically accepted by
-             a user's browser.  Users are prompted by the browser to
-             accept the certificate and create the secure connection.
-             </para>
-
-             <para>
-              Once you have a self-signed certificate or a signed
-              certificate from the CA of your choice, you need to
-              install it on your secure server.
-             </para>
-        </sect3>
-        <sect3 id="types-of-certificates" status="complete">
-          <title>Types of Certificates</title>
-            <para>
-             You need a key and a certificate to operate your secure
-             server, which means that you can either generate a
-             self-signed certificate or purchase a CA-signed
-             certificate.  A CA-signed certificate provides two important
-              capabilities for your server:
-            </para>
-
-            <itemizedlist>
-            <listitem>
-            <para>
-            Browsers (usually) automatically recognize the certificate
-            and allow a secure connection to be made without prompting
-            the user.
-            </para>
-            </listitem>
-            <listitem>
-            <para>
-             When a CA issues a signed certificate, it is
-             guaranteeing the identity of the organization that is
-             providing the web pages to the browser.
-            </para>
-            </listitem>
-            </itemizedlist>
-
-            <para>
-             Most Web browsers that support SSL have a list of CAs whose
-             certificates they automatically accept. If a browser
-             encounters a certificate whose authorizing CA is not in the
-             list, the browser asks the user to either accept or decline
-             the connection.
-            </para>
-            <para>
-             You can generate a self-signed certificate for your secure 
server, but
-            be aware that a self-signed certificate does not provide the same
-            functionality as a CA-signed certificate. A self-signed 
certificate is
-            not automatically recognized by most Web browsers, and a 
self-signed
-            certificate does not provide any guarantee concerning the identity 
of
-            the organization that is providing the website. A CA-signed 
certificate
-            provides both of these important capabilities for a secure server. 
-            The process of getting a certificate from a CA is fairly
-            easy. A quick overview is as follows:
-            </para>
-
-            <orderedlist>
-            <listitem>
-               <para>Create a private and public encryption key pair.</para>
-            </listitem>
-            <listitem>
-                 <para>Create a certificate request based on the public key. 
The
-              certificate request contains information about your server and 
the
-              company hosting it.</para>
-            </listitem>
-            <listitem>
-                 <para>Send the certificate request, along with documents 
proving your
-              identity, to a CA. We cannot tell you which certificate 
authority to
-              choose. Your decision may be based on your past experiences, or 
on the
-              experiences of your friends or colleagues, or purely on monetary
-              factors.</para>
-
-                    <para>Once you have decided upon a CA, you need to follow 
the
-              instructions they provide on how to obtain a certificate
-              from them.</para>
-            </listitem>
-            <listitem>
-               <para>When the CA is satisfied that you are indeed who you 
claim to be,
-            they send you a digital certificate.</para>
-            </listitem>
-            <listitem>
-               <para>Install this certificate on your secure server, and begin 
handling
-            secure transactions. </para>
-            </listitem>
-            </orderedlist>
-
-            <para>Whether you are getting a certificate from a CA or 
generating your own
-            self-signed certificate, the first step is to generate a key.
-            </para>
-        </sect3>
-        <sect3 id="generating-a-csr" status="complete">
-          <title>Generating a Certificate Signing Request (CSR)</title>
-            <para>
-            To generate the Certificate Signing Request (CSR), you should 
create your
-            own key. You can run the following command from a terminal prompt 
to create the
-            key:
-            </para>
-
-            <para>
-<screen>
-<command>openssl genrsa -des3 -out server.key 1024</command>
-</screen>
-            </para>
-<programlisting>
-Generating RSA private key, 1024 bit long modulus
-.....................++++++
-.................++++++
-unable to write 'random state'
-e is 65537 (0x10001)
-Enter pass phrase for server.key:
-</programlisting>
-
-        <para>
-        You can now enter your passphrase. For best security, it should
-        at least contain eight characters. The minimum length when
-               specifying -des3 is four characters. It should include numbers
-        and/or punctuation and not be a word in a dictionary. Also
-        remember that your passphrase is case-sensitive. 
-        </para>
-
-        <para>
-        Re-type the passphrase to verify. Once you have re-typed it
-        correctly, the server key is generated and stored in
-        <filename>server.key</filename> file.
-        </para>
-
-        <warning>
-        <para>
-        You can also run your secure web server without a passphrase.
-        This is convenient because you will not need to enter the
-        passphrase every time you start your secure web server. But it
-        is highly insecure and a compromise of the key means a
-        compromise of the server as well.
-        </para>
-        </warning>
-
-        <para>
-        In any case, you can choose to run your secure web server without
-        a passphrase by leaving out the -des3 switch in the generation
-        phase or by issuing the following command at a terminal prompt:
-        </para>
-
-        <para>
-<screen>
-<command>openssl rsa -in server.key -out server.key.insecure</command>
-</screen>
-        </para>
-        <para>
-        Once you run the above command, the insecure key will be stored
-        in the <filename>server.key.insecure</filename> file. You can use this
-        file to generate the CSR without passphrase.
-        </para>
-
-        <para>
-        To create the CSR, run the following command at a terminal prompt:
-        </para>
-
-        <para>
-<screen>
-<command>openssl req -new -key server.key -out server.csr</command>
-</screen>
-        </para>
-
-        <para>It will prompt you enter the passphrase. If you enter the
-        correct passphrase, it will prompt you to enter Company Name,
-        Site Name, Email Id, etc. Once you enter all these details, your
-        CSR will be created and it will be stored in the
-        <filename>server.csr</filename> file. You can submit this CSR file
-        to a CA for processing. The CAN will use this CSR file and issue
-        the certificate. On the other hand, you can create self-signed
-        certificate using this CSR.</para>
-
-        </sect3>
-        <sect3 id="creating-a-self-signed-certificate" status="complete">
-          <title>Creating a Self-Signed Certificate</title>
-            <para>
-            To create the self-signed certificate, run the
-            following command at a terminal prompt:
-            </para>
-
-            <para>
-<screen>
-<command>openssl x509 -req -days 365 -in server.csr -signkey server.key -out 
server.crt</command>
-</screen>
-            </para>
-
-            <para>The above command will prompt you to enter the
-            passphrase. Once you enter the correct passphrase, your
-            certificate will be created and it will be stored in the
-            <filename>server.crt</filename> file.  </para>
-        <warning>
-        <para>
-            If your secure server is to be used in a production environment, 
you
-            probably need a CA-signed certificate.  It is not
-            recommended to use self-signed certificate.
-        </para>
-        </warning>
-        </sect3>
-        <sect3 id="installing-the-certificate" status="complete">
-          <title>Installing the Certificate</title>
-
-            <para>You can install the key file
-            <filename>server.key</filename> and certificate file
-            <filename>server.crt</filename> or the certificate file issued
-            by your CA by running following commands at a terminal prompt:
-            </para>
-            <para>
-<screen>
-<command>sudo cp server.crt /etc/ssl/certs</command>
-<command>sudo cp server.key /etc/ssl/private</command>
-</screen>
-            </para>
-            <para>
-            You should add the following four lines to the
+
+         <para>
+          In order for <application>Apache</application> to provide HTTPS, 
+          a <emphasis>certficate</emphasis> and <emphasis>key</emphasis> file 
are also needed.
+          For information on generating a key and obtaining a certificate see 
<xref linkend="certificates-and-security"/>
+          </para>
+            <para>
+            To configure <application>Apache</application> for HTTPS add the 
following four lines to the
             <filename>/etc/apache2/sites-available/default</filename>
-            file or the configuration file for your secure virtual
-                       host. You should place them in the 
<emphasis>VirtualHost</emphasis> section. They
-            should be placed under the <emphasis>DocumentRoot</emphasis> line:
+            file, or the configuration file for your secure virtual
+           host. They should be placed in the <emphasis>VirtualHost</emphasis> 
section
+            under the <emphasis>DocumentRoot</emphasis> line:
             </para>
 <programlisting>
 SSLEngine on
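Review bot: The sentence ending in `<xref linkend="certificates-and-security"/>` has no terminating period, and "certficate" two lines above it should be "certificate". The xref now points at the sect1 id created in security.xml in this same commit while the old sect3 carrying that id is removed here, so the link only resolves when both files are built together as one book; a build check that the id is defined exactly once is worth doing. Minor: "a certficate and key file are also needed" reads better as "a certificate and a key file are also needed".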
@@ -672,30 +450,33 @@
 SSLCertificateFile /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
 </programlisting>
-          
-        </sect3>
-        <sect3 id="accessing-the-server" status="complete">
-          <title>Accessing the Server</title>
+            <note>
+              <para>
+              The directories <filename>/etc/ssl/certs</filename> and 
<filename>/etc/ssl/private</filename> are the
+              default locations.  If you install the certifcate and key in 
another directory make sure to change
+              <emphasis>SSLCertificateFile</emphasis> and 
<emphasis>SSLCertificateKeyFile</emphasis> appropriately.
+              </para>
+            </note>
             <para>
-            Once you install your certificate, you should restart your
+            Once you install your certificate, and configure Apache, you 
should restart your
             web server. You can run the following command at a terminal prompt 
to
             restart your web server:
             </para>
             <para>
 <screen><command>sudo /etc/init.d/apache2 restart</command> </screen>
             </para>
-        <note><para>
-        You should remember and enter the passphrase every time you
-        start your secure web server.
-        </para></note>
-
-            <para>You will be prompted to enter the passphrase. Once you
-            enter the correct passphrase, the secure web server will be
-            started. You can access the secure server pages by typing
-            https://your_hostname/url/ in your
-            browser address bar.</para>
-
-        </sect3>
+
+            <note>
+              <para>
+              Depending on how you obtained your certificate you may need to 
+              enter a passphrase when <application>Apache</application> 
starts. 
+              </para>
+            </note>
+            <para>
+           You can access the secure server pages by typing
+            https://your_hostname/url/ in your browser address bar.
+            </para>
+
       </sect2>
       <sect2 id="http-references" status="complete">
         <title>References</title>
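Review bot: The new note says the passphrase prompt depends on "how you obtained your certificate", but whether Apache prompts at startup is decided by whether the private key was encrypted (the -des3 option used when generating server.key in the security.xml change), not by where the certificate came from; suggest "Depending on how you generated your key, you may need to enter a passphrase when Apache starts." Also "certifcate" in the new note about the default directories should be "certificate", and "Once you install your certificate, and configure Apache, you should restart" does not need the comma after "certificate".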



--

https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy


-- 
ubuntu-doc-commits mailing list
ubuntu-doc-commits@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits