
Secure Sockets Layer (SSL) provides a level of security and privacy for those wanting to conduct secure transactions over the Internet. Introduced to the Internet market by Netscape Communications, the SSL protocol protects HTTP transmissions over the Internet by adding a layer of encryption. This ensures that your transactions are not subject to "sniffing" by a third party.

SSL provides visitors to your Web site with the confidence to communicate securely via an encrypted session. For companies wanting to conduct secure e-commerce, such as receiving credit card numbers or other sensitive information online, SSL is essential.

Accessing Your Secure Server

You can access all of the web content on your VPS v2 Virtual Server (documents, images, scripts, etc.) using SSL by typing the https:// prefix rather than the http:// prefix. For example, your secure Web site can be accessed like this:

https://your_company.com/

You can send the data collected by a form on your Web site to a CGI script using SSL by including something like this in form page HTML:

<form method="POST" action="https://your_company.com/cgi-bin/script.cgi">

Be sure that you do not reference embedded document content (images, etc.) insecurely by using the http:// prefix, like this:

<img src="http://your_company.com/image.gif">

It is possible to use SSL in conjunction with other Internet protocols.

Identifying Your Server

The Secure Server (httpsd) employs a digital certificate embedded in the operating system kernel. While SSL handles the encryption part of a secure HTTP transaction, the protocol is not complete without a Server ID, also known as a digital certificate.

A digital certificate provides a legal basis for transactions on the Internet. Simply put, it is an electronic ID or "credibility card" that establishes your credentials to potential customers doing business on the Web. It assures them that your Web site is legitimately yours and not an impostor's.

A digital certificate contains: your name, a serial number, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real, and a date of expiration.

You may use our digital certificate without incurring any additional costs, but if you are serious about establishing a secure site, you should obtain your own. Because the VPS v2 Virtual Server has only one IP address, it can only support one digital certificate. Therefore, virtual subhosts that share the same VPS v2 Virtual Server must also share the same digital certificate.

Using a Certificate Other than Your Own

It is not necessary to order your own digital certificate because you can use the default digital certificate included with your Secure Server. As stated earlier, the digital certificate includes information about the ownership of the certificate. When your clients visit your secure Web site, their browser (e.g. Navigator, MSIE) checks the domain name on the certificate to see if it matches the site name included in the URL. If a match is not found, users are notified that this is a potential security issue.

In reality, the domain name mismatch in no way hinders the security of the transactions. The warning simply notes that the domain name included with the digital certificate ownership information does not match the domain name of the Web site requested. The transaction is still secure. Even though the warning is couched in "unlikely" terms, many of your clients may feel uncomfortable conducting a transaction after such a warning is generated.

We developed a way around the warning (for all browsers which support signed certificates, including MSIE 4.0+ and Netscape 3.0+) that still ensures the integrity of the secure transactions. The default digital certificate installed with your secure server is owned by our company but, instead of "2kweb.net", includes the domain name "securesites.com". When you order your secure server, Enetrics Communications sets up a canonical name in the securesites.com zone file for your account. This canonical name has the form

account-name.securesites.net.

For example, if the account name for your VPS v2 Virtual Server is "surfutah", then a canonical name "surfutah.securesites.net" is set up for your use. You can then access your secure server without generating a warning by referencing "https://surfutah.securesites.net". An example of this reference is illustrated below:

<form method="POST" action="https://surfutah.securesites.net/cgi-bin/order.cgi">

The default certificate is a generic way to provide secure access to your VPS v2 Virtual Server. If you want to use your own domain name to provide secure access to your server, however, you need to get a custom digital certificate. This not only provides secure access to your VPS v2 Virtual Server, it provides an additional level of customer confidence by using your own domain name in the secure area of your site.

Note: Only one digital certificate can be used on a VPS v2 Virtual Server. This means that a custom digital certificate will disable your ability to use the securesites.com certificate. This also means that any other domain on the server will not be able to have a digital certificate.

Ordering Your Own Digital Certificate

The default certificate is a generic way to provide secure access to your VPS v2 Virtual Server. However, if you want to use your own domain name to provide secure access to your server, you must get a custom digital certificate. A digital certificate provides secure access to your VPS v2 Virtual Server and an additional level of customer confidence by using your own domain name in the secure area of your Web site.

    1. Create a signing request and private key. In order to obtain a signed digital certificate, you must create a Certificate Signing Request, or CSR. At the same time your CSR is created, you also generate a private key. The CSR is used by the signing authority to create a signed digital certificate which works with your private key to provide secure access to your Web site.
      Among the information that you will need to supply before generating the CSR and private key is the PEM passphrase. This is a security phrase that, like a password, ensures that only you can use your digital certificate. Use a phrase you can easily remember but which is difficult to guess. You will need to enter the passphrase again later, when you install your signed certificate.
      1. Connect to the VPS v2 Virtual Server using SSH and type:
        # openssl req -new
      2. Provide the information requested. Most questions are self-explanatory, except that "common name" refers to the domain name that you want to use when accessing your site using SSL (i.e. domain.com, www.domain.com, cname.domain.com or *.domain.com). When you have entered all the data, your CSR will be shown.
      3. Save the CSR by copying and pasting it into a file on your local computer. You will need it when you order your SSL certificate from the signing authority's Web site.
      4. In the directory where you were when you ran the openssl command, you will also find a new file called privkey.pem. This is your private key, which you will need later. The lines containing BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY are part of the key.
    2. Obtain the signed certificate from a signing authority. There are a number of signing authorities, such as GeoTrust, GlobalSign, and VeriSign. Decide which signing authority you want and order your signed certificate.
      The ordering process for obtaining a signed digital certificate is different for each vendor and certificate type. There are, however, some things that remain the same across all of them. Here are a few useful tips for ordering your certificate.
      • At some point in the ordering process, you will be asked for a Server Type or the Server Software you are running. You will need to select Apache-SSL or Apache with OpenSSL.
      • When you are prompted to enter the CSR, be sure to paste it exactly as it appeared on the screen when you generated it, including the top and bottom lines.
      • You will be required to enter information about your company, including the official company name and address. You will also be required to mail copies of a number of documents to prove you really are who you claim to be.
    3. After you have obtained a signed digital certificate, you need to install it and set up SSL to use your certificate and private key instead of the default.
      1. When you received your certificate, you probably saved it to a file on your local computer. Copy the file (in ASCII format) onto your VPS v2 Virtual Server using FTP and save it in /usr/local/certs with the name ssl.cert.
      2. After the certificate is on your server, take the private key that you generated at the same time as the CSR and copy it to /usr/local/certs with the name ssl.pk. Keep a copy of the private key in a different location as well, so that if you make a mistake you don't lose your private key. You may want to create a directory on your server and store a copy of both your private key and the certificate there until you are certain that the new certificate is working properly.
      3. Go to /usr/local/apache/httpd.conf and add the following two lines:
        SSLCertificateFile /usr/local/certs/ssl.cert
        SSLCertificateKeyFile /usr/local/certs/ssl.pk
      4. With both files in place, connect to your VPS v2 Virtual Server using SSH and type:
        % openssl rsa -in ssl.pk -out ssl.pk
        This command removes the default encryption on your key and makes it usable by the Apache Web Server.
      5. With the key decrypted, type:
        % restart_apache
        to restart the Web server using your new certificate. You can tell whether your private key has been decrypted by looking at the file. When your key was generated, the first few lines looked similar to the following:
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,BCC23A5E16582F3D
        hfWyPkea3gnVCHCZJ/zgQpCH9RZF7WjYXGYohdbfkJY0ETLwXaqjvnNHQlLomwIt
        After decrypting your key, the file should look similar to the following:
        -----BEGIN RSA PRIVATE KEY-----
        MIICXQIBAAKBgQCot9aa9R38QevFSWqU718VFxqEDcY4gJfdZ6sBy282jdgCVcwU
        q92tQ5V3amQanoSIWxI/O9GYm5kJSo3b2qGib2sqLiHZFav/bRjL5IDFOMwcSTyp
      6. Check to make sure the new certificate is working by connecting, via HTTPS, to the domain your certificate is set up to use. For example, if your domain name were www.my-domain.name, you would type the following into your browser's location bar:
        https://www.my-domain.name
        If the page loads without any errors, find the lock icon in your browser and click on it (depending on your browser, you may need to double-click). This will bring up the certificate information, or a window that lets you view the certificate information. Check that the certificate is using the correct domain name and has the correct information.
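Before running restart_apache you can check the installed files from the shell instead of waiting for a browser warning. The script below is an added example, not part of this handbook or of the hosting company's tools; it assumes the openssl command line tool is installed, takes the key file, certificate file and host name as arguments, and verifies the three things the procedure above depends on: the key is no longer passphrase-encrypted, the certificate was issued for that key, and the certificate's common name covers the host name you will type into the browser (including a *.domain.com wildcard CSR).

```shell
#!/bin/sh
# Sanity checks for the files installed in /usr/local/certs, to run before
# "restart_apache". Needs the openssl command line tool.
# Usage: sh check-ssl.sh /usr/local/certs/ssl.pk /usr/local/certs/ssl.cert www.my-domain.name

# True if the key is unencrypted, i.e. it has already been through
# "openssl rsa -in ssl.pk -out ssl.pk": no Proc-Type: 4,ENCRYPTED header,
# and openssl can load it with an empty passphrase.
key_is_unencrypted() {
    ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1" &&
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}
# True if the certificate was issued for this key: the RSA modulus in the
# certificate's public key must equal the modulus of the private key.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$key_mod" = "$cert_mod" ]
}
# True if the certificate's expiry date has not passed yet.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
# Print the Common Name from the certificate subject (the name the browser
# compares with the host name in the URL).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# True if HOST is covered by CN, including a "*.domain.com" wildcard, which
# browsers accept for exactly one label (www.domain.com, not domain.com).
cn_covers_host() {
    cn=$1; host=$2
    case "$cn" in
        \*.*) [ "${host#*.}" = "${cn#\*.}" ] ;;
        *)    [ "$cn" = "$host" ] ;;
    esac
}
# Run all checks; print the first problem found and return non-zero.
check_install() {
    key_is_unencrypted "$1" || { echo "$1 is still encrypted; run: openssl rsa -in $1 -out $1"; return 1; }
    key_matches_cert "$1" "$2" || { echo "$1 does not match $2"; return 1; }
    cert_not_expired "$2" || { echo "$2 has expired"; return 1; }
    cn_covers_host "$(cert_common_name "$2")" "$3" || { echo "$2 is not valid for $3"; return 1; }
    echo "ok: $2 is valid for $3 and matches $1"
}

if [ $# -eq 3 ]; then check_install "$1" "$2" "$3"; fi
```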

For More Information
For more information about the topics discussed in this chapter, see the following pages on the Enetrics Communications Web site.

Official Apache Web site
Documentation on Directives
Additional Apache Sources
