Normal web traffic is sent unencrypted over the Internet. This means that anyone with access to the right tools can snoop on all of that traffic. Obviously this can lead to problems, especially where security and privacy are necessary, such as in bank and credit card transactions. The Secure Socket Layer (SSL) is used to encrypt the data stream between a web server and a web client.
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (the basis of a public key infrastructure, PKI). With public key cryptography two keys are created, one public and one private. Anything encrypted with either key can only be decrypted with its counterpart. Thus, if a message or data stream is encrypted with the server's private key, it can be decrypted only with the corresponding public key, which ensures that the data could only have come from the server.
SSL Certificates
If SSL uses public key cryptography to encrypt the data stream travelling over the Internet, why is a certificate necessary? The technical answer is that the certificate is not really necessary: the data is secure and cannot easily be decrypted by a third party. The certificate does, however, play a decisive role in the communication process.
A certificate signed by a trusted Certificate Authority (CA) ensures that the certificate holder really is who it claims to be. Without a trusted signed certificate your data may still be encrypted, but the party you are communicating with may not be who you think it is. Without certificates, impersonation attacks would be much more common.
Step 1: Generate a Private Key
The openssl toolkit is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate a self-signed certificate for testing purposes or internal use.
The first step is to create your RSA private key. This is a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.
Command:
openssl genrsa -des3 -out server.key 1024
Output:
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Step 2: Generate a CSR (Certificate Signing Request)
Once the private key is generated, a certificate signing request can be generated. The CSR is then used in one of two ways. Ideally, the CSR is sent to a Certificate Authority such as Thawte or Verisign, which verifies the identity of the requestor and issues a signed certificate. The second option is to self-sign the CSR, which is shown in the next section.
During CSR generation you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts is for the "Common Name (e.g., your name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the web site to be protected will be https://public.akadia.com, enter public.akadia.com at this prompt. Generate the CSR with the following command:
Command:
openssl req -new -key server.key -out server.csr
Output:
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Remove Passphrase from Key
One unfortunate side effect of the pass-phrase-protected private key is that Apache asks for the pass phrase every time the web server is started. Obviously this is not always convenient, since someone will not always be around to type in the pass phrase, for example after a reboot or a crash. mod_ssl can use an external program in place of the built-in pass phrase dialog, but this is not necessarily the most secure option either. It is also possible to remove the Triple-DES encryption from the key, so that no pass phrase needs to be typed at all.
If the private key is no longer encrypted, it is critical that this file be readable only by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that said, use the following command to remove the pass phrase from the key:
Command:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
The newly created server.key file no longer contains a pass phrase.
Output:
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org
Step 4: Generating a Self-Signed Certificate
At this point you generate a self-signed certificate, either because you don't plan on having your certificate signed by a Certificate Authority, or because you want to test your new SSL setup while the CA is still signing your certificate. This temporary certificate will cause the client browser to show an error to the effect that the signing certificate authority is unknown and not trusted.
To generate a temporary certificate which is good for 365 days, issue the following command:
Command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Output:
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
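Steps 1 through 4 above as one non-interactive script, followed by the checks a practitioner would run before installing the files. This is an added example, not the page's own commands: it assumes the openssl CLI is on PATH, supplies the pass phrase with -passout/-passin instead of the interactive prompt, and uses a 2048-bit key encrypted with AES-256 in place of the page's 1024-bit Triple-DES key.

```shell
#!/bin/sh
# Added example, not from the original page: Steps 1-4 as one non-interactive
# script plus the checks a practitioner runs afterwards. Assumptions: the
# openssl CLI is on PATH, the pass phrase comes from -passout/-passin instead
# of the prompt, and a 2048-bit RSA key encrypted with AES-256 replaces the
# page's 1024-bit Triple-DES key (commands are otherwise the page's).
set -eu

# Steps 1-4 for one hostname; every file is written into $1.
make_self_signed() {
    dir=$1; host=$2; pass=$3
    mkdir -p "$dir"
    # Step 1: pass phrase protected private key
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    # Step 2: CSR; -subj answers the prompts, CN must be the site's FQDN
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=$host" \
        -out "$dir/server.csr"
    # Step 3: strip the pass phrase; keep the encrypted copy and make both
    # files owner-only, since the plaintext key now protects the whole site
    cp "$dir/server.key" "$dir/server.key.org"
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/server.key.org"
    # Step 4: self-signed certificate, valid 365 days
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
}

# Check: the certificate was issued for the key Apache will load (same modulus).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    [ "$k" = "$c" ]
}

# Check: the Common Name is the hostname browsers will connect to.
cert_has_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | grep -q "CN *= *$2"
}

# Check: Step 3 really removed the encryption (Apache would otherwise prompt).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1/server.key"
}
# Check: the plaintext key is readable by its owner only (mode 600).
key_is_private() {
    mode=$(stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key")
    [ "$mode" = "600" ]
}
```

Source the file and run make_self_signed ./certs public.akadia.com 'your-pass-phrase', then the four check functions with ./certs as their argument; each returns non-zero on a mismatch.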
Step 5: Installing the Private Key and Certificate
When Apache with mod_ssl is installed, it creates several directories under the Apache config directory. The location of this directory differs depending on how Apache was compiled.
Config code:
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
Step 6: Configuring SSL Enabled Virtual Hosts
http-ssl.conf:
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"