This article originally appeared in the April 1998 issue of Sys Admin Magazine.

Acquiring and Installing a Server Certificate

Brian Tanaka


As the demand for "secure web browsing" grows, so does the probability that you'll need to administer an SSL-enabled web server. In this article I will explain one critical element of configuring an SSL-enabled web server: acquiring and installing a server certificate.


Server Certificates and SSL

SSL is too complex to be explored in detail in a how-to article such as this one. However, I will outline briefly the basic concepts. I encourage you to refer to the resources available at the end of this article.

If I use a web browser to view web pages I am not terribly concerned about security. However, if I exchange sensitive data (such as credit card information) with a web server I am very concerned about security. Specifically, I want:

  1. to trust that I am exchanging my information with the correct server rather than an impostor, and

  2. to know that the data is encrypted while in transit.

In cryptographic terms, I want "server authentication" and "data confidentiality". SSL, or Secure Sockets Layer, is designed to provide these two security features. (It addresses other security concerns too but these are two of the most important.)

SSL-enabled web servers must have a server certificate. Roughly stated, a server certificate is a form of digital identification and is issued by a Certificate Authority (CA).

A server certificate requires a key pair. In "public key cryptography" (which SSL uses) there are two digital keys: a public and a private key. Together they form a key pair. What is encrypted with one key only the other can decrypt. As its name implies, the public key can be made publicly available. The private key must remain secret.

To summarize: SSL is intended to increase security between web clients and web servers and you need a server certificate to use SSL.

To acquire a server certificate you need to:

  • Generate a key pair and Certificate Signing Request (CSR) on your server

  • Submit the CSR to a Certificate Authority (CA)

  • Install the server certificate

  • Enable SSL on your web server

I will explain these steps in the remainder of this article.


A Quick Word About Cost

Before you begin the process of acquiring a server certificate, please note that the monetary cost is sometimes overlooked when planning to use SSL. The CA will probably charge for their services. Research the current cost of CA services and make sure the cost is within your organization's budget. Also note that the costs are recurring.


Generating the Key Pair

You generate the key pair using the interface provided by your web server software. Let's look at a specific example.


Example of Generating the Key Pair Using Netscape Enterprise Server

In this example, I am using Netscape Enterprise Server 3.0. If you need more detail than what is provided in the steps below, please consult the Netscape Enterprise Server documentation.
  1. Log in as root.

  2. cd to bin/admin/admin/bin in the server root directory.

  3. Run ./sec-key.

  4. You will be prompted for an alias name. The alias will refer collectively to the key pair and the certificate file (allowing you to operate on them as a set and also allowing you to have multiple sets). The most common choice is to name it after the server. So, in my example, I name it "gfibbers". My key pair file will be /alias/gfibbers-key.db.

  5. In the next step you will be prompted to type keystrokes for a while in order to add some unpredictability to the random number used to create your keys. Do so until the progress meter stops.

  6. Next you will be prompted for a password for the key pair file. It is important to pick a good strong password. A strong password will not contain any words from any language, will be at least eight characters long, and will contain upper and lowercase letters as well as non-alphabetic characters such as punctuation marks. Don't forget the password since you will use it each time you start your SSL-enabled web server.

Now you're done. The key pair file has been created and stored on disk.

It is extremely important to make a backup copy of your key pair and password. It is equally important to secure both copies. If you lose or divulge your private key or password you will need to revoke your certificate and start over.

Next we'll create the CSR.


Generating the CSR

Think of the CSR as an application for a certificate. You will submit the CSR to the CA and they in turn will issue a server certificate to you.

There are a number of CAs in the world, but I'll use VeriSign for the examples in this article.

Before you go any further, it is wise to gather the information you will need in the next steps. There are two groups of information you will need: one for the CSR generation and one for VeriSign's application process.

For CSR Generation:

  • Key Pair File Password
    (You already know this since it was the one you chose when you generated the key pair.)

  • Requestor name
    (That's you!)

  • Telephone number
    (Your phone number. This is the number VeriSign will use to contact you by voice before issuing your certificate.)

  • Common name
    (The fully qualified domain name of your server, e.g. gfibbers.intuit.com.)

  • Email address
    (Your email address. One handy trick you might use is to have a mail alias for this purpose so that even if the person responsible for certificate management changes, the email address on file at VeriSign will still be correct.)

  • Organization
    (In my case it would be Intuit Inc.)

  • Organizational Unit
    (You can use this field to further distinguish the group that is using the certificate. For instance, "Online Commerce Division" or "Information Services". Choose wisely; this information will be a part of your certificate and is viewable by client-side users.)

  • Locality
    (Your city. In my case it would be Mountain View.)

  • State or Province
    (Your state. In my case it would be California. Note that you should not abbreviate.)

  • Country
    (Use the 2-character ISO format country code. Mine is US.)

For VeriSign:

  • Your server software vendor
    (In this example it would be Netscape.)

  • Challenge Phrase
    (Pick a phrase that's easy to remember but hard for someone else to guess. You'll use this if you need to request VeriSign to revoke the certificate in the future.)

  • Contact information
    (This can be a bit tricky. You need three contacts: a technical contact, an organizational contact, and a billing contact. The technical contact must be authorized to maintain the server. In most cases this will be you. The organizational contact must be an employee of your organization and be "authorized to make binding agreement" to VeriSign's legal agreement. This person should be different from the technical contact. The billing contact person will receive invoices and can be the same person as either of the other two contacts.)

  • How you will pay for the Digital ID
    (Credit card, purchase order, or check. Credit card is the fastest.)

  • Your Dun & Bradstreet D-U-N-S Number
    (This optional item also speeds up your order with VeriSign, as they use it to verify your corporate identity.)

Now that you've collected all of the above information, you are ready to generate your CSR. As in the case of the key pair generation, your web server software should provide a way to generate the CSR. Let's look at an example.


Example of Generating the CSR Using Netscape Enterprise Server

As in the example of generating your key pair above, I am using Netscape Enterprise Server 3.0 in this example, and you may refer to the Netscape Enterprise documentation for further details.
  1. Use your web browser to connect to the Server Administration page. In my example I would connect to http://gfibbers.intuit.com:9999. (Use the port you specified as the administrative port when you originally installed your server.)

  2. Choose Keys & Certificates. From that page, choose Request Certificate.

  3. A form will be presented to you. On this form, specify whether this is a new certificate or a renewal of an existing certificate. In this example, I'm applying for a new one, so I'll check that radio box.

  4. The next part of the form has a link to a "list of available certificate authorities". You may wish to view that page for an idea of what's available, but in this example I've already decided on VeriSign, so I'll skip that step.

  5. The next section allows you to either submit the request to your CA via email or via a web site. The trouble is that I don't want either of these two methods. VeriSign does not want the CSR sent to them via email since they want you to complete the enrollment procedure on their web pages (as you'll see in a bit), and the "submit via CA URL" method assumes that the CA is using Netscape Certificate Server. This is useful if you are submitting, say, to an in-house CA using that particular software, but that isn't the case in this example. What I really want is to output the request to a file. So, in order to get the file, I select "CA email address", but I fill in the address field with my own address. In this case, btanaka@intuit.com. When I'm done with this form, the CSR will come straight to me.

  6. In the next step, select the alias you created when you generated the key pair and enter the password you defined earlier.

  7. Lastly, fill in the remaining fields with the information you gathered beforehand (e.g. your name, phone number, server's common name, et cetera).

  8. When you've made sure the values are correct, click on the OK button at the bottom of the page. A subsequent page will ask you to verify that the information is correct.

  9. Since I specified my email address as the destination, I will receive the CSR in my mailbox. I'll save it to a file for use in the next section.


Submitting the CSR to a Certificate Authority

Now that you have the key pair and CSR you're ready to submit the CSR to a CA.

Since the CA is attesting to the binding between an identity and a public key, it must first satisfy itself that you are who you claim to be. When the CA is satisfied that everything is in order, it will issue you a certificate. The certificate will contain server identity information, your public key, other information (e.g. validity dates), and the CA's digital signature.

There are a number of ways of submitting the CSR, but let's look at a specific example that fits with our earlier steps.


Example of Submitting the CSR to VeriSign

VeriSign provides a web front-end to their CSR submission procedure. Here's how to use it:
  1. Aim your trusty web browser at http://digitalid.verisign.com. This is the main page of the VeriSign Digital ID Center. From this page you can apply for a digital ID, manage existing IDs, check on the status of your request, check the validity of an ID, et cetera.

  2. Click on Enroll.

  3. In the Organizations column, click on Web Servers.

  4. Choose the statement that best describes you. In this example, "I want a Secure Server Digital ID to run SSL on my server".

  5. Now select the proper server software vendor. In this example, I'll choose "Netscape" and on the next page I'll choose the correct Netscape product.

  6. The next page gives you an overview of the process. Part of the page describes what information you should have beforehand. Since you've already gathered all of the information you're ready to go. It would be wise to read over this page anyway, however, since it may contain important information that was not available or required at the time this article was written. Click on the Begin button.

  7. Ah, at last you're ready to submit the CSR. Open the mail message with the CSR in it. A CSR looks like this:
           -----BEGIN NEW CERTIFICATE REQUEST-----
           MIIBJTCB0AIBADBtMQswCQYDVQQGEwJVUzEQMA4GA1UEChs4lBMHQXJpem9uYTEN
           A1UEBxMETWVzYTEfMB0GA1UEChMWTWVs3XbnzYSBDb21tdW5pdHkgQ29sbGVnZTE
           A1UEAxMTd3d3Lm1jLm1hcmljb3BhLmVkdTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYC
           QQDRNU6xslWjG41163gArsj/P108sFmjkjzMuUUFYbmtZX4RFxf/U7cZZdMagz4I
           MmY0F9cdpDLTAutULTsZKDcLAgEDoAAwDQYJKoZIhvcNAQEEBQADQQAjIFpTLgfm
           BVhc9SQaip5SFNXtzAmhYzvJkt5JJ4X2r7VJYG3J0vauJ5VkjXz9aevJ8dzx37ir
           3P4XpZ+NFxK1R=
           -----END NEW CERTIFICATE REQUEST-----

  8. Copy the CSR and paste it in the edit box provided.

  9. The next page will show the values of the fields you filled in when you generated the CSR. Double check them.

  10. Fill out the rest of the fields with the information you gathered beforehand.

When you're done filling out the necessary forms you will need to wait for the CA to verify your information. The CA may contact you by phone to make last minute verifications before releasing your certificate.

When all is in order, the server certificate will be issued to you. Usually it is sent via email to the address you specified earlier. When you receive it, you are then ready to install the certificate on your server and enable SSL.


Installing the Server Certificate and Enabling SSL

As in the case of generating the key pair and generating the CSR, your web server vendor will most likely have provided a way of installing the certificate and enabling SSL. Let's look at an example.


Example of Installing the Server Certificate and Enabling SSL using Netscape Enterprise Server

Again, this example uses Netscape Enterprise Server 3.0 and additional information is available in the Netscape Enterprise documentation.
  1. Use your web browser to connect to the Server Administration page. In my example I would connect to http://gfibbers.intuit.com:9999. (Use the port you specified as the administrative port when you originally installed your server.)

  2. Choose Keys & Certificates. And from that page, choose Install Certificate.

  3. A form will be presented to you. On this form, specify whether this is a new certificate or a renewal of an existing certificate. In the example, I'm applying for a new one, so I'll check that radio box.

  4. Select This Server.

  5. Select Message Text (with headers).

  6. Paste the certificate issued to you by the CA in the edit box. Make sure that the text of the certificate is not mangled in any way. I once had trouble with spaces appended to each line. If the text is corrupted, the process will fail. Also, be sure you've included the "Begin Certificate" and "End Certificate" lines.

  7. Select the alias you created when you generated the key pair originally.

  8. Click on OK.

  9. You will be asked whether or not you want to add the certificate. Click on Add. Now the certificate will be stored in the file /alias/[alias]-cert.db. Since, in this example, my alias is "gfibbers", my certificate will be stored in /alias/gfibbers-cert.db.
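The CSR shown earlier and the "mangled text" caveat in step 6 above both come down to one question: is the PEM block you are about to paste intact? The following is an added example, not from the article or from Netscape's software; it uses only the Python standard library, the function names are mine, and the sample block is a constructed DER SEQUENCE standing in for a certificate, not a real one.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def der_envelope_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30, definite length)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits one byte
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def check_pem(text):
    """Return (ok, reason, cleaned_pem) for PEM text pasted from a mail message.
    Stray spaces and CR/LF endings are stripped and a cleaned copy returned;
    a missing BEGIN/END line, bad base64 or a truncated body is reported."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return False, "missing BEGIN line", None
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if lines[-1] != "-----END %s-----" % label:
        return False, "missing or mismatched END line", None
    body = "".join(lines[1:-1])
    if not body or not B64_RE.match(body) or len(body) % 4:
        return False, "base64 body is corrupted", None
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False, "base64 body is corrupted", None
    if not der_envelope_ok(der):
        return False, "DER length does not match body (truncated?)", None
    return True, "ok", "\n".join(lines) + "\n"

def to_pem(label, der):
    """Wrap DER bytes in PEM framing with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed stand-in for an issued certificate: one DER SEQUENCE with a
# long-form length (0x81 0x80 = 128 bytes of filler), not a real X.509 blob.
SAMPLE_DER = b"\x30\x81\x80" + bytes(128)
GOOD = to_pem("CERTIFICATE", SAMPLE_DER)
TRAILING_SPACES = GOOD.replace("\n", "   \r\n")           # cleans up fine
NO_END_LINE = "\n".join(GOOD.splitlines()[:-1]) + "\n"    # END line lost
TRUNCATED = GOOD.replace("AAA=\n-----END", "\n-----END")  # last bytes lost
```

Paste the cleaned copy that check_pem returns rather than the raw mail text; trailing spaces are repaired silently, while a lost END line or a body that decodes to fewer bytes than its DER header declares is something only a fresh copy from the CA will fix.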

Now that the certificate is installed, you can proceed to the next step and turn on SSL.

  1. Go back to the main Server Administration page and click on Admin Preferences.

  2. Click on Encryption On/Off.

  3. Use the radio button to turn encryption on.

  4. Select the alias you created earlier. In this example, I'll select "gfibbers".

  5. Click on OK. You can now set any security preferences you want.

  6. When you're done, you must stop and start the web server. Remember that you will be prompted for the key pair password when you try to start it. (See? I really did mean that you'll want to remember your password!)

Now that you have enabled SSL, users must use https instead of http to access your server. For instance, instead of http://gfibbers.intuit.com they will have to use https://gfibbers.intuit.com. Also note that the standard port for SSL is 443. If you specified port 443, then users do not need to specify it in the URL since it is assumed. But, if you chose some other port, then they will need to specify the port in the URL. For instance, if I chose port 4001, then they will need to use https://gfibbers.intuit.com:4001 to access the site.


Finishing Up

You may wish to change the parameters for SSL. For instance, you can specify which version of SSL to use (version 2 or version 3 at the time of this writing), specify which cipher suites to use, and so on. Consult your web server software vendor's documentation for more details.

After turning on SSL, I like to test the web server by comparing browser access via http and https URLs. When you successfully load a page via SSL, use your browser to view the certificate you installed. For instance, in Netscape Navigator you can select Page Info under the View menu and the lower pane in the subsequent window will show the certificate info including the length of the key, the distinguishing information about the server and the organization that controls it, who issued the certificate, the range of dates during which the certificate is valid, et cetera.

That reminds me, certificates have a validity date range. Before the starting date and after the ending date the certificate is not valid, and client software should reject it. Usually the operational period is one year, but it may be longer or shorter. Because of this, add another item to your ongoing maintenance list: certificate renewal. Find out how your CA's renewal process works and be prepared to renew well in advance of the certificate's expiration date.

Your web server is now SSL enabled. And since it never hurts to know more about the technology you manage, I list the following resources for further reading.

For Further Reading:

Netscape's SSL Documentation:
http://home.netscape.com/assist/security/ssl/index.html

SSL Documentation provided with Netscape Enterprise Server:
http://[yourhost]:[your admin serv port]/admin-serv/manual/ag/security.htm

VeriSign:
http://www.verisign.com

VeriSign Digital ID Center:
http://digitalid.verisign.com

VeriSign Information Desk:
http://digitalid.verisign.com/ask_veri.htm

Apache-SSL:
http://www.apache-ssl.org/

Web Security & Commerce
Simson Garfinkel with Gene Spafford
1st Edition, June 1997
ISBN 1-56592-269-7

Practical UNIX & Internet Security
Simson Garfinkel and Gene Spafford
2nd Edition, April 1996
ISBN 1-56592-148-8
