Using Pre-Existing Keys And Certificates - Red Hat ENTERPRISE LINUX 4 System Administration Manual

Chapter 25. Apache HTTP Secure Server Configuration
A secure server uses a certificate to identify itself to Web browsers. You can generate your own
certificate (called a "self-signed" certificate), or you can get a certificate from a CA. A certificate from a
reputable CA guarantees that a website is associated with a particular company or organization.
Alternatively, you can create your own self-signed certificate. Note, however, that self-signed
certificates should not be used in most production environments. Self-signed certificates are not
automatically accepted by a user's browser — users are prompted by the browser to accept the
certificate and create the secure connection. Refer to Section 25.5, "Types of Certificates" for more
information on the differences between self-signed and CA-signed certificates.
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must
install it on your secure server.

25.4. Using Pre-Existing Keys and Certificates

If you already have an existing key and certificate (for example, if you are installing the secure server
to replace another company's secure server product), you can probably use your existing key and
certificate with the secure server. The following two situations provide instances where you are not
able to use your existing key and certificate:
• If you are changing your IP address or domain name — Certificates are issued for a particular IP
address and domain name pair. You must get a new certificate if you are changing your IP address
or domain name.
• If you have a certificate from VeriSign and you are changing your server software — VeriSign is
a widely used CA. If you already have a VeriSign certificate for another purpose, you may have
been considering using your existing VeriSign certificate with your new secure server. However, you
are not allowed to because VeriSign issues certificates for one specific server software and IP
address/domain name combination.
If you change either of those parameters (for example, if you previously used a different secure
server product), the VeriSign certificate you obtained to use with the previous configuration will not
work with the new configuration. You must obtain a new certificate.
If you have an existing key and certificate that you can use, you do not have to generate a new key
and obtain a new certificate. However, you may need to move and rename the files which contain your
key and certificate.
Move your existing key file to:
/etc/httpd/conf/ssl.key/server.key
Move your existing certificate file to:
/etc/httpd/conf/ssl.crt/server.crt
After you have moved your key and certificate, skip to Section 25.9, "Testing The Certificate".
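Before the files are moved, it is worth confirming that the key and certificate belong together and that the key ends up readable only by its owner. The script below is an added example, not part of the Red Hat manual; it assumes unencrypted PEM files and the openssl command, and the DESTROOT argument and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual): verify a pre-existing key/certificate
# pair, then install it at the paths Section 25.4 names.
# Assumes unencrypted PEM files; DESTROOT is a hypothetical prefix so the
# install step can be tried outside /etc.

KEY_PATH=/etc/httpd/conf/ssl.key/server.key
CRT_PATH=/etc/httpd/conf/ssl.crt/server.crt

# Print the public key (PEM) held in a certificate or a private key.
# $1 = "cert" or "key", $2 = file. Fails if the file cannot be parsed.
pubkey_pem() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] && printf '%s\n' "$pem"
}

# Succeed only if the key and certificate carry the same public key.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    k=$(pubkey_pem key "$1") || return 1
    c=$(pubkey_pem cert "$2") || return 1
    [ "$k" = "$c" ]
}

# Succeed only if the certificate has not expired yet.
cert_is_current() {    # $1 = certificate file
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Copy a verified pair into place; the key is readable by its owner only.
install_pair() {       # $1 = key, $2 = certificate, $3 = DESTROOT (optional)
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    cert_is_current "$2"       || { echo "certificate has expired" >&2; return 1; }
    mkdir -p "$3${KEY_PATH%/*}" "$3${CRT_PATH%/*}" || return 1
    install -m 600 "$1" "$3$KEY_PATH" &&
    install -m 644 "$2" "$3$CRT_PATH"
}

# Run as: sh install-pair.sh old.key old.crt   (constructed file names)
if [ "$#" -ge 2 ]; then
    install_pair "$@"
fi
```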
If you are upgrading from the Red Hat Secure Web Server, your old key (httpsd.key) and certificate
(httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that
the secure server can use them. Use the following two commands to move and rename your key and
certificate files: