begin using your secure server, however, you must generate your own key and obtain a certificate
which correctly identifies your server.
You need a key and a certificate to operate your secure server — which means that you can either
generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the
differences between the two?
A CA-signed certificate provides two important capabilities for your server:
• Browsers (usually) automatically recognize the certificate and allow a secure connection to be
made, without prompting the user.
• When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is
providing the webpages to the browser.
If your secure server is being accessed by the public at large, your secure server needs a certificate
signed by a CA so that people who visit your website know that the website is owned by the
organization that claims to own it. Before signing a certificate, a CA verifies that the organization
requesting the certificate is actually who it claims to be.
Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept.
If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user
to either accept or decline the connection.
You can generate a self-signed certificate for your secure server, but be aware that a self-signed
certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate
is not automatically recognized by most Web browsers and does not provide any guarantee
concerning the identity of the organization that is providing the website. A CA-signed certificate
provides both of these important capabilities for a secure server. If your secure server is to be used in
a production environment, a CA-signed certificate is recommended.
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
1. Create an encryption private and public key pair.
2. Create a certificate request based on the public key. The certificate request contains information
about your server and the company hosting it.
3. Send the certificate request, along with documents proving your identity, to a CA. Red Hat does
not make recommendations on which certificate authority to choose. Your decision may be based
on your past experiences, on the experiences of your friends or colleagues, or purely on monetary
factors.
Once you have decided upon a CA, you need to follow the instructions they provide on how to
obtain a certificate from them.
4. When the CA is satisfied that you are indeed who you claim to be, they provide you with a digital
certificate.
5. Install this certificate on your secure server and begin handling secure transactions.
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first
step is to generate a key. Refer to Section 22.8.5, "Generating a Key" for instructions.
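Steps 1 and 2 of the overview, followed by the self-signed alternative and the trust-list check a client performs, as an added example that is not part of the Red Hat manual. It assumes the openssl command-line tool is used directly (the manual's own procedure is in Section 22.8.5); the subject fields, file names and the "Other Root" CA are constructed.

```sh
umask 077; WORK=$(mktemp -d)   # key and scratch files readable by this user only

# Steps 1 and 2: key pair, then a request describing the server and its company.
make_key_and_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
CN = www.example.com
EOF
    openssl req -new -key "$WORK/server.key" -config "$WORK/req.cnf" -out "$WORK/server.csr"
}

# The request must carry the public half of the key generated in step 1.
csr_matches_key() {
    [ "$(openssl req -in "$WORK/server.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Self-signed alternative: the server's own key signs the request.
make_self_signed() {
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -days 30 -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Constructed stand-in for a CA that is on the client's list but did not sign our certificate.
make_unrelated_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/O=Constructed Other CA/CN=Other Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Issuer equals subject: no third party vouches for the identity.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds only if certificate $1 chains to the trust list in file $2.
trusted_with() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

make_key_and_csr && make_self_signed && make_unrelated_root
csr_matches_key && is_self_issued "$WORK/selfsigned.crt" && echo "self-signed, key matches CSR"
trusted_with "$WORK/selfsigned.crt" "$WORK/other.crt" || echo "rejected: signer not on trust list"
trusted_with "$WORK/selfsigned.crt" "$WORK/selfsigned.crt" && echo "accepted after manual trust"
```

For a CA-signed certificate, server.csr is the file sent to the CA in step 3; server.key stays on the server.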