
Covalent Technologies, Inc.


7. Managing Your Keys And Server Certificates


Private keys and server certificates are essential elements of the SSL protocol. To secure your server with Covalent SSL, you need a server certificate and private key.
For details about how encryption, keys, certificates, and other security features work, see `Understanding SSL Security Features'.

The Covalent SSL Certificate and Key Management Tool

The Covalent Fast Start Server provides the Covalent SSL Certificate and Key Management Tool to automate many of the tasks associated with managing your server certificates and private keys.

Overview of Options

Generate Certificate and Key

Use this option to generate a private key and temporary server certificate. The private key and temporary server certificate are always generated together because the certificate contains the corresponding public key. For asymmetric encryption to function, the public and private key must match.

Self Sign Certificate

Use this option to self-sign the temporary server certificate. The temporary certificate is signed with your server's private key and is valid for 30 days. Browsers will not trust the temporary certificate, but you can use it to verify certificate contents and test secure HTTPS connections to your site.

Generate Certificate Signing Request

Use this option to generate a Certificate Signing Request (CSR) to submit to a Certificate Authority (CA). The CSR is an unsigned version of the server certificate.

Install CA Signed Certificate

After the Certificate Authority (CA) signs your Certificate Signing Request (CSR), use this option to install it. Once you install the CA-signed certificate, you are ready to conduct secure transactions.

Decrypt RSA Key

For security reasons, the private key is stored encrypted. Each time you start the server, you must enter a pass phrase to decrypt the key. You can use this option to decrypt the key and eliminate the pass phrase.
CAUTION!
Decrypting the key can reduce your security. The decrypted key is stored read-only by root, so it is only as secure as your root login.

Encrypt RSA Key

If you are storing a private key decrypted and decide you want to store it encrypted, use this option to re-establish a pass phrase and encrypt the key. You can also use this option in combination with the Decrypt RSA Key option to change a key's pass phrase.

Starting the Covalent SSL Certificate and Key Management Tool

  1. Change to the /path/to/ssl1.5/bin directory.
  2. Start the Covalent SSL Certificate and Key Management Tool.
    For the graphical interface, execute:
    ./sslctl

    The main screen displays.
    For the text interface, execute:
    ./sslctl --textmode

    The main menu displays:
    Welcome to the Covalent SSL Certificate and Key Management Tool
    ===============================================================
    
    Choose an action :
    (1) Generate Certificate and Key
    (2) Self Sign Certificate
    (3) Generate Certificate Signing Request
    (4) Install CA Signed Certificate
    (5) Decrypt RSA Key
    (6) Encrypt RSA Key
    (7) Exit
    Selection?  -> 1  
    
  3. Select the appropriate option as detailed in the following sections.

Generating and Testing a Private Key and Server Certificate

  1. From the Covalent SSL Certificate and Key Management Tool, select the Generate Certificate and Key option.
  2. Enter the name of the server you want to certify. The name you enter is used to create the key and server certificate file names.
  3. Select the size of your private key. Your choice is 512 or 1024 bits. A key size of 1024 bits is recommended.
  4. Enter and confirm a pass phrase for your private key.
  5. You are prompted to define the information for your server certificate. This information identifies your organization and consists of the following:
    • Common Name The name of your Web server as it appears in the server's URL (for example, www.covalent.net). This name must be identical to the fully-qualified domain name of the server.
    • Organization Name This organization must own the domain name that appears in the Common Name. Do not abbreviate.
    • Organization Unit Name Usually the name of the department or group using the certificate.
    • Locality Name Usually the name of the city of your organization's home office.
    • State or Province Name This is the name of the state or province of your organization's head office. Do not abbreviate.
    • Country Name The two-letter ISO abbreviation for your country.
    • Email Address The e-mail address of your technical contact person.
  6. Covalent SSL uses random data to generate your key. This process may take some time:
    • The server certificate is stored in the directory /path/to/ssl1.5/certs and is named yourserver.domain.cert (for example, www.covalent.net.cert).
    • The key is stored in the directory /path/to/ssl1.5/keys and is named yourserver.domain.key (for example, www.covalent.net.key).
  7. Modify the Apache configuration file if necessary.
    If you are securing the main server and using the included httpsd.conf, the file is configured correctly by default. No modifications are necessary.
    If you are securing an additional virtual host, you must include two <VirtualHost> containers for the secure site in the configuration file:
    • Include a virtual host for HTTP requests listening on port 80.
    • Include an SSL virtual host for HTTPS requests listening on port 443. The HTTPS server must use an IP-based address and should include the SSLCertificateFile and SSLCertificateKeyFile directives.
  8. Run the server with the key and temporary server certificate.
    If your server is running, stop the server by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl stop 
    
    Start the server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
    During server start-up, you will be prompted to enter the pass phrase for the private key that corresponds to the server certificate.
  9. To test your certificate, start a browser and go to https://yourserver.domain/
    The browser will warn you that it does not recognize the signature on your certificate. You should choose to accept the certificate anyway. The browser should display the certificate.
    If you have problems starting your server or viewing your server certificate, refer to `Troubleshooting'.
  10. Make a backup of your server certificate and private key and store them in a safe place.

Obtaining a Signed Server Certificate From a Certificate Authority (CA)

Generating and Submitting a Certificate Signing Request

  1. Generate a private key and temporary server certificate by following the procedures described in `Generating and Testing a Private Key and Server Certificate'.
  2. Select a Certificate Authority (CA) and check their Web site for server certificate signing procedures. See `Well-known Certificate Authorities' for a number of well-known CAs and their Web site URLs.
    The CA will request specific information so that it can verify your organization and site. For an example, see `Obtaining Your Free Certificate Signing From Entrust, Inc', which describes some of the procedures of obtaining a server certificate signing from Entrust, Inc.
    By reviewing the CA's procedures, you can gather this information before you submit your CSR.
  3. From the Covalent SSL Certificate and Key Management Tool, select the Generate Certificate Signing Request option.
  4. You will be prompted to select a server certificate to be signed.
  5. Next select whether you will send this Certificate Signing Request (CSR) to VeriSign, Inc. VeriSign requires a special format for the CSR. Covalent SSL automatically generates the correct format CSR.
  6. Enter the pass phrase you used to encrypt the key that corresponds to this server certificate.
  7. You will be prompted to define the information for your CSR. This information is the same data you provided when you created your server certificate. It identifies your organization and consists of the Common Name of your Web server, the Organization Name, the Organization Unit Name, the Locality Name, the State or Province Name, the Country Name (two-letter ISO abbreviation), and the Email Address of your technical contact person. In addition, you must provide:
    • Webmaster Email Address The e-mail address of the administrator of your Web site.
    • Webmaster Phone Number The phone number of the administrator of your Web site (in international format, for example, +1-415-536-5210).
  8. You will then be prompted to designate a directory and file name for the generated CSR, for example /root/cert-2507. When you complete your CA's on-line submission form, copy the CSR from this file and paste it into the CA's form.
  9. Covalent SSL saves the CSR to the file you designated. A Certificate Signing Request looks similar to this:
    
    Webmaster:      webmaster@yourserver.domain
    Phone:          +1-415-536-5210
    Server:         Covalent SSL secured Apache
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIIB8TCCAVoCAQAwgbAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMSQwIgYDVQQKExtDb3ZhbGVudCBUZWNo
    bm9sb2dpZXMsIEluYy4xCzAJBgNVBAsTAlFBMR0wGwYDVQQDExRyb24uc2ZvLmNv
    dmFsZW50Lm5ldDEiMCAGCSqGSIb3DQEJARYTcmxldW5nQGNvdmFsZW50Lm5ldDCB
    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArZViUjNpK10hIKPBjVB6b9bc+4Y3
    Kgg97gFl+uaXOdlqgHdWeCWnzVWaHXeQUnCLV0s8BJ9+IkRZ65nk2G6VYD/PAqsA
    RglRmQyDnIQb88HOR1V6v/F8jJaGMuQuFMYSisyEYhRaTMYne1xUFtwKLsd+qRUp
    BY053544Gk75ut0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAHSLNBk1EZeKMa/j
    kj3NKN+z89pTga+HbnxxswhXrKsCSfUWNNSQvHo6iYAzykTwBf+SiQ9JEGOXdMmG
    GcBy55Luo5WeyXk49CZmkwbPXlQLSD4gcAMg6VOeVEvXOz/gxtyeH++XVw9qFaXI
    q5HWjEdw1Ter1vYcDQP4WxXUX9ml
    -----END CERTIFICATE REQUEST----- 
    
  10. Go to your CA's Web site and complete their on-line submission form.
    Note
    When the CA's on-line form requests the CSR, copy the CSR from the file. Start with
    -----BEGIN CERTIFICATE REQUEST-----
    
    and end with
    -----END CERTIFICATE REQUEST----- 
    
    (making sure to include everything in between). Paste this into the CA's form.
  11. After you have provided the CA with the required information and collateral, a signed server certificate and chain certificate files should arrive via email within 3-5 working days.
    It will be delivered to the email address you designated as your Technical Contact.
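Before pasting a CSR into a CA's form it is worth checking what it actually says: the CA signs exactly what is in it, and a wrong Common Name comes back as a certificate that no browser will accept for the server. The following Python script, an added example that is not part of the Covalent manual or tool, decodes the sample request from step 9 with a small hand-written DER reader (standard library only, so it runs without OpenSSL), reports the subject fields, the RSA key size and the algorithm the request was signed with, and applies the check the manual itself states, that the Common Name must equal the server's fully-qualified domain name. The 2048-bit minimum and the warning about MD5 or SHA-1 signatures reflect present-day CA requirements rather than the manual's 512/1024-bit choices and are this example's assumptions, as is every function name in it.

```python
import base64
import re

# The CSR printed in step 9 of the manual above, embedded so the example runs offline.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIB8TCCAVoCAQAwgbAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMSQwIgYDVQQKExtDb3ZhbGVudCBUZWNo
bm9sb2dpZXMsIEluYy4xCzAJBgNVBAsTAlFBMR0wGwYDVQQDExRyb24uc2ZvLmNv
dmFsZW50Lm5ldDEiMCAGCSqGSIb3DQEJARYTcmxldW5nQGNvdmFsZW50Lm5ldDCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArZViUjNpK10hIKPBjVB6b9bc+4Y3
Kgg97gFl+uaXOdlqgHdWeCWnzVWaHXeQUnCLV0s8BJ9+IkRZ65nk2G6VYD/PAqsA
RglRmQyDnIQb88HOR1V6v/F8jJaGMuQuFMYSisyEYhRaTMYne1xUFtwKLsd+qRUp
BY053544Gk75ut0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAHSLNBk1EZeKMa/j
kj3NKN+z89pTga+HbnxxswhXrKsCSfUWNNSQvHo6iYAzykTwBf+SiQ9JEGOXdMmG
GcBy55Luo5WeyXk49CZmkwbPXlQLSD4gcAMg6VOeVEvXOz/gxtyeH++XVw9qFaXI
q5HWjEdw1Ter1vYcDQP4WxXUX9ml
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {  # X.509 name attributes and the RSA key/signature algorithm identifiers
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END lines into DER bytes."""
    m = re.search(r"-+BEGIN CERTIFICATE REQUEST-+(.*?)-+END CERTIFICATE REQUEST-+", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a SEQUENCE or SET into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted form, e.g. 2.5.4.3."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # remaining arcs are base-128, high bit set on all but the last octet
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(name):
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value string }); returns [(attr, value)]."""
    out = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            out.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), val.decode("latin-1")))
    return out

def parse_csr(pem):
    """Return subject, key algorithm/size and signature algorithm of a PKCS#10 request."""
    der = pem_to_der(pem)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CSR is not a single DER SEQUENCE")
    (_, cri), (_, sig_alg), _ = children(body)  # CertificationRequestInfo, AlgorithmIdentifier, signature
    (_, _version), (_, subject), (_, spki) = children(cri)[:3]  # the [0] attributes that follow are not needed
    (_, key_alg), (_, key_bits) = children(spki)
    key_oid = decode_oid(children(key_alg)[0][1])
    modulus_bits = exponent = None
    if key_oid == "1.2.840.113549.1.1.1":
        # BIT STRING content: one unused-bits octet, then RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
        _, rsa, _ = read_tlv(key_bits, 1)
        (_, n), (_, e) = children(rsa)
        modulus_bits, exponent = int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")
    sig_oid = decode_oid(children(sig_alg)[0][1])
    return {"subject": parse_name(subject), "key_algorithm": OID_NAMES.get(key_oid, key_oid),
            "key_bits": modulus_bits, "exponent": exponent,
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid)}

def review_csr(info, server_fqdn, min_key_bits=2048):
    """List what to fix before submitting; the 2048-bit floor and hash check are this example's assumptions."""
    subject, problems = dict(info["subject"]), []
    if subject.get("CN") != server_fqdn:
        problems.append(f"CN {subject.get('CN')!r} is not the server's fully-qualified name {server_fqdn!r}")
    if info["key_bits"] is None or info["key_bits"] < min_key_bits:
        problems.append(f"{info['key_algorithm']} key is {info['key_bits']} bits; at least {min_key_bits} needed")
    if info["signature_algorithm"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        problems.append(f"request is signed with {info['signature_algorithm']}, a deprecated hash")
    return problems
```

Run against the sample request, `parse_csr` reports the subject C=US, ST=California, L=San Francisco, O=Covalent Technologies, Inc., OU=QA, CN=ron.sfo.covalent.net with a 1024-bit RSA key (exponent 65537) and an md5WithRSAEncryption self-signature, so `review_csr(info, "ron.sfo.covalent.net")` accepts the Common Name but flags the key size and the hash. To check your own request, read the file you named in step 8 and pass its text to `parse_csr`.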

Installing and Testing a CA-signed Server Certificate

  1. After you receive your CA-signed Server Certificate, copy it to a temporary directory.
  2. From the Covalent SSL Certificate and Key Management Tool, select the Install CA Signed Certificate option.
  3. You will be prompted for the path to the temporary directory that contains the signed server certificate file.
  4. Covalent SSL installs the signed server certificate:
    • The signed server certificate is stored in the directory /path/to/ssl1.5/certs. Its name is the same as it was as a temporary server certificate, yourserver.domain.cert (for example, www.covalent.net.cert).
    • The process of signing your server certificate has no effect on your private key. It remains necessary and valid for its corresponding server certificate. It is stored in the directory /path/to/ssl1.5/keys and is named yourserver.domain.key (for example, www.covalent.net.key).
    If you are using a VeriSign, Inc 128-bit Secure Site (Global) ID or an Entrust, Inc server certificate, review the procedures in `Additional Instructions for Intermediate and Chain Certificates'.
  5. Verify that the SSLCertificateFile and SSLCertificateKeyFile directives in your httpsd.conf configuration file match the corresponding key and server certificate file names.
  6. Run the server with the CA-signed server certificate.
    If your server is running, stop the server by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl stop 
    
    Start the server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
    During server start-up, you will be prompted to enter the pass phrase for the private key that corresponds to the server certificate.
  7. To test your certificate, start a browser and go to https://yourserver.domain/
    The browser should automatically trust the site and should not display a warning.
    Note
    You can select the browser's padlock icon to view server certificate information.
    If the browser displays a warning that the site is not trusted, use the browser to view the server certificate. If the browser is reading the temporary server certificate, review the previous instructions to be sure you installed the CA-signed server certificate, stopped the server, and restarted it with SSL.
    If you have problems starting your server or viewing your CA-signed server certificate, refer to `Troubleshooting'.
  8. Back up the CA-signed server certificate and store it with a backup of its corresponding private key.

Renewing a CA-signed Server Certificate

The server certificate contains an expiration date, which is normally one year after signing. Most CAs notify you in advance of the expiration date. As the expiration date approaches, follow the procedures below to renew the server certificate.
  1. Review the CA's procedures for certificate renewal.
    • If your certificate or contact information has changed, most CAs require you to generate a new key, temporary server certificate, and CSR.
    • If your certificate and contact information are unchanged, some CAs require only a new CSR based on your existing key and certificate. Other CAs may require you to generate a new key, temporary server certificate, and CSR.
  2. Use the Covalent SSL Certificate and Key Management Tool to generate the appropriate files for renewal.
  3. After the CA has signed and returned your certificate, copy the CA-signed server certificate to a temporary directory.
  4. To install the CA-signed server certificate, refer to the procedures in `Installing and Testing a CA-signed Server Certificate'.
  5. If you created a new key and server certificate, verify that the SSLCertificateFile and SSLCertificateKeyFile directives in the httpsd.conf configuration file match the corresponding key and server certificate file names.
  6. Run the server with the renewed certificate as detailed in `Installing and Testing a CA-signed Server Certificate'.
  7. Make a backup of your renewed CA-signed server certificate and its corresponding key and store them in a safe place.

Self-Signing a Server Certificate

If you plan to use Covalent SSL only to encrypt communication and do not need a third party to authenticate your site's identity, you can self-sign your server certificate. In this case, browsers will warn users that the signing authority is not recognized. To eliminate the warning, users must add your signature explicitly to the list in their browser, assuming the browser supports that feature.
CAUTION!
It is strongly recommended that you use self-signed server certificates for internal use in your organization only.
When you initially generate a private key and server certificate, the temporary server certificate is self-signed and expires in 30 days. If you plan to use a self-signed server certificate, you can use the Self Sign Certificate option to increase the expiration date or change other information in the temporary certificate.
If you have not generated a key and temporary certificate, follow the procedures described in `Generating and Testing a Private Key and Server Certificate' before you complete the procedures below:
  1. From the Covalent SSL Certificate and Key Management Tool, select the Self Sign Certificate option.
  2. Select the server certificate you want to sign.
  3. Define the number of days you want the server certificate to be valid.
  4. Enter the pass phrase you used to encrypt the key that corresponds to this server certificate.
  5. You will be prompted to define the information for your CSR. This information is the same data you provided when you created your server certificate. It identifies your organization and consists of the Common Name of your Web server, the Organization Name, the Organization Unit Name, the Locality Name, the State or Province Name, the Country Name (two-letter ISO abbreviation), and the Email Address of your technical contact person.
  6. Run the server with the self-signed server certificate.
    If your server is running, stop the server by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl stop 
    
    Start the server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
    During server start-up, you will be prompted to enter the pass phrase for the private key that corresponds to the server certificate.

Additional Private Key Management Tools

The options Encrypt RSA Key and Decrypt RSA Key in the Covalent SSL Certificate and Key Management Tool allow you to manage the pass phrase associated with a private key. With these options you can eliminate or change the pass phrase.

Eliminating the Pass Phrase at Server Start-up

Your private key is stored encrypted on your hard disk. Each time you start the server you must enter the pass phrase to decrypt the key. This method improves security but can be impractical, especially during automatic restarts of the server.
To eliminate entering the pass phrase at server start-up, you can choose to store the key decrypted through the Decrypt RSA Key option in the Covalent SSL Certificate and Key Management Tool.
CAUTION!
Be aware that while decrypting the key simplifies server start-up, this can decrease security. The key is stored read-only by root, so it is only as secure as your root login on the system.
  1. From the Covalent SSL Certificate and Key Management Tool, select the Decrypt RSA Key option.
  2. Define the key to decrypt and the pass phrase you used to encrypt the key.
    Note
    If you decide you do not want to store the key decrypted, you can use the Encrypt RSA Key option to re-encrypt the key.
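The CAUTION above comes down to file ownership and permissions: once the pass phrase is gone, anyone who can read the key file can impersonate the server. The following Python audit, an added example that is not part of the Covalent tool, checks the two things the manual relies on: that the key file is owned by root and readable by nobody else, and whether it still carries a pass phrase. It recognises the encrypted form by the `Proc-Type: 4,ENCRYPTED` header that OpenSSL writes into traditional PEM keys (and the `ENCRYPTED PRIVATE KEY` label of PKCS#8 keys). The key texts it writes to temporary files are constructed samples with placeholder bodies, not real keys; `owner_uid` defaults to 0 for root, but the demo passes the current user so it runs unprivileged. All function names are this example's own.

```python
import os
import stat
import tempfile

# Constructed sample key files: only the header lines matter here; the bodies are placeholders, not real keys.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
"""
DECRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
"""

def key_is_encrypted(pem_text):
    """True if the PEM key still needs a pass phrase. OpenSSL's traditional format marks this with a
    'Proc-Type: 4,ENCRYPTED' header; PKCS#8 keys use the 'ENCRYPTED PRIVATE KEY' block label instead."""
    return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text

def audit_key_file(path, owner_uid=0):
    """Return the findings for one private key file: ownership, permission bits and whether
    it is stored decrypted. An empty list means the file is stored as the manual describes."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {owner_uid}")
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group or other users access")
    if mode & 0o200:
        findings.append(f"mode {mode:04o} is writable by its owner; the manual stores the key read-only")
    with open(path, encoding="ascii", errors="replace") as fh:
        if not key_is_encrypted(fh.read()):
            findings.append("stored decrypted: the key is only as safe as the root login")
    return findings

def write_sample(text, mode):
    """Write a sample key to a temporary file with the given permission bits; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    """Audit three constructed key files and return {label: findings}."""
    cases = [("encrypted-0400", ENCRYPTED_KEY, 0o400),
             ("decrypted-0400", DECRYPTED_KEY, 0o400),
             ("decrypted-0644", DECRYPTED_KEY, 0o644)]
    results = {}
    for label, text, mode in cases:
        path = write_sample(text, mode)
        try:
            results[label] = audit_key_file(path, owner_uid=os.getuid())  # current user stands in for root
        finally:
            os.remove(path)
    return results

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "ok")
```

The encrypted, mode 0400 sample passes cleanly; the decrypted 0400 sample produces only the "stored decrypted" finding, which is the trade-off the manual's CAUTION describes; the 0644 copy adds the group/other and owner-write findings. On a real server, point `audit_key_file` at the file under /path/to/ssl1.5/keys after using the Decrypt RSA Key option.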

Changing Your Pass Phrase

You can use the Decrypt RSA Key and Encrypt RSA Key options to change the pass phrase for your key:
  1. From the Covalent SSL Certificate and Key Management Tool, select the Decrypt RSA Key option.
  2. To decrypt the key, complete the steps for decrypting the key as detailed in the previous section, `Eliminating the Pass Phrase at Server Start-up'.
  3. Next, select Encrypt RSA Key.
  4. Define the key you want to encrypt, then enter the new pass phrase and confirmation.

Additional Instructions for Intermediate and Chain Certificates

Using a VeriSign 128-bit Secure Site (Global) ID

Using a VeriSign 128-bit Secure Site (Global) ID requires an intermediate certificate. The VeriSign support pages at http://www.verisign.com include a link to the contents of the VeriSign intermediate certificate.
After you install a server certificate signed by VeriSign using the Install CA Signed Certificate option in the Covalent SSL Certificate and Key Management Tool, you can create the intermediate certificate.
  1. Create a file named intermediate-ca.cert in the /path/to/ssl1.5/pki/certs directory.
  2. Copy and paste the entire contents of the intermediate certificate on VeriSign's Web site into the intermediate-ca.cert file.
    Note
    Make sure to include the lines labelled
    -----BEGIN CERTIFICATE-----  
    
    and
    -----END CERTIFICATE----- 
    
    and everything in between.
  3. Edit your httpsd.conf configuration file to point to the intermediate certificate.
    Within the section defined for the virtual host for this intermediate certificate, edit or add an SSLCACertificateFile directive containing the path to the certificate.
  4. Run the server with the intermediate certificate.
    If your server is running, stop the server by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl stop 
    
    Start the server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
  5. Make sure your customers are using the proper browser versions.
    The Secure Site IDs do not work with the older versions of Microsoft and Netscape browsers. For detailed information, see the VeriSign support pages at www.verisign.com/products/site/faq/index.html.

Using an Entrust, Inc Server Certificate

Entrust, Inc server certificates require a chain certificate. Entrust will supply you with a link to the contents of the Entrust chain certificate during the certificate signing process.
After you install the certificate signed by Entrust as detailed in `Installing and Testing a CA-signed Server Certificate', you can create the chain certificate:
  1. Locate and open the ca-bundle.cert file located in the /path/to/ssl1.5/pki/certs directory.
  2. Copy and paste the entire Entrust chain certificate into the ca-bundle.cert file. The lines can be at the beginning or end of the file, or between existing entries. There is no need to add any other data to match the format of existing entries.
    Note
    Make sure to include the lines labelled
    -----BEGIN CERTIFICATE-----  
    
    and
    -----END CERTIFICATE----- 
    
    and everything in between.
  3. Edit your httpsd.conf configuration file to point to the Entrust chain certificate.
    Within the section defined for the virtual host for this chain certificate, edit or add an SSLCACertificateFile directive containing the path to the certificate.
  4. Run the server with the chain certificate.
    If your server is running, stop the server by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl stop 
    
    Start the server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
    Also see `Obtaining Your Free Certificate Signing From Entrust, Inc'.

Preserving Your Private Key and Authenticated Server Certificates

Before you upgrade your existing Covalent SSL installation, you need to save your CA-signed server certificate, private key, and CA-signed chain certificates (for Entrust and VeriSign certificate users only). After you have completed the upgrade, you need to reinstall these files.
  1. Locate your CA-signed server certificate in the existing Covalent SSL installation. This file is named yourserver.domain.cert.
    Copy the certificate to a temporary directory to protect it from deletion.
  2. Locate your private key in the existing Covalent SSL installation. This file is named yourserver.domain.key.
    Copy the private key to a temporary directory to protect it from deletion.
  3. Locate your CA-signed web server chain certificate in the existing Covalent SSL installation. This file is named ca-bundle-chain.cert.
    Copy the certificate to a temporary directory to protect it from deletion.
  4. Upon completing your upgrade, copy the saved files from the temporary directory to the correct locations for your new Covalent SSL installation:
    • The CA-signed certificate should be installed in the /path/to/ssl1.5/pki/certs directory.
    • Your private keys should be installed in the /path/to/ssl1.5/pki/key directory.
    • The CA-signed web server chain certificate should be installed in the /path/to/ssl1.5/pki/certs directory.
  5. Edit the httpsd.conf configuration file to enable the web server certificates and keys:
    SSLCertificateFile /path/to/ssl1.5/pki/certs/yourserver.com.cert
    SSLCertificateKeyFile /path/to/ssl1.5/pki/keys/yourserver.com.key
    SSLCertificateChainFile /path/to/ssl1.5/pki/certs/ca-bundle-chain.cert 
    
  6. Start the new server with Covalent SSL by executing:
    /path/to/apache1.3/bin/covalent-faststart-ctl startssl 
    
  7. To test your certificate, start a browser and go to https://yourserver.domain/
    The browser should automatically trust the site and should not display a warning.
    Note
    You can select the browser's padlock icon to view server certificate information.
    If the browser displays a warning that the site is not trusted, use the browser to view the server certificate. If you have problems starting your server or viewing your CA-signed server certificate, refer to `Troubleshooting'.

Covalent Technologies, Inc.
o: 415/536-5200
f: 415/536-5210
e: sales@covalent.net
www.covalent.net