Appendix B. Creating and Installing WebServer Certificates

This appendix describes how to install a web server, create a public/private key pair, and obtain a certificate for your web server. The process is described here in detail to give you a feel for how the mechanics of the process work. However, as it is likely that you will be performing this process with different software from that described here, you should refer to your own documentation before beginning the procedure.

To set up a cryptographically enabled web server, you must complete these steps:

  1. Obtain a web server (either by downloading it over the Internet or by purchasing media or a computer containing the web server).

  2. Install it.

  3. Create a secret/public key pair for your web server.

  4. Optionally create your own self-signed certificate so you can get your secure web server running immediately.

  5. Send the public key to a certification authority (CA).

  6. Send other, supporting documents to the certification authority.

  7. Receive your signed X.509 v3 public certificate from the certification authority.

  8. Install the certificate on your web server.

This appendix shows the process, using the Stronghold web server as a sample web server and VeriSign as a sample CA.
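Steps 3 to 5, plus a check worth running before step 8, as an added example that is not from the original text or from Stronghold's own tooling. It assumes the OpenSSL command-line tool; the host name `www.example.test`, the file names and the 2048-bit RSA key size are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): OpenSSL CLI assumed; names are constructed.

# Steps 3-5: key pair, self-signed certificate, and request for the CA.
# $1 = output directory, $2 = host name for the certificate subject.
make_key_and_requests() (
    umask 077    # the private key must be readable by its owner only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null || exit 1
    # Step 4: short-lived self-signed certificate to start serving at once.
    openssl req -new -x509 -key "$1/server.key" -subj "/CN=$2" \
        -days 30 -out "$1/selfsigned.crt" || exit 1
    # Step 5: the request carries only the public key and is signed with the
    # private key; server.key itself is never sent to the CA.
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
)

# Print the SHA-256 of the public key inside a key, cert or csr file.
pubkey_digest_of() {
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pub= ;;
    esac
    # An unreadable file must fail, not hash as empty input and "match".
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Before step 8: does the file ($1 = cert|csr, $2 = path) hold the public
# half of private key $3? A server cannot use a certificate that fails this.
same_public_key() {
    a=$(pubkey_digest_of "$1" "$2") || return 1
    b=$(pubkey_digest_of key "$3") || return 1
    [ "$a" = "$b" ]
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_key_and_requests "$demo_dir" www.example.test
same_public_key csr "$demo_dir/server.csr" "$demo_dir/server.key" &&
    echo "CSR carries the public half of server.key"
rm -rf "$demo_dir"
```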

Downloading and Installing Your Web Server

On March 4th, 1996, Simson received the following electronic mail message:

Date: Mon, 4 Mar 1996 15:40:52 -0800 (PST)
To: [email protected]
From: ApacheSSL Sales <[email protected]>
Subject: Do you need to provide your customers with SSL?
Status: RO

        Please forward this note to the person in charge of your web
services.

        Are you in need of an SSL Webserver solution? Do you use
Apache for your webserver and only wish that you could use the same
basic configuration as your Apache server, except with SSL? Don't want
to spend the three thousand dollars on a Netscape Server?

        Community ConneXion, Inc., may have your answer.

        We've put together a commercial Apache-SSL package, for use
within the United States and Canada only. It offers full-strength
export-restricted munitions grade fortress cryptography for your web
services. Apache-SSL-US seamlessly supports virtual hosts, and
multiple certificates for multiple virtual hosts. Only $495.00.

        See http://apachessl.c2.org/ for more details.

Thank you for your time.

In the trade, this is known as spam. Sameer Parekh, president of Community ConneXion, Inc., had sent a blatant advertisement for his new product to the contact email address of every Internet service provider listed at THELIST.COM. Normally, such crass advertisements are as welcome as junk mail. But there is a rare thing about target marketing: when the target is looking to purchase what the marketer is selling, the sales message can be quite welcome.[116]

The Apache web server was written by a group of programmers called The Apache Group. The SSL package was integrated into the Apache server by Ben Laurie. Parekh had taken the Apache-SSL server and done two things. First, he had written a few scripts that made the installation of the package simpler. Second, and more importantly, he had obtained the necessary licenses so that the public key patents could be legitimately used within the United States.

This chapter details how to obtain and install Apache-SSL, including the creation of your digital ID (see Chapter 6 and Chapter 7 for information about digital IDs and VeriSign) and the signing of that ID by VeriSign.



[116] Different people react to spam in different ways. For instance, Spaf keeps a list of companies sending him unsolicited advertisements, and resolves to never do business with those firms. Other people have been known to mail bomb and attack sites sending spam. Unfortunately, this sort of retaliation may itself be a criminal act—and you may direct your anger toward the wrong party. In general we recommend against any type of spam or retaliation against spammers.
