Simson was running the BSDI operating system on an old 486 PC with 24MB of RAM. The file that he downloaded was called apachessl_us-1.0.5+1.0+1.1.1-i3.tgz. The .tgz extension means that the file is a tar archive that was then compressed with gzip.

The Apache-SSL server must be installed as superuser on your computer. The installation process is straightforward and completely handled by the INSTALL.sh shell script. This script copies the Apache-SSL source, binaries, and various support files from the directory in which it was unpacked to the directories that you specify.

The default configuration uses the directories described in Table 2.1. We suggest that you use them as well.

The INSTALL.sh script then steps you through the process of creating the necessary cryptographic keys to enable the secure server.

At this point, the Apache-SSL server has been installed in the directories that you specified. The installation script will now guide you through the process of creating two certificates, the first of which will be sent to VeriSign (or another CA) for their signature; the second will be for your immediate use. Alternatively, the installation script will convert an existing Netscape key and certificate pair.

Now you need to install a key/cert pair.
A) Convert an existing Netscape Commerce key/cert pair
B) Generate a new key/cert pair
Choose [A/B] B
The key will be called httpd.key. The certificate will be called httpd.cert
They will be stored in /usr/local/ssl

********* READ ME *************
You are now generating a new key and key request. The key request will be
sent to the CA of your choice and the keyfile will reside
/usr/local/ssl/private/httpd.key.

If you have already sent off a key request for this server before, make
sure you aren't overwriting your old key which is awaiting a corresponding
certificate from your CA.

If the key generation fails, move the file
/usr/local/ssl/private/httpd.key to a backup location and try again.
********* READ ME *************
Choose the size of your key. The smaller the key you choose the faster 
your server response will be, but you'll have less security. Keys of less 
than 512 bits are trivially cracked, while for high security applications 
you probably don't want a key of less than 1024 bits. Choosing an 
appropriate keysize is your responsibility.

How many bits of key (384 minimum, 1024 maximum): 1024
Now we will generate some random data, using the truerand library
developed by Matt Blaze, Jim Reeds, and Jack Lacy at AT&T.
This may take some time.
Generating 2048 bits of randomness ..............................................
..................
Now we generate more random data, from keystrokes

We need to generate 2048 random bits.  This is done by measuring the
time intervals between your keystrokes.  Please enter some random text
on your keyboard until you hear the beep:
   2048Now you should type random text. It doesn't matter how much random text that you type. You should simply be careful not to hold down the repeat key. A very good way to generate random text is to have your cat walk across thekeyboard. buy more O'Reilly books.0 * -Enough, thank you.
Finally, choose some files with random bits, to complete our random
number seed generation. You might want to put in logfiles, utmp, wtmp,
etc.
Enter colon-separated list of files: /var/log/maillog:/var/log/messages
Now we are generating the key. This may also take some time. Be patient.
The passphrase you enter here is very important. Do not lose it.
unable to load 'random state'
1162802 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
1162802 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............................................+++++
................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:mysuperpassword
Verifying password Enter PEM pass phrase:mysuperpassword
Key generated
Would you like to send a Certificate Request to a CA? [Y/n] y
NOTE: There is a bug in the software VeriSign uses to run their Certificate
Authority. In order to work around this bug, our software creates
CSR in a different form if you are going to use a Certificate Authority
with a bug such as the one used by VeriSign. Please answer the following
question about whether or not your CA is affected by this bug.
(VeriSign is affected by this bug.)
Does your CA need the ASN1-Kludge? [Y/n] Y
Working around CA bug.
Now we will generate a certificate request. After that we will
create a temporary certificate for testing until you receive
the certificate from your CA. Enter the following information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:Massachusetts
Locality Name (city, town, etc.) [Springfield]:Vineyard Haven
Organization Name (company) [Random Corporation]:Vineyard.NET, Inc.
Organizational Unit Name (division) [Secure Services Division]:.
Common Name (webserver FQDN) [www.random.com]:www.vineyard.net
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, SP=Massachusetts, L=Vineyard Haven, O=Vineyard.NET,
        Inc.,  CN=www.vineyard.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            Public Key: (1024 bit)
                Modulus:
                    00:f5:85:28:b5:20:61:4c:dd:c5:e1:2d:be:4d:a8:
                    4f:ec:5f:7c:fc:cf:82:a7:48:4c:3d:ac:57:e3:bb:
                    19:5d:d8:3a:7e:1a:fa:d6:26:d5:69:12:a0:b3:d1:
                    36:ed:b0:83:d6:38:7b:71:ca:af:6d:37:55:87:d3:
                    2b:7f:cf:45:3b:b0:80:69:d2:47:e3:d0:7f:1f:6f:
                    21:bd:62:e1:a9:06:21:22:73:b9:da:20:93:97:cd:
                    00:c0:66:98:26:aa:dd:20:8a:e4:0c:48:35:55:de:
                    43:12:47:5c:35:e0:6f:8f:cf:25:3e:99:d0:53:b7:
                    cd:57:d1:b0:90:56:3f:4a:53
                Exponent: 65537 (0x10001)
        Attributes:
    Signature Algorithm: md5withRSAEncryption
        c5:c4:a0:5b:37:fd:79:d0:81:88:05:54:37:db:c1:15:59:e5:
        33:d6:c0:fe:99:00:73:a1:5b:f2:cb:4a:4d:b9:29:fd:53:7c:
        b4:42:11:b9:25:6b:32:75:82:cb:c1:cd:62:3f:04:65:54:1f:
        1d:42:e9:7b:f0:15:a3:2c:dc:7a:c7:8e:23:3b:74:ef:4f:ef:
        2d:ee:56:b9:0e:f7:fc:32:60:f3:e8:08:d0:00:c3:6d:6d:c7:
        d7:39:a2:6c:2f:cd:c8:66:7c:9d:8e:1f:87:5a:56:60:e7:f3:
        e1:6f:fd:14:d7:f4:3b:b8:c6:cf:d7:e2:bf:40:7b:3d:d6:a3:
        86:50
Webmaster email: [email protected]
Webmaster phone: 508-696-6688
Send certification request to [[email protected]]: 
Your certificate request was sent to your apachessl-us-request-
[email protected].   Make sure you send
them the appropriate paperwork and money, unless this is a renewal. See
http://www.verisign.com/apachessl-us/index.html for more information about
the Verisign CA process.
Now we will create a self-signed certificate for use until the CA of your
choice signs your certificate. You will have to use this cert until
your CA responds with the actual signed certificate.

You are about to be asked to enter information that will be incorperated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:Massachusetts
Locality Name (city, town, etc.) [Springfield]:Vineyard Haven
Organization Name (company) [Random Corporation]:Vineyard.NET, Inc.
Organizational Unit Name (division) [Secure Services Division]:.
Common Name (webserver FQDN) [www.random.com]:www.vineyard.net
--COMPLETE--
Your key has been generated and a test certificate has been installed
--COMPLETE--
vineyard#

Your encrypting server is now installed, a public/secret key pair has been created, and your server has been equipped with a “self-signed” test certificate.

The test certificate will allow you to begin immediately using your server’s cryptographic features. However, because the certificate is not signed by a recognized certification authority, when users click into your web site they should be informed by their browser that the server has not been properly authenticated.

To complete the installation of your server, you need to install a public key certificate signed by a recognized CA. The following section describes how to install a public key signed by VeriSign.

As part of the installation procedure of Apache-SSL , a copy of your public key is sent off to a certification authority. The default authority is VeriSign, a company that was formed in 1995 by RSA Data Security Systems and other partners. (For more information about CAs, see Chapter 7)

The email address for VeriSign is specified in the installation procedure:

Send certification request to [[email protected]]: 
Your certificate request was sent to your apachessl-us-request-
[email protected].   Make sure you send them the appropriate paperwork 
and money, unless this is a renewal. See http://www.verisign.com/
apachessl-us/index.html for more information about the Verisign CA 
process.

Shortly after you complete the installation process, you should get a response from VeriSign’s computers indicating that your public key has been received:

You have new mail.
% mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/mail/simsong": 1 message 1 unread
>N 1 owner-apachessl-us-r  Tue May 28 19:39  90/4235 
& p1
Message 1:
From [email protected] Tue May 28 19:39:46 1996
From: [email protected]
Date: Tue, 28 May 1996 16:38:31 -0700 (PDT)
To: "Simson L. Garfinkel" <[email protected]>

Unique ID Number: 14996062

The above number identifies your certificate request. Please refer to 
this number in any correspondence with VeriSign regarding this 
certificate.

Thank you for submitting your Digital ID server request.  If you 
haven't already, please go to our Digital ID Center at:

        http://digitalid.verisign.com/

You will be asked to complete an online enrollment form with 
information required to authenticate your server. The information you 
supply will be used to generate an electronic Authorization Letter. 
Once you execute the letter, it will be automatically emailed to 
VeriSign. This letter designates you as an authorized representative 
of your organization, responsible for requesting and utilizing a 
Digital ID.

Just as in applying for a business license or trademark, your 
Digital ID cannot be issued until your subscriber information is complete and 
independently verified.  Imagine the potential damage to your business 
or reputation if someone could masquerade as your company or 
organization on the net.  We will verify your information with 3rd-
party data sources and perform additional due-diligence as 
appropriate. If the information you supplied is complete and can be
verified, we will typically issue your Digital ID within 3-5 business 
days.

VeriSign assigns a Request Tracking Number to each Digital ID server 
request when received.  The number listed below identifies your 
Digital ID server request. Please refer to this number in any 
correspondence with VeriSign regarding this certificate.

       Request Tracking Number: __________________

By affixing VeriSign's digital signature to your Digital ID, VeriSign 
is attesting that we, as an independent third party, followed certain 
procedures to verify that your company or organization has the legal 
right to use the organization name and common name (typically your 
domain name) embedded in the certificate. This level of assurance 
gives your customers and business partners confidence that you are who 
you say you are. 

We will process your request as quickly as possible. Our customer 
service team will be in contact with you (via email and or phone) 
until we have issued your Digital ID. We will also notify you in 
advance of pending renewal issues before your Digital ID expires.

If you have additional questions, please refer to our Digital ID 
Center at http://digitalid.verisign.com/.

Thank you in advance for your patronage.


 ----------- Your original message is below ----------

Webmaster: [email protected]
Phone: 508-696-6688
Server: Apache-SSL-US

Common-name: www.vineyard.net
Organization Unit: 
Organization: Vineyard.NET
Locality: Vineyard Haven
State: Massachusetts
Country: US

-----BEGIN CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0
dHMxFzAVBgNVBAcTDlZpbmV5YXJkIEhhdmVuMRswGQYDVQQKExJWaW5leWFyZC5O
RVQsIEluYy4xGTAXBgNVBAMTEHd3dy52aW5leWFyZC5uZXQwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAPWFKLUgYUzdxeEtvk2oT+xffPzPgqdITD2sV+O7GV3Y
On4a+tYm1WkSoLPRNu2wg9Y4e3HKr203+YfTK3/PRTuwgGnSR+PQfx9vIb1i4akG
ISJzudogk5fNAMBmmCaq3SCK5BxINVXeQxJHXDXgb4/PJT6Z0FO3zVfRsJBWP0pT
AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAxcSgWzf9edCBiAVUN9vBFVnlM9bA/pkA
c6Fb8stKTbkp/VN8tEIRuSVrMnWCy8HNYj8EFVQfHULpe/AVoyzceseOIzt070/v
Le5WuQ73/DJg8+gI0ADDbW3H1zmibC/NyGZ8nY4fh1pWYOfz4W/9FNf0O7jGz9fi
v0B7PdajhlA=
-----END CERTIFICATE REQUEST-----
& q
Held 1 message in /var/mail/simsong
%

Now you have nothing to do but wait.^[118] VeriSign will validate the information provided in your certificate request. This process can take a week or more.

Eventually, you should get a message back from VeriSign:

X-Sender: certs@dustin
Mime-Version: 1.0
X-Priority: 1 (Highest)
Date: Wed, 05 Jun 1996 01:26:24 -0700
To: [email protected]
From: Certificate Services <[email protected]>
Subject: Digital ID approval
X-Attachments: S:LETTERSNewlegal.txt;

Dear Valued VeriSign Customer,

Server/Common Name:  www.vineyard.net      

Following is your official Digital ID (Certificate) which will certify 
your identity and your public key in electronic transactions.  It has 
been digitally signed by VeriSign guaranteeing that your Digital ID 
hasn't been corrupted or otherwise modified since it was signed and 
that it will be trusted by others conducting electronic commerce.

Prior to your one year expiring we will notify you of the renewal 
procedures.

Please refer to your server manual for proper instructions on 
installing your Digital ID (Certificate).

-----BEGIN CERTIFICATE-----
MIICRDCCAbECBQJ6AAd3MA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjA2MDUwMDAwMDBa
Fw05NzA2MDUyMzU5NTlaMHYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
dXNldHRzMRcwFQYDVQQHEw5WaW5leWFyZCBIYXZlbjEbMBkGA1UEChMSVmluZXlh
cmQuTkVULCBJbmMuMRkwFwYDVQQDExB3d3cudmluZXlhcmQubmV0MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQD1hSi1IGFM3cXhLb5NqE/sX3z8z4KnSEw9rFfj
uxld2Dp+GvrWJtVpEqCz0TbtsIPWOHtxyq9tN/mH0yt/z0U7sIBp0kfj0H8fbyG9
YuGpBiEic7naIJOXzQDAZpgmqt0giuQMSDVV3kMSR1w14G+PzyU+mdBTt81X0bCQ
Vj9KUwIDAQABMA0GCSqGSIb3DQEBAgUAA36ABH64fDO4lx8I+9ZNamaZDuUo5GlO
pr6AJtUIjcREymHjUeyvP0nAP79rt6tI5ywGHWIqDXq8gfL3XvW48rVbjaAajzZO
xcO9t2Xe19JY/eKLCPT6hf4SMtNtIFl2FCSeU8slgzu+H7tLq8xmstb8h+koRHbv
OYPz6BGqZbk=
-----END CERTIFICATE-----

Providing Driver Licenses for the Information Superhighway[(TM)]

VeriSign 

COMMERCE SERVER LEGAL AGREEMENT

-----------------------------------------------------------------------

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL ID
ISSUED TO YOUR ORGANIZATION. BY USING THE DIGITAL ID, YOU ARE 
AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE
TERMS OF THIS AGREEMENT, PROMPTLY RETURN THE UNUSED DIGITAL ID TO 
VERISIGN AND YOUR MONEY WILL BE REFUNDED.

(The rest of the message contains a long legal agreement that we won’t reprint here.)

Save this message in a file on your computer. In the middle of this message, between the lines "——-BEGIN CERTIFICATE——-" and "——-END CERTIFICATE——-" is your server certificate. To install this certificate on your web server, follow these steps:

The private key for the Apache-SSL server needs to be stored on the hard disk. Otherwise, it can’t decrypt the incoming data over a SSL connection. Unfortunately, this creates a potential vulnerability: if someone were to steal your computer, he would have access to your organization’s secret key.

To solve this problem, Apache-SSL can store your organization’s private key in one of two ways:

For most web sites, there is no reason not to store the web server’s private key unencrypted. That’s because while an unencrypted key stored on a computer’s hard disk is only protected by the computer’s operating system, the same is true of the web server itself. An attacker who can compromise your computer’s security and steal your key can just as easily steal your encrypted key and then booby-trap your web server so that when the decryption password is typed, the password is automatically sent over the net to some other location. Furthermore, storing the private key encrypted makes the web server considerably more difficult to operate. Everybody who reloads the server or reboots the computer needs to know the decryption password.

In practice, the minor security improvement that comes from storing passwords encrypted is not worth the increased difficulty of operations.

Apache-SSL comes with three shell scripts for controlling the operation of the httpd and httpsd servers:

You should run the reload command after you make any changes to the Apache configuration files.

Many sites set up their computers so that their web servers are run automatically when the system reboots. If you wish your cryptographically enabled web server to immediately begin accepting transactions, you will need to store the server’s secret key decrypted, or store the decryption password on the hard drive so that it is automatically entered, or have some sort of physical device connected to your computer that contains the decrypted key or the decryption password.