Securing Your Apache Server for Business with VeriSign Secure Server IDs

A VeriSign Secure Server ID is a digital certificate that gets installed on a Web server to protect the communications between that server and any web site visitors. Once installed and activated, the Secure Server ID is used to authenticate its owner's Web site, encrypt communication sessions, and guarantee the integrity of transmitted data.

Recently, VeriSign, the Apache Server Project, and SSLeay have collaborated to allow anyone running an Apache server to secure their site with the strongest encryption available. VeriSign Secure Server IDs and the SSLeay toolkit make it possible to implement SSL on any Apache server.

With SSL capabilities, your site will be protected against spoofing, data corruption, and eavesdropping. Your end users will know that they are working with a trustworthy partner and that any confidential information they submit (including credit card information) is safe in transit.

In other words, adding a VeriSign Secure Server ID to your Apache Web server is key to building your online business by allowing you to conduct secure transactions on your site.

This guide gives detailed, step-by-step instructions on the process for securing your Apache Server with a VeriSign Secure Server ID to enable SSL.


 
Setting Up Your Server for SSLeay

There are several ways to obtain the software to secure your Apache server.

  1. Download a freeware package that includes all the necessary components. Some software developers have combined Apache and SSLeay with the patches to make them function properly together. This work is distributed to the public as free source code and one such package can be found at http://www.apache.org/.

  2. Download Apache server software from http://www.apache.org/ and the SSLeay toolkit from http://www.ssleay.org/, both of which are distributed as free source code. Then write the code to patch the two programs together yourself.

  3. Purchase an Apache-ready SSL module, which makes it easy to add security to your Apache server. A leading example of this type of SSL module is Raven from Covalent Technologies. Visit raven.covalent.net to learn more and for a free 30-day evaluation.

  4. Purchase a software package that includes all the necessary components. The leading example of Apache-based commercial software is Stronghold from C2Net. The Stronghold server package is sold as object code and backed by product guarantees.

VeriSign Secure Server IDs are designed to work with any Apache server that is running an SSLeay toolkit. Please be aware, however, that if you download the freeware version and change the coding, VeriSign cannot provide the support and guarantee that normally come with our server certificate products.


 
Getting Your Secure Server ID from VeriSign

The online enrollment process for a Secure Server ID is very straightforward and can be accomplished in about 15 minutes. Once you have completed enrollment, your ID will be sent to you via e-mail in 1 to 3 business days.

Step 1: Confirm Domain Name
VeriSign can only issue a Secure Server ID to the registered owner of a domain name. In order for your application to be processed, you will need to enter the exact domain name of your Web site and the exact name of your site's registered owner.

VeriSign's enrollment pages provide links to the local NICs that register domain names. Using these links, find your local NIC and use its "whois" service to verify ownership of your domain name.

Step 2: Obtain Proof of Right
Before issuing your Secure Server ID, VeriSign must confirm that your organization is legitimate and is registered with the proper government authorities.

To avoid paperwork and speed processing time, you should submit your Dun & Bradstreet DUNS number. Your DUNS number will provide sufficient proof of your right to operate and use your company name. If you do business in the United States and you do not know your DUNS number, you can go to the Dun & Bradstreet site to search for it. You can also apply for a DUNS number at this site, if you do not have one.

If you do not conduct business in the United States, please contact your local Dun & Bradstreet representative to obtain your DUNS number. You can find a local representative through the Dun & Bradstreet Web site. Please note that international DUNS numbers must be in the Dun & Bradstreet database for at least two months before VeriSign can verify the information.

If you do not wish to use a DUNS number, you can fax or mail us any of the following documents when you complete on-line enrollment:

  • Articles of Incorporation
  • Partnership Papers
  • Business License
  • Fictitious Business License
  • Federal Tax ID Confirmation

All documentation must be submitted in English. Please send only approved documents, not applications. Make sure to reference your server/domain name on all correspondence. Send these to:

Digital ID Center
VeriSign, Inc.
1350 Charleston Road
Mountain View, CA 94043
United States of America
Fax: (650) 961-8870

Step 3: Generate Private Key and Certificate Signing Request
You now need to instruct your SSLeay toolkit to generate a private key and a certificate signing request.

The following instructions assume that your SSLeay executable is installed in /usr/local/ssl/bin. If that directory is not in your PATH, use /usr/local/ssl/bin/ssleay rather than just ssleay in the following examples.

  1. Create random state
    You need to generate some random information for input into the key generation process. You can delete or alter the rand.dat file at any time, as its exact contents are not important; what matters is that an outsider cannot predict them. Use one of the following commands:

    head -25 * > rand.dat

    or

    ssleay md5 * > rand.dat

    or

    cat file1 file2 file3 > rand.dat

  2. Generate a private key protected with a passphrase
    Enter the following command:

    ssleay genrsa -rand rand.dat -des 1024 > key.pem

    or, if you want to use triple DES:

    ssleay genrsa -rand rand.dat -des3 1024 > key.pem

    Note: Do not forget your passphrase; without it, your key cannot be used.

  3. Make a back-up copy of your private key
    Save it on a floppy drive and store the disk in a secure location, such as a safe deposit box. Your private key is never sent to VeriSign, so if it is lost or corrupted, you will need your backup copy in order to keep using your certificate.

  4. Generate a CSR
    A certificate signing request (CSR) is what you send to VeriSign to sign and return in the form of a certificate, which can be used in combination with the private key you have generated. Enter the following command:

    ssleay req -new -key key.pem -out csr.pem

    where key.pem is the name of the key which you generated in step 2, and csr.pem is the name of the output CSR file.

    You will be prompted for the following information:

    • Your country code. Enter the two letter ISO abbreviation for your country (e.g. au for Australia, gb for the United Kingdom, mx for Mexico).
    • The full name of your state or province. Please spell out in full (e.g. use New South Wales instead of NSW).
    • The name of your city, town, or other locality.
    • The name of your organization. This should be the organization that owns the domain name (Step 1 of the VeriSign enrollment process) and for which you have Proof of Right (Step 2 of the VeriSign enrollment process).
    • The name of your unit within your organization (e.g. Marketing, Sales, MIS).
    • Your common name. Enter the fully qualified domain name of your site (e.g. www.bookstore.com). This must match the https URL that you are planning to use. It must also end in a domain name that your organization owns.

    If you are prompted for "extra attributes," simply ignore them.
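
Before backing up key.pem and submitting the CSR, it is worth confirming that the key from step 2 really is passphrase-protected and that only its owner can read it. The following check is an added example, not part of the original guide or of SSLeay; it relies on the Proc-Type and DEK-Info headers that SSLeay writes into an encrypted PEM key, and its rejection of single DES and its owner-only file mode are this example's own policy. The sample key file is constructed.

```shell
# Added example: audit a key file written by "ssleay genrsa" (step 2).

# Print the cipher named in the DEK-Info header, or "none" if unencrypted.
key_cipher() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1" | head -n 1
    else
        echo none
    fi
}

# Succeed only if group and other have no permission bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print findings for one key file; return non-zero if any check fails.
audit_key() {
    rc=0
    cipher=$(key_cipher "$1")
    case $cipher in
        none)    echo "FAIL: key is not passphrase-protected"; rc=1 ;;
        DES-CBC) echo "FAIL: single DES (56-bit key); regenerate with -des3"; rc=1 ;;
        *)       echo "ok: key is encrypted with $cipher" ;;
    esac
    if ! key_is_private "$1"; then
        echo "FAIL: group or other can access the key; chmod 600 it"
        rc=1
    fi
    return $rc
}

# Constructed sample: SSLeay-style PEM headers around a placeholder body.
make_sample_key() {   # usage: make_sample_key <cipher> <path>
    cat > "$2" <<EOF
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: $1,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END RSA PRIVATE KEY-----
EOF
}

demo=$(mktemp -d)
make_sample_key DES-EDE3-CBC "$demo/key.pem"
chmod 600 "$demo/key.pem"
audit_key "$demo/key.pem"
rm -rf "$demo"
```

Running the genrsa command in a shell where umask 077 is set creates key.pem with owner-only permissions from the start.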

Step 4: Submit CSR
The contents of csr.pem should look something like the following:

-----BEGIN CERTIFICATE REQUEST-----
MIIBETCBvAIBADBXMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh
MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYJKoZIhvcNAQkB
FgFgMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6nPTy3avNgbubx+ESmD4LV1LQG
fcSh8nehEOIxGwmCPlrhTP87PaA0XvGpvRQUjCGStrlQsd8lcYVVkOaytNUCAwEA
AaAAMA0GCSqGSIb3DQEBBAUAA0EAXcMsa8eXgbG2ZhVyFkRVrI4vT8haN39/QJc9
BrRh2nOTKgfMcT9h+1Xx0wNRQ9/SIGV1y3+3abNiJmJBWnJ8Bg==
-----END CERTIFICATE REQUEST-----

Copy the entire contents of this CSR (including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines) and paste them into the enrollment form.

Step 5: Complete Application
Fill out the application form with information about your organization and its contact people.

Step 6: Authentication Takes Only 1-3 Days
VeriSign employees will now examine the information that you have submitted. If everything is accurate, you should receive your Secure Server ID by e-mail in a few days.

Your technical and organizational contacts will receive an e-mail confirming your order within a few hours of accepting the Secure Server Service Agreement and submitting your application. In the confirmation e-mail, you will receive a Personal Identification Number (PIN) and a URL where you can use that PIN to check on the processing status of your ID application.

Step 7: Install Your ID
When your Digital ID is approved, we will send it to your technical and organizational contacts by e-mail. Your Server ID will look something like the following:

-----BEGIN CERTIFICATE-----
JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrM
mIoAnBdNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQ
QLExNQZXJzb25hIENlcnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hc
mtldCBUZXN0IFNlcnZlciAxMTAwHhcNOTUwNzE5MjAyNzMwWhcNOTYw
NTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIER
hdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNvbmEgQ2VydG
lmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVyI
DExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BA
q1poGdSmGkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYim
vhbBPNqYe4yLPAgMBAAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAj
KKAefuNP+z+8NY8khckgyHN2LLpfhv+iP8m+bF66HNDUlFz8ZrVOu3W
QapgLPV90kIskNKXX3a
-----END CERTIFICATE-----

  1. Copy the certificate
    Copy all of the characters, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into a text editor such as Notepad (do not use Word or another word processing program). Make sure that the certificate appears as formatted above. In other words, make sure that the BEGIN CERTIFICATE and END CERTIFICATE lines are each on a line by themselves.

  2. Temporary Save
    Save the Secure Server ID PRIVACY-ENHANCED message to a temporary file, such as /tmp/cert.tmp.

  3. Run getca
    Specify both the name of the server that owns the ID and the name of the temporary certificate file. For example:

    # getca hostname < /tmp/cert.tmp

    Note: In some versions of SSLeay, you should use the command getversign instead of getca.

    Your Secure Server ID should now be saved as the file SSLTOP/certs/hostname.cert.

  4. Remove the temporary file
    For example:

    # rm /tmp/cert.tmp

  5. Restart the server
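
The copy-and-paste problems that step 1 above and Step 4 warn about (altered BEGIN/END lines, word-processor line endings, a truncated body) can be caught before running getca on /tmp/cert.tmp or pasting csr.pem into the enrollment form. The following check is an added example, not part of the original guide; the function name check_pem_armor and the sample files are constructed for illustration.

```shell
# Added example: check PEM armor before pasting a CSR or running getca.
# Usage: check_pem_armor <file> <label>   (label: CERTIFICATE or
# "CERTIFICATE REQUEST"). Prints the first problem found and returns 1.
check_pem_armor() {
    awk -v label="$2" '
        function bad(msg) { print FILENAME ": line " NR ": " msg; failed = 1 }
        /\r/        { bad("carriage return (DOS line ending)"); exit }
        NR == 1     { if ($0 == "-----BEGIN " label "-----") next
                      bad("BEGIN line is not exactly five dashes + label"); exit }
        ended && NF { bad("text after the END line"); exit }
        ended       { next }
        $0 == "-----END " label "-----" { ended = 1; next }
        /^-/        { bad("malformed END line"); exit }
        padded      { bad("data after base64 padding"); exit }
        $0 !~ "^[A-Za-z0-9+/]+=?=?$" { bad("non-base64 character in body"); exit }
        /=$/        { padded = 1 }
                    { n += length($0) }
        END {
            if (failed) exit 1
            if (!ended) { print FILENAME ": missing END line"; exit 1 }
            if (n == 0 || n % 4) { print FILENAME ": bad base64 length"; exit 1 }
        }
    ' "$1"
}

# Constructed samples: a placeholder body, not a real certificate.
tmp=$(mktemp -d)
body='Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ=='
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
    '-----END CERTIFICATE-----' > "$tmp/good.tmp"
# Same file with a six-dash END line, an easy slip when retyping.
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
    '------END CERTIFICATE-----' > "$tmp/sixdash.tmp"
check_pem_armor "$tmp/good.tmp" CERTIFICATE && echo "good.tmp: ok"
check_pem_armor "$tmp/sixdash.tmp" CERTIFICATE || echo "sixdash.tmp: rejected"
rm -rf "$tmp"
```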

Congratulations! Your secure Apache server is now ready to go.


 
Next Steps

Now that you've learned about the benefits of securing your Apache Web server with Secure Server IDs from VeriSign, we would like to invite you to obtain a free Test Secure Server ID to experiment with Secure Sockets Layer (SSL) encryption and the other security features on your server. After installing the SSLeay toolkit on your Apache server, please visit https://digitalid.verisign.com/server/trial/index.html for your Free 14-day Trial Server ID.

If you are ready to obtain a fully functional one-year Server ID to encrypt your server communications, please visit http://digitalid.verisign.com/server/ to enroll today!