If you installed your secure server from the RPM package provided by
Red Hat, a random key and a test certificate are generated and put into
the appropriate directories. Before you begin using your secure server,
however, you must generate your own key and obtain a certificate
which correctly identifies your server.
You need a key and a certificate to operate your secure server — which
means that you can either generate a self-signed certificate or purchase a CA-signed
certificate from a CA. What are the differences between the two?
A CA-signed certificate provides two important capabilities for your
Browsers (usually) automatically recognize the certificate and
allow a secure connection to be made, without prompting the user.
When a CA issues a signed certificate, they are guaranteeing the
identity of the organization that is providing the webpages to the
If your secure server is being accessed by the public at large, your
secure server needs a certificate signed by a CA so that people who
visit your website know that the website is owned by the organization
who claims to own it. Before signing a certificate, a CA verifies that
the organization requesting the certificate was actually who they
claimed to be.
Most Web browsers that support SSL have a list of CAs whose certificates
they automatically accept. If a browser encounters a certificate
whose authorizing CA is not in the list, the browser asks the user
to either accept or decline the connection.
You can generate a self-signed certificate for your secure server, but
be aware that a self-signed certificate does not provide the same
functionality as a CA-signed certificate. A self-signed certificate is
not automatically recognized by most Web browsers and does not provide
any guarantee concerning the identity of the organization that is
providing the website. A CA-signed certificate provides both of these
important capabilities for a secure server. If your secure server is to
be used in a production environment, a CA-signed certificate is
The process of getting a certificate from a CA is fairly easy. A quick
overview is as follows:
Create an encryption private and public key pair.
Create a certificate request based on the public key. The
certificate request contains information about your server and the
company hosting it.
Send the certificate request, along with documents proving your
identity, to a CA. Red Hat does not make recommendations on which
certificate authority to choose. Your decision may be based on your
past experiences, on the experiences of your friends or colleagues,
or purely on monetary factors.
Once you have decided upon a CA, you need to follow the
instructions they provide on how to obtain a certificate from them.
When the CA is satisfied that you are indeed who you claim to be, they
provide you with a digital certificate.
Install this certificate on your secure server and begin handling
Whether you are getting a certificate from a CA or generating your own
self-signed certificate, the first step is to generate a key. Refer to
Section 26.6 Generating a Key for instructions.