Guidelines on Securing Public Web Servers
certificate encoded in PEM format. As with the CSR, when supplying a certificate to a 
configuration wizard or even saving it to disk, the lines -----BEGIN CERTIFICATE----- and 
-----END CERTIFICATE----- are vital. Without them, the Web server application will be unable to 
interpret the base64-encoded contents of the certificate. 
-----BEGIN CERTIFICATE-----
AwIBAgIBAzANBgkqhkiG9w0BAQQFADCBzzELMAkGA1UEBhMCQ0ExEDAOBg
FyaW8xETAPBgNVBAcTCFdhdGVybG9vMR8wHQYDVQQKExZVbml2ZXJzaXR5
bG9vMSswKQYDVQQLEyJJbmZvcm1hdGlvbiBTeXN0ZW1zIGFuZCBUZWNobm
YDVQQDExxVVy9JU1QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSYwJAYJKoZI
c3QtY2FAaXN0LnV3YXRlcmxvby5jYTAeFw05ODA4MjcxNjE0NDZaFw05OT
ZaMIHGMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UE
b28xHzAdBgNVBAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xKzApBgNVBA
F0aW9uIFN5c3RlbXMgYW5kIFRlY2hub2xvZ3kxGTAXBgNVBAMTEGlzdC51
Y2ExKTAnBgkqhkiG9w0BCQEWGndlYm1hc3RlckBpc3QudXdhdGVybG9vLm
qGSIb3DQEBAQUAA4GNADCBiQKBgQCw8Sc7X4EeAxBxTPgmTd4Utau0BIqY
n2A7G5MtkMHj0triXoineuRxW9MQSQW8jMAv+xznMaL6OxnG+txyBjYx1z
81kgbypp5Usf18BonsqSe9Sl2P0opCCyclGr+i4agSP5RM5KrycTSVoKHE
MH4wOgYJYIZIAYb4QgEEBC0WK2h0dHA6Ly9pc3QudXdhdGVybG9vLmNhL3
NhLWNybC5wZW0wLQYJYIZIAYb4QgENBCAWHklzc3VpbmcgQ0EgYXNzdW1l
bGl0eTARBglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEEBQADgYEADZ
IMOSbqTQK1LUjn4uHN3BLmqxznIzdiMu4RXyxne5Uq9EA7LbttutH7fIoO
FoU1dtEvovXmA6m5G+SN8A9tIAvRGjNmphB82xGkwEXuLN0afYz5XaFo3Z
hPTgNIyYEiiSp6Qfc= 
-----END CERTIFICATE-----
Figure 7.3: Sample Encoded SSL/TLS Certificate 
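The following script is an added example, not part of the original guideline, showing the check a Web server effectively performs on a PEM file: it requires the BEGIN/END CERTIFICATE armour lines, base64-decodes the body between them, and then verifies that the decoded bytes form one complete DER SEQUENCE (which every X.509 certificate is), so a truncated or padded file is caught before it is handed to the server. The sample PEM it operates on is a constructed DER stub wrapped in PEM armour, not a real certificate; the function and variable names are the example's own.

```python
"""Validate the PEM armour and DER framing of a certificate file.
Added example; not code from the guideline.  Requires only the standard library."""
import base64
import binascii
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and return the DER bytes.

    Raises ValueError when either marker is missing or the body is not valid
    base64, which is the failure a Web server hits when an administrator pastes
    only the encoded lines into a configuration wizard.
    """
    text = pem_text.strip()
    if not text.startswith(PEM_HEADER):
        raise ValueError("missing %s line" % PEM_HEADER)
    if not text.endswith(PEM_FOOTER):
        raise ValueError("missing %s line" % PEM_FOOTER)
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    body = re.sub(r"\s+", "", body)        # line wrapping is not data
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64: %s" % exc)


def der_sequence_length(der: bytes) -> int:
    """Return the total length of the outer DER SEQUENCE (tag 0x30) in der,
    or raise ValueError if the bytes do not begin with a complete SEQUENCE.
    A mismatch between this value and len(der) means the file was truncated
    or has trailing garbage."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate_file(pem_text: str) -> dict:
    """Run both checks and report what a Web server would see."""
    der = pem_to_der(pem_text)
    return {"der_bytes": len(der), "complete": der_sequence_length(der) == len(der)}


def matches_stdlib(pem_text: str) -> bool:
    """Cross-check against the standard library's own PEM stripper,
    ssl.PEM_cert_to_DER_cert, which enforces the same two marker lines."""
    return ssl.PEM_cert_to_DER_cert(pem_text) == pem_to_der(pem_text)


# Constructed stand-in: a DER SEQUENCE wrapping a SEQUENCE holding INTEGER 2
# (the shape of the X.509 version field), armoured as PEM.  It is NOT a real
# certificate; real ones are longer but have exactly this outer framing.
_DER_STUB = bytes([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02])
SAMPLE_PEM = "\n".join([PEM_HEADER, base64.b64encode(_DER_STUB).decode("ascii"), PEM_FOOTER])

if __name__ == "__main__":
    print(check_certificate_file(SAMPLE_PEM), "stdlib agrees:", matches_stdlib(SAMPLE_PEM))
    try:                                   # the same body without its armour
        pem_to_der(base64.b64encode(_DER_STUB).decode("ascii"))
    except ValueError as exc:
        print("rejected as a server would:", exc)
```

Run it against a real server.crt by reading the file into `check_certificate_file`; a result with `complete` false means the file you were about to install is not the whole certificate, and a ValueError means the armour lines were lost in transit.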
Whatever format the SSL/TLS certificate is delivered in, administrators should take extreme 
care in securing the certificate and, above all, the private key that goes with it. The following are tips for securing them:

• Create and store a backup copy of the certificate on read-only media in case the original certificate is deleted accidentally. If the certificate is lost and cannot be recovered from backup media, a new certificate must be created.

• Create and store a backup copy of the encryption keys on read-only media in case the keys are deleted accidentally. If the keys are lost and cannot be recovered from backup media, a new key pair and certificate must be created. Note that the backup copy of the keys must be physically secured and should be encrypted as well.

• Store the original certificate and key in a folder or partition accessible only by Web or system administrators and secured by appropriate authentication mechanisms.

• Consider running a file integrity checker (e.g., Tripwire) on the Web server (see Section 8.2.2) and ensure that it is monitoring for any changes to the certificate and key files.

• Examine system logs regularly to detect unauthorized system access.
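Two of the tips above lend themselves to a small script an administrator could run from cron; what follows is an added example, not from the guideline. It (1) refuses a certificate or key file whose owner is wrong or whose mode grants any group/other access, showing the weak setting beside the corrected one, and (2) keeps a SHA-256 baseline of the files and reports modification or deletion, the kind of check a file integrity checker such as Tripwire performs. The demo builds throwaway files with constructed contents in a temporary directory; it assumes a POSIX host, and the expected owner uid is a parameter because it is site-specific.

```python
"""Permission audit and integrity baseline for a Web server's certificate
and key files.  Added example; not code from the guideline.  POSIX only."""
import hashlib
import os
import stat
import tempfile


def permission_problems(path: str, owner_uid: int = 0) -> list:
    """Return findings for one credential file (empty list == acceptable).
    owner_uid defaults to root; pass the uid that owns the server's files."""
    st = os.stat(path)
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                       # any group or other bit set
        findings.append("mode %04o grants group/other access" % mode)
    return findings


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths: list) -> dict:
    """Hash every file.  Store the result on read-only media or another host;
    a baseline kept beside the files can be edited by the same intruder."""
    return {p: sha256_file(p) for p in paths}


def changed_files(baseline: dict) -> list:
    """Compare the current state with the baseline.  A missing file is reported
    too, since deletion is exactly what the backup tips guard against."""
    changes = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            changes.append((path, "missing"))
        elif sha256_file(path) != digest:
            changes.append((path, "modified"))
    return changes


def run_demo() -> dict:
    """Exercise both checks on constructed files (not real credentials)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        crt = os.path.join(d, "server.crt")
        with open(key, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nMAUwAwIBAg==\n-----END PRIVATE KEY-----\n")
        with open(crt, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nMAUwAwIBAg==\n-----END CERTIFICATE-----\n")
        me = os.getuid()
        os.chmod(key, 0o644)                       # weak: world-readable key
        results["lax_key"] = permission_problems(key, me)
        os.chmod(key, 0o600)                       # corrected: owner only
        results["hardened_key"] = permission_problems(key, me)
        base = make_baseline([key, crt])
        results["clean"] = changed_files(base)     # nothing changed yet
        with open(crt, "a") as f:                  # simulate tampering
            f.write("tampered\n")
        os.remove(key)                             # simulate accidental deletion
        results["after_tamper"] = sorted(changed_files(base))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In production, write the baseline from `make_baseline` once at deployment, keep it off the server, and alert on a non-empty result from `changed_files`; pair it with the log review in the last tip so an unexpected change can be matched to an access event.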
If a malicious user gains unauthorized access to a Web server, the integrity of the entire server 
is lost immediately once the encryption key pair is modified or copied. Once a key in an SSL/TLS 
certificate is compromised, it can remain compromised because some CAs do not issue 