Guidelines on Securing Public Web Servers
revocation information and many client implementations do not obtain or process revocation information.
For many organizations, a certificate issued by a third-party CA is not required. In those instances, the organization may wish to self-sign their Web server certificate. Although this will not provide users the same verification provided by a third-party CA, it avoids the cost of purchasing and renewing a certificate.
A self-signed certificate is signed by the Web server itself rather than by a third-party CA. Three limitations of self-signed certificates must be considered:

• Browsers will not automatically recognize the certificate and allow a secure connection to be made without first prompting the user. Organizations can configure the Web browsers used by their employees to recognize the self-signed certificate, but the public at large will still get the notification.

• When CAs issue a signed certificate, they are guaranteeing the identity of the organization and the Web server that is providing the Web pages to the browser. With a self-signed certificate, the Web server is "guaranteeing" its own identity. Thus, use of a third-party CA will often be required for sensitive transactions with the public at large, such as e-commerce and e-government applications.

• The security services provided using this certificate depend entirely upon the security of the mechanism used for distribution. Where organizations install the certificate as part of browser configuration, acceptable levels of security may be achieved. Public users accepting the certificate upon access to the site are provided little real security.
Although the sequence of steps is not identical for all Web servers, the implementation of a self-signed certificate for a Web server includes at least two steps:

• Generating a public and private key pair

• Creating a self-signed certificate.
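As an added example (not part of SP 800-44), the two steps above carried out with the OpenSSL command line, followed by two checks an administrator would run before installing the files on the server: that the certificate really is self-signed (its issuer is its own subject, which is why browsers have no third party to consult and prompt the user) and that it matches the private key. It assumes OpenSSL 1.1.1 or later; the hostname, output directory and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from SP 800-44: carry out the two steps above with the
# OpenSSL command line and check the result before installing it on the server.
# Assumes OpenSSL 1.1.1 or later. The hostname and output directory are
# placeholders chosen for this example.
set -eu

# Steps 1 and 2 in one command: -newkey generates the key pair, -x509 makes
# `req` emit a self-signed certificate instead of a certificate signing request.
# -nodes leaves the private key unencrypted so the server can start unattended.
make_self_signed() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key must not be readable by others
}

# A self-signed certificate is one whose issuer is its own subject; this is
# exactly why a browser has no third party to ask and prompts the user instead.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The public key inside the certificate must be the one derived from the
# private key the server will load, or the TLS handshake will fail.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Usage: sh self_signed.sh demo   (script name is a placeholder)
if [ "${1:-}" = "demo" ]; then
    make_self_signed ./tls www.example.test 365
    is_self_signed ./tls/server.crt && echo "server.crt is self-signed"
    key_matches_cert ./tls/server.crt ./tls/server.key && echo "server.key matches server.crt"
fi
```

The remaining steps (turning off SSL 2.0, restricting cipher suites, pointing the server at these two files and at TCP port 443) are directives in the Web server's own configuration and are not shown here.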
Once a certificate has been collected from the CA or self-generated, it will be necessary to enable and configure SSL. Some steps are common to all Web servers:

• Turn off SSL 2.0

• Configure SSL/TLS to restrict cryptographic algorithms to the selected cipher suite(s) (see Section 7.5.4).

• Indicate the location of the SSL/TLS certificate and instruct the server to start using SSL/TLS. In certain cases, the Web server must be instructed to begin using SSL/TLS, and even told the exact location of the SSL/TLS certificate and private keys if they were stored as files on the hard drive.

• Instruct the server to listen on TCP port 443. This is the default TCP port from which SSL/TLS resources are accessed by clients (other ports can be used). In most cases, if the server was not previously using SSL/TLS, this port would be disabled for security