1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>How to Encrypt Your Traffic - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>How to Encrypt Your Traffic</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/howto/encrypt.html" title="English"> en </a> |
<a href="../es/howto/encrypt.html" hreflang="es" rel="alternate" title="Espa�ol"> es </a></p>
</div>
<p>This is the how to guide for making your Apache httpd use encryption to transfer
data between you and your visitors. Instead of http: links, your site will use
https: ones and, if everything is setup correctly, people visiting your site will
have their privacy better protected.
</p>
<p>
This How-To is intended for people that are not really into SSL/TLS and ciphers
and all this crypto techno-babble (We are joking, it's a serious field with
serious experts and real problems to solve - but it sounds like techno-babble to
anyone not intimate with it). People who have heard that their http: server is
not really secure enough nowadays. That spies and bad guys are listening. That even
legitimate corporations are inserting data into their web pages and selling
profiles of visitors.
</p>
<p>
This guide wants to help you migrate your httpd server from serving insecure http: links
to encrypted https: ones, without you becoming a SSL expert first. You might get
fascinated by all this crypto things and study it more and become a real expert. But
you also might not, run a reasonably secure web server nevertheless and do other
things good for mankind with your time.
</p>
<p>
You will get a rough idea what roles these mysterious things called "certificate" and
"private key" play and how they are used to let your visitors be sure they are talking
to your server. You will <em>not</em> be told <em>how</em> this works, just how it
is used: it's basically about passports.
</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#protocol">A short Introduction Certificates, e.g. Internet Passports</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#buycert">Buy a Certificate</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#freecert">Get a Free Certificate</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="../ssl/ssl_howto.html">SSL How-To</a></li><li><a href="../mod/mod_ssl.html">mod_ssl</a></li><li><a href="../mod/mod_md.html">mod_md</a></li><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="protocol" id="protocol">A short Introduction Certificates, e.g. Internet Passports</a> <a title="Permanent link" href="#protocol" class="permalink">¶</a></h2>
<p>
The TLS protocol (formerly known as SSL) is a way a client and a server
can talk to each other without anyone else listening, or better understanding
a thing. It is what your browser uses when you open a https: link.
</p>
<p>
In addition to having a private conversation with a server, your browser also needs
to know that it really talks to the server - and not someone else acting like it. That,
next to the encryption, is the other part of the TLS protocol.
</p>
<p>
In order to do that, your server does not only need the software for TLS, e.g. the
<a href="../mod/mod_http2.html">mod_ssl</a> module, but some sort of identity proof
on the Internet. This is commonly referred to as a <em>certificate</em>. Basically, everyone
has the same mod_ssl and can encrypt, but only your have <em>your</em> certificate
and with that, you are you.
</p>
<p>
A certificate is the digital equivalent of a passport. It contains two things: a stamp
of approval from the people issuing the passport and a reference to your digital
fingerprints, e.g. what is called a <em>private key</em> in encryption terms.
</p>
<p>
When you configure your Apache httpd for https: links, you need to give it the certificate and
the private key. If you never give the key to anyone else, only you will be able to prove
to visitors that the certificate belongs to you. That way, a browser talking to your
server a second time will be sure that it is indeed the very same server it talked
to before.
</p>
<p>
But how does it know that it is the real server, the first time it starts talking to
someone? Here, the digital rubber stamping comes into play. The rubber stamp is done
by someone else, using her own private key. That person has also a certificate, e.g.
her own passport. The browser can make sure that this passport is based on the same
key that was used to rubber stamp your server passport. Now, instead of making sure
that your passport is correct, it must make sure that the passport of the person that
says <em>your</em> passport is correct, is correct.
</p>
<p>
And that passport is also rubber stamped digitally, by someone else with a key and a
certificate. So the browser only needs to make sure that <em>that</em> one is correct
that says it is correct to trust the one that says your server is correct. This trusting
game can go to a few or many levels (usually less than 5).
</p>
<p>
In the end, the browser will encounter a passport that is stamped by its own key. It's
a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust
this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
</p>
<p>
The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your
operating system) comes with list of Gloria passports to trust, pre-installed. If it
sees a Gloria certificate, it is either in this list or not to be trusted.
</p>
<p>
This whole thing works as long as everyone keeps his private keys to himself. Anyone copying
such a key can impersonate the key owner. And if the owner can rubber stamp passports, the
impersonator can also do that. And all the passports stamped by an impersonator,
all those certificates will look 100% valid, indistinguishable from the "real" ones.
</p>
<p>
So, this trust model works, but it has its limits. That is why browser makers are so keen
on having the correct Gloria Gaynor lists and threaten to expel anyone from it that
is careless with her keys.
</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="buycert" id="buycert">Buy a Certificate</a> <a title="Permanent link" href="#buycert" class="permalink">¶</a></h2>
<p>
Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In
<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list
from Mozilla</a> you find all companies that the Firefox browser trusts. Pick one, visit their
website and they will tell you what it costs. And how you need to prove that you are who
you claim to be so they can rubber stamp your passport with confidence.
</p>
<p>
They all have their own methods, also depending on what kind of passport you apply for, and
it's probably some sort of click web interface in a browser. They may send you an email that
you need to answer or do something else. In the end, they will show you how to generate
your own, unique private key and issue you a stamped passport matching it.
</p>
<p>
You then place the key in one file, the certificate in another. Put these on your server, make
sure that only a trusted user can read the key file and add it to your httpd configuration.
This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.
</p>
<p>
</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="freecert" id="freecert">Get a Free Certificate</a> <a title="Permanent link" href="#freecert" class="permalink">¶</a></h2>
<p>
There are also companies that offer certificates for web servers free of charge. The pioneer
in this is <a href="https://letsencrypt.org">Let's Encrypt</a> which is a service of the
<a href="">Internet Security Research Group (ISRG)</a>, a not-for-profit organization to
"reduce financial, technological, and education barriers to secure communication over the
Internet."
</p>
<p>
They not only offer free certificates, they also developed an interface that can be used by
your Apache httpd to get one. This is where <a href="../mod/mod_md.html">mod_md</a>
comes in.
</p>
<p>
(zoom out the camera on how to configure mod_md and virtual host...)
</p>
</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/howto/encrypt.html" title="English"> en </a> |
<a href="../es/howto/encrypt.html" hreflang="es" rel="alternate" title="Espa�ol"> es </a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/trunk/howto/encrypt.html';
(function(w, d) {
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
d.write('<div id="comments_thread"><\/div>');
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
}
else {
d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
}
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}
//--><!]]></script>
</body></html>
|