<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>How to Encrypt Your Traffic - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.png" /></div>
<div id="page-content"><div id="preamble"><h1>How to Encrypt Your Traffic</h1>
<p>This guide explains how to make your Apache HTTPD server use encryption
to transfer data between the server and its visitors. Instead of
<code>http:</code> links, you will use <code>https:</code> ones. If everything
is configured correctly, everyone who visits your site will have more
privacy and protection.</p>
<p>This manual is intended for those who are not very familiar with
SSL/TLS and ciphers, along with all the incomprehensible technical jargon (we
are joking, this topic is quite important, with
serious experts in the field and real problems to solve - but yes, it sounds like
incomprehensible technical jargon to everyone who has not dealt with it).
It is for people who have heard that their http: server is not entirely secure
nowadays; that spies and bad guys are listening; that even legitimate
companies are inserting data into their web pages and selling visitor
profiles.
</p>
<p>This guide focuses on helping you migrate your httpd server from
serving <code>http:</code> links to serving
<code>https:</code> ones, without you becoming an SSL expert first. You might
become fascinated by all this crypto and study it further until you are a real
expert. But you also might not, and still run a reasonably secure web server
and do other things good for mankind with your time.</p>
<p>You
will get a rough idea of what roles these mysterious things called "certificate"
and "private key" play and how they are used to let your visitors be sure
they are talking to your server. You will <em>not</em> be told <em>how</em>
this works, just how it is used: it's basically about passports.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#protocol">Short Introduction to Certificates, i.e. Internet Passports</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#buycert">Buy a Certificate</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#freecert">Get a Free Certificate</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="../ssl/ssl_howto.html">SSL How-To</a></li><li><a href="../mod/mod_ssl.html">mod_ssl</a></li><li><a href="../mod/mod_md.html">mod_md</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="protocol" id="protocol">Short Introduction to Certificates, i.e. Internet Passports</a><a title="Permanent link" href="#protocol" class="permalink">¶</a></h2>
<p>The TLS protocol (formerly known as SSL) is a
way for a client and a server to talk to each other without anyone else
listening or, rather, understanding a thing. It is what your browser uses when
you open an https: link.</p>
<p>In addition to having a private conversation
with a server, your browser also needs to know that it is really talking to the
server - and not to someone else acting like it. That, next to the encryption, is
the other part of the TLS protocol.</p>
<p>In order to do that, your server
needs not only the software for TLS, e.g. the <a href="../mod/mod_ssl.html">mod_ssl</a> module, but also some sort of identity
proof on the Internet. This is commonly referred to as a <em>certificate</em>.
Basically, everyone has the same mod_ssl and can encrypt, but only you have
<em>your</em> certificate and with that, you are you.</p>
<p>A certificate
is the digital equivalent of a passport. It contains two things: a stamp of
approval from the people issuing the passport and a reference to your digital
fingerprints, i.e. what is called a <em>private key</em> in encryption terms.</p>
<p>When you configure your Apache httpd for https: links, you need to
give it the certificate and the private key. If you never give the key to
anyone else, only you will be able to prove to visitors that the certificate
belongs to you. That way, a browser talking to your server a second time will
be sure that it is indeed the very same server it talked to before.</p>
<p>But how does it know that it is the real server, the first time it starts
talking to someone? Here, the digital rubber stamping comes into play. The
rubber stamp is done by someone else, using her own private key. That person
also has a certificate, i.e. her own passport. The browser can make sure that
this passport is based on the same key that was used to rubber stamp your
server passport. Now, instead of making sure that your passport is correct, it
must make sure that the passport of the person that says <em>your</em>
passport is correct, is correct.</p>
<p>And that passport is also rubber
stamped digitally, by someone else with a key and a certificate. So the
browser only needs to make sure that <em>that</em> one is correct that says it
is correct to trust the one that says your server is correct. This trusting
game can go to a few or many levels (usually fewer than 5).</p>
<p>In the
end, the browser will encounter a passport that is stamped by its own key.
It's a Gloria Gaynor certificate that says "I am what I am!". The browser then
either trusts this Gloria or not. If not, your server is also not trusted.
Otherwise, it is. Simple.</p>
<p>The trust check for the Gloria Gaynors of
the Internet is easy: your browser (or your operating system) comes with a list
of Gloria passports to trust, pre-installed. If it sees a Gloria certificate,
it is either in this list or not to be trusted.</p>
<p>This whole thing
works as long as everyone keeps his private keys to himself. Anyone copying
such a key can impersonate the key owner. And if the owner can rubber stamp
passports, the impersonator can also do that. And all the passports stamped by
an impersonator, all those certificates, will look 100% valid,
indistinguishable from the "real" ones.</p>
<p>So, this trust model works,
but it has its limits. That is why browser makers are so keen on having the
correct Gloria Gaynor lists and threaten to expel from them anyone who is
careless with her keys.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="buycert" id="buycert">Buy a Certificate</a><a title="Permanent link" href="#buycert" class="permalink">¶</a></h2>
<p>Well, you can
buy one. There are many companies selling Internet passports as a
service. In <a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list from
Mozilla</a> you will find all the companies that the Firefox browser
trusts. Pick one, visit its website, and it will tell you its various
prices and how to prove your identity, that you are who you say you
are, so that it can issue your passport with confidence.</p>
<p>They all have their own methods, also depending on what kind of passport you
apply for, and it's probably some sort of click web interface in a browser.
They may send you an email that you need to answer or do something else. In
the end, they will show you how to generate your own, unique private key and
issue you a stamped passport matching it.</p>
<p>You then place
the key in one file, the certificate in another. Put these on your server, make
sure that only a trusted user can read the key file and add them to your httpd
configuration. This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.</p>
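<p>The file handling described above, as an added example that is not part of the original manual: a POSIX shell pre-flight that checks the key file grants nothing to group or others and that the certificate carries the public key belonging to that private key. It assumes the <code>openssl</code> command-line tool is installed; the function names and file paths are hypothetical.</p>

```shell
#!/bin/sh
# Added example: checks to run before pointing httpd at a key/certificate pair.
# In the httpd configuration the two files are then named with mod_ssl's
#   SSLCertificateFile    /path/to/server.crt   (placeholder path)
#   SSLCertificateKeyFile /path/to/server.key   (placeholder path)

# key_is_private FILE
# Succeeds only if FILE is a regular file, not a symlink, and its mode grants
# nothing to group or others (for example 0600 or 0400).
key_is_private() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        return 1
    fi
    mode=$(ls -ld -- "$1" | cut -c5-10)   # the six group/other permission characters
    [ "$mode" = "------" ]
}

# cert_matches_key CERT KEY
# Succeeds only if the public key inside the certificate is the one derived
# from the private key, i.e. the passport really belongs to this key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] || return 1
    [ "$from_cert" = "$from_key" ]
}

# preflight CERT KEY: run both checks, report each problem, return non-zero on any.
preflight() {
    status=0
    if ! key_is_private "$2"; then
        echo "FAIL: $2 is missing, a symlink, or accessible to group/others"
        status=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 does not carry the public key of $2"
        status=1
    fi
    return "$status"
}

# Run as: sh preflight.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```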
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="freecert" id="freecert">Get a Free Certificate</a><a title="Permanent link" href="#freecert" class="permalink">¶</a></h2>
<p>There are also
companies that offer free certificates for web servers. The pioneer
in this is <a href="https://letsencrypt.org">Let's Encrypt</a>, which is a
service of the non-profit <a href="">Internet
Security Research Group (ISRG)</a>, created to "reduce the financial,
technological, and educational barriers to securing communications on the Internet."</p>
<p>They not only offer free certificates, they have also developed
an interface that your Apache httpd can use to obtain one. This is
where <a href="../mod/mod_md.html">mod_md</a> comes into play.</p>
<p>(zoom
out the camera on how to configure mod_md and virtual host...)</p> </div></div>
<div id="footer">
<p class="apache">Copyright 2018 The Apache Software Foundation.<br />Licensed under the terms of the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}
//--><!]]></script>
</body></html>