Internet security is a very high-profile subject in today's world. Secure Sockets Layer (SSL) support is an important component in ensuring end-to-end security for your Web transactions. SSL provides a basic mechanism for the encryption of data being transmitted over the Internet. This encryption prevents anyone who might acquire your network data from being able to read it. While the enhanced privacy of SSL may sound wonderful, it comes at a price. Encryption and decryption are expensive operations for a computer. It is wise to only enable SSL on those portions of a Web site that require a high level of privacy. One approach that has been successful is to implement the secure portions of your Web site using a different URL from your main Web site URL. For example, use www.osxit.com for your main Web site and secure.osxit.com for your secure Web site. This will allow you to separate the two portions, even across two separate servers if necessary. Additionally, since SSL is implemented at the sockets layer, it is impossible to implement virtual hosting using SSL. This means that each Web site that will be using SSL must have its own IP address. The implementation of the SSL protocol uses encrypted certificates to share the components of the asymmetric encryption key. Don't worry; you don't have to understand all of the encryption terms to be able to implement SSL for your Web site. Please note that adding SSL to your Web site does not mean that your Web site is now secure. In fact, the only thing that SSL accomplishes is the encryption of the Web site data as it passes back and forth between the server and the browser. Before you can enable SSL for your Web site(s), you must obtain or create a certificate. You can either create your own certificate (discussed in the following section) or purchase one from a third-party vendor, such as Thawte or VeriSign. Generating your own certificates Mac OS X Server has a convenient way to create certificates and Certificate Signing Requests with the Server Admin tool. You will need to have a fully qualified domain name for your Web site handy. Self-signed certificates are not signed by a certificate authority. You might want to use them to save money. Deploying self-signed certificates to many computers represents a challenge for administrators, as your client systems will not trust your self-signed certificate by default. One way around this issue is via the certtool command-line tool, which can be used to allow a certificate to be trusted. Please refer to the certtool manual page for more information. To create a self-signed certificate 1. | Select the name of your server in the Computer & Services list (Figure 9.14). Figure 9.14. Selecting your server in the list within Server Admin. | 2. | Click the Settings tab and then the Certificates tab (Figure 9.15). Figure 9.15. The Certificates tab within Server Admin permits the creation of certificates. The screen shows a default certificate that was created when you set up your server, but you can ignore it. | | | 3. | Click the plus button at the bottom of the window and fill in the various fields with the following caveats (Figure 9.16): - Common Name is the fully qualified name of your site.
- City and state names should be spelled out.
- Passphrases are used mostly when you are sending the private key elsewhere. However, it is not really necessary to have a passphrase for the private key, since Mac OS X Server already keeps it securely in a system keychain.
Figure 9.16. Entering information to create the certificate. | 4. | Click the back arrow when you have finished to see your self-signed certificate is listed in the Certificates tab (Figure 9.17). Figure 9.17. Viewing the default certificate and the newly created certificate. | 5. | When you've finished making changes, click Save. | 6. | Launch Keychain Access and view the System keychain (Figure 9.18). Figure 9.18. The Keychain on the server holds both keys and the certificate for your site. See Chapter 2, "Server Tools," for instructions on launching the various tools described in this book. You will see the public and private keys, and the certificate itself. You can now use the certificate with your Web site. | To enable SSL on a Web site 1. | Launch Server Admin, select Web from the Computers & Services list, click the Settings tab at the bottom of the screen, click the Sites tab, double-click on the site you want to edit, and click the Security tab (Figure 9.19). Figure 9.19. The Security tab for a single Web site. | 2. | Click the Enable Secure Sockets Layer (SSL) check box. A dialog appears, notifying you that your Web site will now be available over port 443 instead or port 80 (Figure 9.20). This means users will have to type in https:// instead of http:// to access your site. The Web performance cache has also automatically been turned off for this particular site. Figure 9.20. Automatic alert indicating the default port has changed for the selected site. | 3. | From the Certificate pop-up menu, choose your newly created certificate (Figure 9.21). Figure 9.21. Selecting the created certificate from the pop-up menu. | 4. | If you want to change the location of the log file, enter it in the SSL log field and click Save. | 5. | In the dialog that appears, click Restart to restart the Web service (Figure 9.22). Figure 9.22. The dialog asks you to restart the Web service. | | | 6. | To test your Web site, type the URL in a browser. You will probably get a message that your browser is unable to verify the certificate (Figure 9.23). This is because the certificate you're using was not signed by a provider that your systems trusts by default. Figure 9.23. Certificate trust warning dialog when entering a site whose certificate cannot be authenticated via a known and trusted certificate authority. Since you created the certificate, you trust ityou just need to tell that to your browser. Depending on the browser you use, the next few steps may not be the same, but you can follow along. | 7. | In the Safari dialog, you would click Show Certificate to see the details of the certificate in the keychain. | 8. | Click the "Always trust these certificates" check box and click Continue (Figure 9.24). Figure 9.24. Viewing a certificate and placing a check mark in the Always trust... check box. | 9. | Enter your administrator password in the standard authentication dialog that appears to add the new certificate to your System keychain. | 10. | Reload the site so that you are not notified of the certificate discrepancy again. | |