Secure Socket Layer

Introduction
The Secure Socket Layer (SSL) is a protocol independent transport layer for sending encrypted information over the Internet. SSL provides encryption preventing eves-droppers from being able to see the information. It also provides authentication to prevent people spoofing their identity. The SSL protocol is an open specification backed by all major vendors including Microsoft and Netscape.

Concepts
The SSL protocol uses public key cryptography. The server has a certificate that includes a public key. At the start of an SSL session, the server sends the browser this certificate. The browser then generates a random number that is used as the session-key. The browser then encrypts this with the server's public key, so only the server can decrypt it with the server's private-key. A session key has now been exchanged that is known only by the browser and the server. This session-key is then used as the key encode data for the rest of the session.

The certificate contains information about the server, and the organisation that runs it. Certificates need to be signed by Certificate Authorities to guarantee that the organisation running the server is who they say they are. In order to get a signed certificate, you must create a Certificate Request and send that to a Certificate Authority along with appropriate documentation to prove your identity.

For test purposes you can create a self-signed certificate. This allows for data to sent encrypted, but the browser will not be able to check that you're not pretending to be someone else.

Creating a Private Key
Before you create a private key, you must first appreciate its value. If anyone was to get hold of your private key, they could decrypt all your encrypted communication. They could also masquerade as you, and take credit-card orders pretending to be you. It is therefore of great importance, that once you generate your key, you keep it secret. For security reasons you should not transmit your private key over a network. For this reason the tools provided to create keys are command line only and have no web interface. A program called cert is provided for this purpose. It lives in the $ZEUSHOME/web/bin directory.

Usage: cert -new -type private -out <private_key_file>
This file will be created with permissions, so that only the user who created the key can read it.

Creating a Certificate Request
For an SSL enabled browser to connect seamlessly to your site you must now have your new private key signed by a Certificate Authority (CA). The CA will require an X509 certificate request in order to return you a signed key. The cert program can be used to create an appropriate request.

Usage : cert -new -type request -key <private_key_file>
	     -out <outfile>
The output file can now be send to a certificate request, who will, for a fee, return you back a signed certificate request. Zeus recommends Thawte Consulting as the best certificate authority to use with your Zeus Server.

Creating a Self-Signed Certificate
For test purposes, you might just want to create a certificate that you sign yourself. This avoids the delays and costs of getting a certificate authority to validate your identity. Self-signed certificates are not supported by all browsers, so they should only really be used for test purposes.

To created a self signed certificate use the following command

Usage : cert -new -type public -key <private_key_file;> 
	     -out <output_file>
This will produce a self signed certificate containing your public key.

Making a Server Secure
In order to make a virtual server secure you need to follow these instructions.