Chapter 25. Apache HTTP Secure Server Configuration

A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a "self-signed" certificate), or you can get a certificate from a CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.

Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser — users are prompted by the browser to accept the certificate and create the secure connection. Refer to Section 25.5, “Types of Certificates” for more information on the differences between self-signed and CA-signed certificates.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must install it on your secure server.

25.4. Using Pre-Existing Keys and Certificates

If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server. The following two situations provide instances where you are not able to use your existing key and certificate:

• If you are changing your IP address or domain name — Certificates are issued for a particular IP address and domain name pair. You must get a new certificate if you are changing your IP address or domain name.

• If you have a certificate from VeriSign and you are changing your server software — VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new secure server. However, you are not allowed to because VeriSign issues certificates for one specific server software and IP address/domain name combination.

If you change either of those parameters (for example, if you previously used a different secure server product), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You must obtain a new certificate.

If you have an existing key and certificate that you can use, you do not have to generate a new key and obtain a new certificate. However, you may need to move and rename the files which contain your key and certificate.

Move your existing key file to:

/etc/httpd/conf/ssl.key/server.key

Move your existing certificate file to:

/etc/httpd/conf/ssl.crt/server.crt

After you have moved your key and certificate, skip to Section 25.9, “Testing The Certificate”.

If you are upgrading from the Red Hat Secure Web Server, your old key (httpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files: