[deployment-guide/comm-rel: 640/727] Updated the Using an Existing Key and Certificate section.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:19:27 UTC 2010


commit c72ed7a5b0e96af12cf26fce89363b539d864fa3
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Mon Sep 13 16:34:04 2010 +0200

    Updated the Using an Existing Key and Certificate section.

 en-US/The_Apache_HTTP_Server.xml |   50 +++++++++++++------------------------
 1 files changed, 18 insertions(+), 32 deletions(-)
---
diff --git a/en-US/The_Apache_HTTP_Server.xml b/en-US/The_Apache_HTTP_Server.xml
index e981282..c41b9a5 100644
--- a/en-US/The_Apache_HTTP_Server.xml
+++ b/en-US/The_Apache_HTTP_Server.xml
@@ -2957,15 +2957,6 @@ ErrorDocument 404 /404-not_found.html</screen>
       <para>
         This will create the <systemitem class="resource">mod_ssl</systemitem> configuration file at <filename>/etc/httpd/conf.d/ssl.conf</filename>, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
       </para>
-      <!-- TODO: Move the following paragraphs elsewhere.
-      <para>
-        Additionally, you should also install the <package>crypto-utils</package> package that provides a set of utilities to generate and manage <acronym>SSL</acronym> certificates and private keys, including the <command>genkey</command> utility described below:
-      </para>
-      <screen>~]# <command>yum install httpd mod_ssl openssl crypto-utils</command></screen>
-      <para>
-        For more information on how to install new packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
-      </para>
-      -->
     </section>
     <section id="s2-secureserver-overview-certs">
       <title>An Overview of Certificates and Security</title>
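Review bot: dropping the commented-out block removes the only installation step for the crypto-utils package, which the deleted text itself says provides the genkey utility "described below"; before deleting rather than relocating it, confirm that `yum install httpd mod_ssl openssl crypto-utils` (or an equivalent prerequisite) reappears where genkey is introduced later in this chapter, otherwise that procedure has no install step.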
@@ -3042,45 +3033,40 @@ ErrorDocument 404 /404-not_found.html</screen>
         Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must install it on your secure server.
       </para>
     </section>
-    <section id="s1-secureserver-oldcert">
-      <title>Using Pre-Existing Keys and Certificates</title>
+    <section id="s2-apache-mod_ssl-keypair">
+      <title>Using an Existing Key and Certificate</title>
       <para>
-        If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server. The following two situations provide instances where you are not able to use your existing key and certificate:
+        If you have a previously created key and certificate pair, you can configure the SSL server to use it instead of creating a new one. However, there are two exceptions to this:
       </para>
-      <itemizedlist>
+      <orderedlist>
         <listitem>
           <para>
-            <emphasis>If you are changing your IP address or domain name</emphasis> — Certificates are issued for a particular IP address and domain name pair. You must get a new certificate if you are changing your IP address or domain name.
+            <emphasis>You are changing the IP address or domain name.</emphasis>
+          </para>
+          <para>
+            Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.
           </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>If you have a certificate from VeriSign and you are changing your server software</emphasis> — VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new secure server. However, you are not be allowed to because VeriSign issues certificates for one specific server software and IP address/domain name combination.
+            <emphasis>You have a certificate from VeriSign, and you are changing the server software.</emphasis>
           </para>
           <para>
-            If you change either of those parameters (for example, if you previously used a different secure server product), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You must obtain a new certificate.
+             VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.
           </para>
         </listitem>
-      </itemizedlist>
-      <para>
-        If you have an existing key and certificate that you can use, you do not have to generate a new key and obtain a new certificate. However, you may need to move and rename the files which contain your key and certificate.
-      </para>
-      <para>
-        Move your existing key file to:
-      </para>
-      <screen><filename>/etc/pki/tls/private/server.key</filename></screen>
-      <para>
-        Move your existing certificate file to:
-      </para>
-      <screen><filename>/etc/pki/tls/certs/server.crt</filename></screen>
+      </orderedlist>
       <para>
-        If you are upgrading from the Red Hat Secure Web Server, your old key (<filename>httpsd.key</filename>) and certificate (<filename>httpsd.crt</filename>) are located in <filename>/etc/httpd/conf/</filename>. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
+        In either of the above cases, you will need to obtain a new certificate.
       </para>
-      <screen><command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/server.key mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/server.crt</command></screen>
       <para>
-        Then, start your secure server with the command:
+        To configure the <acronym>SSL</acronym> server to use an existing key and certificate, move the relevant files to <filename>/etc/pki/tls/private/<replaceable>domain_name</replaceable>.key</filename> and <filename>/etc/pki/tls/certs/<replaceable>domain_name</replaceable>.crt</filename> respectively, and restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
       </para>
-      <screen><command>/sbin/service httpd start</command></screen>
+      <example id="example-apache-mod_ssl-keypair">
+        <title>Upgrading from the <application>Red Hat Secure Web Server</application></title>
+        <screen>~]# <command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key</command>
+~]# <command>mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt</command></screen>
+      </example>
     </section>
     <section id="s2-secureserver-certs">
       <title>Types of Certificates</title>
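Review bot: the new paragraph tells the reader to move the files to `/etc/pki/tls/private/domain_name.key` and `/etc/pki/tls/certs/domain_name.crt` and restart httpd, but says nothing about pointing the `SSLCertificateFile` and `SSLCertificateKeyFile` directives in `/etc/pki/tls/conf.d/ssl.conf` (referenced as `/etc/httpd/conf.d/ssl.conf` in the first hunk) at those names; the old text relied on fixed `server.key`/`server.crt` names, so a sentence on editing the directives is needed or the restart will not pick up the moved pair. Also, the section id changes from `s1-secureserver-oldcert` to `s2-apache-mod_ssl-keypair`, so any `<xref linkend="s1-secureserver-oldcert"/>` elsewhere in the book now dangles and should be updated in this commit; and the `<para>` beginning "VeriSign, a widely used certificate authority" has one extra leading space compared with the surrounding indentation.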
