[deployment-guide/comm-rel: 645/727] Changed the order of sections a little.
Jaromir Hradilek
jhradile at fedoraproject.org
Tue Oct 19 13:19:53 UTC 2010
commit cc937cf80227d57feedc93fbc98158914ffaf0d5
Author: Jaromir Hradilek <jhradile at redhat.com>
Date: Mon Sep 13 17:54:48 2010 +0200
Changed the order of sections a little.
en-US/The_Apache_HTTP_Server.xml | 110 +++++++++++++++++++-------------------
1 files changed, 55 insertions(+), 55 deletions(-)
---
diff --git a/en-US/The_Apache_HTTP_Server.xml b/en-US/The_Apache_HTTP_Server.xml
index 63e88f6..d6d924a 100644
--- a/en-US/The_Apache_HTTP_Server.xml
+++ b/en-US/The_Apache_HTTP_Server.xml
@@ -2948,16 +2948,6 @@ ErrorDocument 404 /404-not_found.html</screen>
<para>
Unlike a regular HTTP connection that can be read and possibly modified by anybody who is able to intercept it, the use of <systemitem class="resource">mod_ssl</systemitem> prevents any inspection or modification of the transmitted content. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.
</para>
- <section id="s2-apache-mod_ssl-enabling">
- <title>Enabling the <systemitem class="resource">mod_ssl</systemitem> Module</title>
- <para>
- If you intend to set up an SSL server, make sure you have the <package>mod_ssl</package> (the <systemitem class="resource">mod_ssl</systemitem> module) and <package>openssl</package> (the OpenSSL toolkit) packages installed. To do so, type the following at a shell prompt:
- </para>
- <screen>~]# <command>yum install mod_ssl openssl</command></screen>
- <para>
- This will create the <systemitem class="resource">mod_ssl</systemitem> configuration file at <filename>/etc/httpd/conf.d/ssl.conf</filename>, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
- </para>
- </section>
<section id="s2-secureserver-overview-certs">
<title>An Overview of Certificates and Security</title>
<para>Secure communication depends upon the use of keys (think of them as secret encoder/decoder rings in data format). In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other's transmissions. In public or asymmetric cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key a secret and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.</para>
@@ -3033,51 +3023,6 @@ ErrorDocument 404 /404-not_found.html</screen>
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must install it on your secure server.
</para>
</section>
- <section id="s2-apache-mod_ssl-keypair">
- <title>Using an Existing Key and Certificate</title>
- <para>
- If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are only two situations where this is not possible:
- </para>
- <orderedlist>
- <listitem>
- <para>
- <emphasis>You are changing the IP address or domain name.</emphasis>
- </para>
- <para>
- Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis>You have a certificate from VeriSign, and you are changing the server software.</emphasis>
- </para>
- <para>
- VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.
- </para>
- </listitem>
- </orderedlist>
- <para>
- In either of the above cases, you will need to obtain a new certificate. For more information on this topic, refer to <xref linkend="s2-apache-mod_ssl-genkey" />.
- </para>
- <para>
- If you wish to use an existing key and certificate, move the relevant files to the <filename class="directory">/etc/pki/tls/private/</filename> and <filename class="directory">/etc/pki/tls/certs/</filename> directories respectively. You can do so by typing the following commands:
- </para>
- <screen>~]# <command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>domain_name</replaceable>.key</filename>
-~]# <command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>domain_name</replaceable>.crt</filename></screen>
- <para>
- Then add the following lines to the <filename>/etc/httpd/conf.d/ssl.conf</filename> configuration file:
- </para>
- <screen>SSLCertificateFile /etc/pki/tls/certs/<replaceable>domain_name</replaceable>.crt
-SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>domain_name</replaceable>.key</screen>
- <para>
- To load the updated configuration, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
- </para>
- <example id="example-apache-mod_ssl-keypair">
- <title>Using a key and certificate from the <application>Red Hat Secure Web Server</application></title>
- <screen>~]# <command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key</command>
-~]# <command>mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt</command></screen>
- </example>
- </section>
<section id="s2-secureserver-certs">
<title>Types of Certificates</title>
<para>
@@ -3147,6 +3092,61 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>domain_name</replaceable
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. Refer to <xref linkend="s2-secureserver-generatingkey" /> for instructions.
</para>
</section>
+ <section id="s2-apache-mod_ssl-enabling">
+ <title>Enabling the <systemitem class="resource">mod_ssl</systemitem> Module</title>
+ <para>
+ If you intend to set up an SSL server, make sure you have the <package>mod_ssl</package> (the <systemitem class="resource">mod_ssl</systemitem> module) and <package>openssl</package> (the OpenSSL toolkit) packages installed. To do so, type the following at a shell prompt:
+ </para>
+ <screen>~]# <command>yum install mod_ssl openssl</command></screen>
+ <para>
+ This will create the <systemitem class="resource">mod_ssl</systemitem> configuration file at <filename>/etc/httpd/conf.d/ssl.conf</filename>, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
+ </para>
+ </section>
+ <section id="s2-apache-mod_ssl-keypair">
+ <title>Using an Existing Key and Certificate</title>
+ <para>
+ If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are only two situations where this is not possible:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ <emphasis>You are changing the IP address or domain name.</emphasis>
+ </para>
+ <para>
+ Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis>You have a certificate from VeriSign, and you are changing the server software.</emphasis>
+ </para>
+ <para>
+ VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.
+ </para>
+ </listitem>
+ </orderedlist>
+ <para>
+ In either of the above cases, you will need to obtain a new certificate. For more information on this topic, refer to <xref linkend="s2-apache-mod_ssl-genkey" />.
+ </para>
+ <para>
+ If you wish to use an existing key and certificate, move the relevant files to the <filename class="directory">/etc/pki/tls/private/</filename> and <filename class="directory">/etc/pki/tls/certs/</filename> directories respectively. You can do so by typing the following commands:
+ </para>
+ <screen>~]# <command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>domain_name</replaceable>.key</filename>
+~]# <command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>domain_name</replaceable>.crt</filename></screen>
+ <para>
+ Then add the following lines to the <filename>/etc/httpd/conf.d/ssl.conf</filename> configuration file:
+ </para>
+ <screen>SSLCertificateFile /etc/pki/tls/certs/<replaceable>domain_name</replaceable>.crt
+SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>domain_name</replaceable>.key</screen>
+ <para>
+ To load the updated configuration, restart the <systemitem class="service">httpd</systemitem> service as described in <xref linkend="s3-apache-running-restarting" />.
+ </para>
+ <example id="example-apache-mod_ssl-keypair">
+ <title>Using a key and certificate from the <application>Red Hat Secure Web Server</application></title>
+ <screen>~]# <command>mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key</command>
+~]# <command>mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt</command></screen>
+ </example>
+ </section>
<section id="s2-apache-mod_ssl-genkey">
<title>Generating a New Key and Certificate</title>
<para>
More information about the docs-commits
mailing list