SteelHead™ Deployment Guide - Protocols : SSL Deployments : Interacting with SSL-Enabled Web Servers
  
Interacting with SSL-Enabled Web Servers
This section describes how to obtain the server certificate and private key on two Web servers: Apache and Microsoft IIS. This section includes the following topics:
  • Obtaining the Server Certificate and Private Key
  • Generating Self-Signed Certificates
  • Obtaining the Server Certificate and Private Key
    SSL is a protocol that enables the underlying application to transmit data securely over an insecure network. At the very foundation of SSL is the assumption that an authenticated party (for example, a Web server) has exclusive access to its private key. If any other entity has this private key, it can mount a man-in-the-middle attack on a connection to the authenticated party.
    SteelHeads optimize SSL traffic when you configure the server-side SteelHead with the server's certificate and private key, which enables it to intercept all SSL connections to the server.
    Apache Certificates and Private Keys
    The following procedures explain how to locate the Apache server certificate and private key and import them into the server-side SteelHead.
    To obtain the server certificate and private key from an Apache-based Web server
    Locate the Apache httpd.conf configuration file.
    Look through the file for lines beginning with SSLCertificateFile and SSLCertificateKeyFile, for example:
    SSLCertificateFile /etc/foo/bar/server.crt
    SSLCertificateKeyFile /etc/foo/bar/server.key
    The filename following SSLCertificateFile is the server certificate. The filename following SSLCertificateKeyFile is the server private key. After you locate these files, you can import them into the server-side SteelHead configuration.
    To import the certificate and private key
    On the server-side SteelHead, choose Optimization > SSL: SSL Main Settings in the Management Console.
    Select Add a New SSL Certificate.
    Select Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats).
    Under Import Private Key, select Local File, click Browse, and go to the certificate key file.
    Under Import Public Certificate, select Local File, click Browse, and go to the server certificate file.
    Click Add.
    IIS Certificates and Private Keys
    The following procedures explain how to obtain the server certificate and private key from an IIS Web server and import them into the server-side SteelHead.
    To obtain the server certificate and private key from an IIS Web server
    From the Windows Start > Run menu, enter mmc to launch the Microsoft Management Console (MMC).
    Within the IIS snap-in, go through the tree to the Web server in question. (If the IIS snap-in does not exist, choose File > Add/Remove Snap-in, select the Web server, and click Add.)
    Right-click the server item and select Properties.
    Select the Directory Security tab.
    Select View Certificate.
    Select the Details tab.
    Select Copy to File.
    Select Yes, export private key.
    Both the certificate and the private key are now stored in a single file with the filename you specified. The filename ends with the .pfx extension.
    To import the certificate and private key
    On the server-side SteelHead, choose Optimization > SSL: SSL Main Settings in the Management Console.
    Under SSL Server Certificates, select Add a New SSL Certificate.
    Select Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats).
    Under Import Single File, select Local File, click Browse, and go to the .pfx file.
    Because the .pfx file is not password-protected, you can leave the Decryption Password field blank.
    Click Add.
    Generating Self-Signed Certificates
    In certain situations you might not want to, or might not be able to, use the server's real private key. If that is the case, you can generate a self-signed certificate and private key pair for the server and install them on the server-side SteelHead. Instead of being signed by a real certificate authority, this certificate is signed with the server's own private key, which is why it is called a self-signed certificate.
    During SSL connection establishment, when the server-side SteelHead presents the self-signed certificate to the client (for example, a Web browser), the client cannot verify the authenticity of the certificate. From the client's point of view, security might have been compromised, and the user is typically alerted with a message to this effect.
    Generating Self-Signed Certificates with Apache
    A typical SSL-enabled Apache installation comes with a utility called OpenSSL, which you can use to generate the self-signed certificate. Enter the following command:
    $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
    This command adds two files to the current directory, server.crt and server.key. These files correspond to the certificate and the private key, respectively. The next step is to import the files into the server-side SteelHead configuration.
    To import the certificate and private key
    On the server-side SteelHead, choose Optimization > SSL: SSL Main Settings in the Management Console.
    Under SSL Server Certificates, select Add a New SSL Certificate.
    Select Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats).
    Because the file server.key is not password-protected, you can leave the Decryption Password field blank.
    Click Add.
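The following POSIX shell helpers are an added example, not part of the SteelHead guide; they serve both the Apache procedure earlier in this section (finding the SSLCertificateFile and SSLCertificateKeyFile paths in httpd.conf) and the self-signed certificate just generated. They add the checks worth running before the import: that the key file is not password-protected, so the Decryption Password field can stay blank, and that the certificate and key really belong together. The function names, the awk parsing, the constructed httpd.conf fragment and the -subj/-addext options are assumptions of this example; the openssl CLI is assumed to be installed on the Apache host.

```shell
# Hypothetical helpers, not from the SteelHead guide. Assumes a POSIX shell,
# awk and the openssl CLI (1.1.1+ for -addext) on the Apache host.

# Print "<cert> <key>": the first active SSLCertificateFile and SSLCertificateKeyFile
# values in an httpd.conf; commented-out directives are skipped, quotes stripped.
apache_ssl_files() {
    awk '
        /^[[:space:]]*SSLCertificateFile[[:space:]]/    && !c { c = $2 }
        /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/ && !k { k = $2 }
        END { gsub(/"/, "", c); gsub(/"/, "", k); print c, k }
    ' "$1"
}

# Exit 0 when a PEM private key is password-protected (traditional or PKCS#8
# header). Only then does the SteelHead import need a Decryption Password.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Exit 0 when the certificate's public key equals the private key's, i.e. the two
# files really are a pair (catches a renewed server.crt imported with a stale key).
cert_matches_key() {
    if key_is_encrypted "$2"; then
        echo "$2 is password-protected; decrypt it before comparing" >&2
        return 2
    fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Non-interactive form of the guide's "openssl req -new -x509 -nodes" command with
# a fixed subject, a subjectAltName (browsers ignore a bare CN) and a validity
# period. Usage: self_signed_pair HOST CERT_OUT KEY_OUT [DAYS]
self_signed_pair() {
    openssl req -new -x509 -nodes -days "${4:-365}" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$3" -out "$2" 2>/dev/null
}

# Demo on a constructed httpd.conf fragment (not taken from any real server).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#SSLCertificateFile /etc/foo/bar/old.crt
SSLCertificateFile "/etc/foo/bar/server.crt"
SSLCertificateKeyFile /etc/foo/bar/server.key
EOF
apache_ssl_files "$demo_conf"   # /etc/foo/bar/server.crt /etc/foo/bar/server.key
rm -f "$demo_conf"
```

Run `cert_matches_key server.crt server.key` on the two files you are about to browse to in the Management Console; a non-zero exit means the import would produce a SteelHead that cannot complete the handshake for that server.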
     
    Generating Self-Signed Certificates with IIS
    If you want to generate a self-signed certificate for an IIS-based Web server, you have two options.
    To generate self-signed certificates with IIS
  • Install Cygwin and include the OpenSSL package in the installation. This gives you access to the OpenSSL utility from X.2.1, which you can use to generate the certificate and private key. To install, go to http://www.cygwin.com/.
    —or—
  • Download and install a set of IIS 6.0 Resource Kit Tools from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=17275. This package contains a utility called SelfSSL that you can use to generate a self-signed certificate and private key for a Web server. SelfSSL also automatically installs the certificate for that Web server instance of IIS, so you must follow the steps in X.1.2 to extract the certificate into a file.
    SelfSSL replaces an existing certificate for a Web server instance.