Michael Doran Home Page
This page is deprecated: please read archives disclaimer.

Adding SSL to Apache for WebVoyage, a VUGM 2001 Technical Session

Certificates

"I yam who I yam." -- popeye.com

  Public Key Infrastructure

Encryption may solve the privacy problem while our communications traverse the internet, but what if the person on the other end of the connection is not who we think they are? We also need to ensure that the "person" decrypting our bank account number and PIN is our bank and not an imposter website.

Authenticating identities is addressed via a public-key infrastructure of which Secure Sockets Layer is a component. A public-key infrastructure (PKI) integrates public-key cryptography (e.g. SSL), digital certificates, and certificate authorities into a unified security framework.

A digital certificate is a signed assertion about a public key. It may say (for example), "This secure communication is with the server rocky.uta.edu at the University of Texas at Arlington Libraries." But since anyone can create a digital certificate, what's to prevent us from fibbing? Nothing is -- that's why there are certificate authorities.

A certificate authority (CA) acts as an independent third party who validates identities. A digital certificate issued (i.e. signed) by a CA binds a particular public key to a verified server, individual, or organization.

The frugal among you may say, "Hey, I'm trustworthy, so why can't I be my own CA and save some money?" You can do that; however, the practical effect is that browsers will issue a security alert when a user first tries to access a secured page on your site, because your CA is not in the browser's list of trusted signers.

  Certificate Authorities

Certificate Authority (1)   40-bit   128-bit (2)   Free trial   Texas (3,4)
Baltimore Technologies      N/A      $349          30 day       Yes
Digital Signature Trust     N/A      $175          No           Yes
Equifax Secure              N/A      $99           14 day       No
Thawte Consulting           $125     $300          Yes          No
VeriSign                    $349     $895          14 day       Yes

The certificate authority web sites have instructions for purchasing and installing the digital certificate. See, for example, the Baltimore Technologies instructions or the VeriSign instructions.

Certificates are valid for one year, and each SSL-enabled server requires a certificate. Prices accurate as of April 2, 2001. Renewal prices and/or the price of additional certificates may be less.

The CA web sites may come up short regarding how to generate a key and Certificate Signing Request (CSR) for Apache with mod_ssl. For additional help, see:

  • the man page for openssl
  • the README.CSR file (/your_path_to/apache/conf/ssl.csr/README.CSR)
  • VeriSign's modssl and ApacheSSL instructions (These two make more sense taken together than they do separately.)
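
As an added example (not code from the original page or from any of the CAs listed), the following shell script walks through the key and CSR generation just described, then plays the "be your own CA" role from the earlier section by signing the CSR with a private root and running the same chain check a browser performs. The hostname, organization names and working directory are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the original page: generate a server key and CSR for
# an Apache/mod_ssl host, act as a private CA ("be your own CA"), sign the CSR,
# then run the chain check a browser performs. Hostname, organisation names and
# the working directory are assumptions for illustration only.
set -e
WORK="${WORK:-$(mktemp -d)}"
SRV_HOST="${SRV_HOST:-rocky.example.edu}"

# 1. Server key plus Certificate Signing Request: the CSR is what you would
#    submit to a commercial CA. Returns non-zero if the CSR's own signature is bad.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=US/ST=Texas/O=Example Libraries/CN=$SRV_HOST" 2>/dev/null
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# 2. A private CA: a self-signed root certificate and its key ($1 = file stem).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/C=US/ST=Texas/O=$1/CN=$1 Root" 2>/dev/null
}

# 3. The CA signs the CSR, binding the server's public key to its hostname.
#    The subjectAltName extension is what modern browsers match against the URL.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$SRV_HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# 4. The browser-side check: does the server certificate chain to a root we
#    trust? A root the browser does not have is exactly what produces the
#    security alert the text mentions. $1 = trusted root certificate file.
verify_chain() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Subject CN as shown in the browser's certificate dialog.
cert_cn() {
  openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

run_demo() {
  make_csr && make_ca ca && sign_csr
  verify_chain "$WORK/ca.crt" && echo "chain OK for $(cert_cn)"
}
```

Run `run_demo` to produce the files under `$WORK`; verifying `server.crt` against any root other than `ca.crt` fails, which is the untrusted-signer condition a browser reports.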

  Browser and server support

If the CA web site does not explicitly list Apache as a supported server, look for Stronghold (the commercial version of Apache with mod_ssl). If Stronghold is supported, you should be okay.

Most of the CAs are forthright about browser and/or browser version support. VeriSign seems to offer the most support for older versions of Internet Explorer and Netscape Navigator.

It's easy to check which CAs a particular browser trusts (and also to discover CAs in addition to those listed above). In Netscape select Security > Certificates > Signers. In Internet Explorer select Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.

  Notes
  1. There are many more certificate authority services than the ones listed here. VeriSign is generally considered the leading provider.

  2. With a 128-bit certificate, you get a possible 40, 56, or 128-bit SSL connection, depending on the user's browser.

  3. A "Yes" means the Certificate Authority is on the approved list of PKI service providers for official State of Texas websites.

  4. According to SRRPUB11, "...[State of Texas] government entities should plan on using 128 bit encryption and/or provide a warning to the user if they elect to provide information using only 40 bit encryption."

Quote note: The fictional Popeye actually said, "I yam what I yam," but "who" seemed more germane to a discussion about identities. My apologies to the Popeye purists. -- mdd