CHAPTER 4 Basic Tasks
4.10 Setting up Virtual Server SSL Security
Zeus Web Server enables you to set up 128-bit SSL security [18] on individual Virtual Servers. Zeus Web Server can generate the necessary SSL certificates and private key files for configuring SSL support, and provides an easy way to manage them. It can also deploy these files automatically on every machine in your cluster.
To simplify setting up SSL support for individual Virtual Servers, Zeus Web Server uses SSL certificate sets. Each certificate set consists of an SSL certificate and its associated private key file. Zeus Web Server automatically generates the private key file, and leads you through the process of getting an SSL certificate signed by an external Certification Authority.
Using Certificate Sets
To create and manage certificate sets, use the Certificate Set Management page. Access this by clicking the SSL Certificates link in the Web Controller menu. This page enables you to:
• Create a new certificate set
Zeus Web Server enables you to create certificate sets, automatically generating a private key and an SSL certificate. For more information, see Creating a Certificate Set on page 69.
• Import existing files into a certificate set.
Use this to create a certificate set from any existing private keys and SSL certificates. Do this to enable Zeus Web Server to manage them for you, and automatically deploy them on all the machines in your cluster. For further information, see Importing Existing Files into a Certificate Set on page 71.
• View the currently configured certificate sets
The page displays a table of existing certificate sets, and enables you to configure them. Initially there are no certificate sets defined. For more information about this, see Managing Certificate Sets on page 71.
Creating a Certificate Set
Before you can use SSL security on a Virtual Server you must create a certificate set, composed of a private key and an SSL certificate. Zeus Web Server generates the private key file for you, and enables you to select which type of SSL certificate to create, from the following:
• A self-signed certificate
Self-signed certificates are simple and fast to create, but are only useful for security testing on your system, and should not be used for live web sites. If you use a self-signed certificate to secure your web site, visitors may see a warning when they first view the web pages, because the certificate has not been signed by a recognized Certificate Authority (CA). Users will need to accept the certificate to continue viewing the web site. If you create a self-signed certificate, you can upgrade it to a signed certificate later. For information on how to do this, see Issuing a Certificate Signing Request on page 72.
• A certificate signed by VeriSign
Certificates signed by VeriSign can be used to implement SSL security on live web sites. Zeus Web Server leads you through the process of requesting a signed certificate from the VeriSign web site. Once the request has been made, you may have to wait several days before receiving the certificate. Note that VeriSign charge for this service.
• A certificate signed by another Certification Authority
Signed certificates, suitable for implementing SSL security on live web sites, can be obtained from a number of Certification Authorities other than VeriSign. Zeus Web Server enables you to generate a Certificate
the response you receive. For further details, see Issuing a Certificate Signing Request on page 72.
To create a certificate set, do the following:
1) On the Certificate Set Management page, click the Create button.
2) Choose whether you want to create a self-signed certificate, or one signed by a CA, by clicking the appropriate radio button, then click the OK button.
3) Enter the required SSL certificate information, as described in Entering Certificate Set Information on page 70, and follow the on-screen prompts to complete the process.
The new certificate set appears in the list of certificate sets on the certificate set management page.
Entering Certificate Set Information
When creating a certificate set, enter the following information:
• The certificate set name. This is used within Zeus Web Server to refer to the certificate set. The name must be unique, and can contain letters, numbers, hyphens, dots and underscores, but no spaces. It also cannot start with an underscore.
• The web site name. This is the name of the web site that this certificate is registered to. Enter just the host name, without any directories, for example, www.zeus.com.
• The name of your organization. This is the full legal name of your company or organization, and should not contain abbreviations except Inc., Corp., and so on.
• Your organizational unit. This optional field identifies your department within your organization.
• Your location. This is the full name of your town or city.
• Your state or province. This field is optional if you are located outside the United States.
• Your country. This must be entered as a standard two letter country code [19].
• The private key size. Select the size of the private key that Zeus Web Server generates. A larger private key is more secure than a smaller one, but can make SSL transactions slower.
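The fields above are the subject of a Certificate Signing Request. As an added example (not part of the Zeus documentation), the following sketch builds the same key and CSR with the `openssl` command-line tool, which is an assumption here since the manual only describes the Web Controller forms; the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: private key + CSR built from the certificate set fields.
LC_ALL=C; export LC_ALL   # keep [A-Z] style ranges byte-exact

# valid_set_name NAME: letters, digits, hyphens, dots and underscores only;
# not empty, no spaces, no leading underscore (the naming rule listed above).
valid_set_name() {
    case "$1" in
        ''|_*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_csr DIR SETNAME HOST ORG UNIT CITY STATE COUNTRY BITS
# UNIT and STATE may be empty, since both are optional on the form.
make_csr() {
    dir=$1 name=$2 host=$3 org=$4 unit=$5 city=$6 state=$7 country=$8 bits=$9
    valid_set_name "$name" || { echo "invalid set name: $name" >&2; return 1; }
    case "$host" in
        ''|*/*) echo "host name only, no directories: $host" >&2; return 1 ;;
    esac
    case "$country" in
        [A-Z][A-Z]) ;;
        *) echo "country must be a two-letter code: $country" >&2; return 1 ;;
    esac
    # Optional fields are left out of the subject when empty.
    subj="/C=$country${state:+/ST=$state}/L=$city/O=$org${unit:+/OU=$unit}/CN=$host"
    # Subshell: the restrictive umask applies only while the key is written.
    # -nodes leaves the key unencrypted, so file permissions are its only guard.
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -nodes \
          -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" )
}

# csr_subject FILE: print the subject for review before the CSR goes to a CA.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}
```

A call such as `make_csr /tmp shop-site www.example.com "Example Widgets Inc." "" Cambridge "" GB 2048` uses constructed values; a field containing `/` would need escaping in the `-subj` string.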
Importing Existing Files into a Certificate Set
If you have existing pairs of private keys and SSL certificate files, import each pair into a certificate set so that you can use them with Zeus Web Server. You can do this by clicking the Import button and then doing one of the following:
• You can upload the files into a certificate set, so that they are fully managed by Zeus Web Server. This is recommended because it enables Zeus Web Server to automatically deploy the files onto other machines in your cluster, when necessary.
• You can create an unmanaged certificate set by specifying the location of the files, but without Zeus Web Server managing them in any way. If you do this, it is your responsibility to copy the files to the correct location on all the machines in your cluster.
Note: Specifying a directory instead of a file when importing files into a Certificate Set may confuse your browser and cause it to lock up.
Managing Certificate Sets
The certificate set management page displays details of all the currently configured certificate sets. It enables you to create new ones and delete existing ones, as well as helping you with the process of getting certificates signed.
[19] The ISO3166 country code list can be found at: http://www.iso.org/iso/en/prods-services/iso3166ma/02iso-3166-code-lists/list-en1.html.
The table of configured certificate sets displays the following details for each one:
• The certificate set name. Click this link to view details about the SSL certificate contained within the certificate set.
• The certificate’s web site. An SSL certificate is registered to a web site, and can only be used to provide security for that web site.
• How the SSL certificate was signed.
• When the SSL certificate expires. This is displayed in red if the certificate is to expire within the next month.
• A link to an action that can be performed on this certificate in order to sign it. If the certificate set is self-signed, this is a link to the certificate signing request page (see Issuing a Certificate Signing Request on page 72 for details). If the certificate is part of the way through a signing request, use this link to continue the signing process.
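For unmanaged certificate sets, or before importing an existing pair, the same checks can be made by hand. This added example (not from the Zeus documentation) uses the `openssl` command-line tool, an assumption here, to confirm that a private key and certificate belong together, that both paths are files rather than directories, and whether the certificate expires within the next month, as the table highlights. All function names are hypothetical and the sample pair is constructed.

```shell
#!/bin/sh
# Added example: pre-import checks for an existing key/certificate pair.

# make_sample_pair PREFIX DAYS: constructed self-signed pair for trying the checks.
make_sample_pair() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
          -keyout "$1.key" -out "$1.crt" -subj "/CN=www.example.com" 2>/dev/null )
}

# pair_matches KEY CERT: 0 if the public key derived from KEY is the one in CERT,
# 1 if it is not, 2 if either file cannot be parsed.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# expires_soon CERT DAYS: 0 if CERT expires (or is unreadable) within DAYS days.
# -checkend exits 0 only when the certificate is still valid after that many seconds.
expires_soon() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_pair_for_import KEY CERT
# Returns 3 for a path that is not a regular file, 1 for a mismatched or
# unparsable pair, 0 otherwise; warns when expiry is less than 30 days away.
check_pair_for_import() {
    for f in "$1" "$2"; do
        [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 3; }
    done
    pair_matches "$1" "$2" || {
        echo "private key and certificate do not match" >&2; return 1; }
    if expires_soon "$2" 30; then
        echo "warning: certificate expires within 30 days" >&2
    fi
    # Show which web site the certificate is registered to and when it expires.
    openssl x509 -in "$2" -noout -subject -enddate
}
```

Running `make_sample_pair /tmp/demo 10` followed by `check_pair_for_import /tmp/demo.key /tmp/demo.crt` prints the subject and end date together with the expiry warning.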
Deleting a Certificate Set
To delete a certificate set, click its Delete check box, then click the Delete button. This removes the certificate set from the list, and deletes its private key and SSL certificate files.
Issuing a Certificate Signing Request
To get an SSL certificate signed by a Certification Authority (CA), send them a Certificate Signing Request (CSR). Zeus Web Server automatically generates this for you when you are creating a signed certificate. The CSR appears in a standard text format that you copy and paste into the Certification Authority’s web site. The CSR contains all the details that you entered when creating the SSL certificate.
Once the CA has returned a signed certificate to you, copy and paste it into the Signed Certificate section of the Getting Your Certificate Signed by a Certification Authority page. Click the OK button to update the certificate