5.3.4 Set Up Your Certificates
There are two ways to set up your site's certificates: create your own and sign them
yourself; or create your own and have a commercial site sign them. Commercial signatures
generally require payment of an annual fee.
Table 5-5 shows a few of the commercial sites that sign certificates. There are many
more than we show here. Use your favorite search engine to find more.
Before you can have your certificate signed, you need to create one. This is required
for a security reason: you should never (and we mean never) send (or in any manner
expose) your private key over the Internet. Remember, your private key is private
and must remain so in order to be safe and effective.
This means that you cannot buy a certificate over the Internet and have it delivered
via email or downloaded to your machine.* Instead, you must create your own certificate,
and then send the public key to the certificate authority to be signed. Doing so
is OK because the public key is world-visible and because the signature needs to be
attached to the public part that is sent to others.
5.3.4.1 Create a certificate
The first step to create your own certificates is to decide where on the filesystem they
may safely be stored. For email purposes, we suggest /etc/mail/CA or a similar path
that is writable only by root, and where the private subdirectory under it is readable
only by root.
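The following script is an added example, not code from the book. It carries out the two points above in the order the text gives them: it lays out the /etc/mail/CA directory with a root-only private subdirectory, generates the private key locally so it never leaves the machine, and produces a certificate signing request (CSR) that carries only the public half, which is the file you send to a commercial CA. It also shows the self-signed alternative. The CA_DIR override, the file names server.key, server.csr and server.crt, the subject mail.example.com, the 2048-bit RSA key size and the 365-day validity are all assumptions chosen for the example; the commands are standard openssl(1) invocations.

```shell
#!/bin/sh
# Added example: certificate setup for a mail host along the lines of the
# text above. CA_DIR defaults to the book's suggested /etc/mail/CA; it can be
# overridden (e.g. to a scratch directory) for testing (assumption).
set -eu

CA_DIR="${CA_DIR:-/etc/mail/CA}"

# Step 1: directory layout. The top directory is writable only by root;
# private/ is readable only by root. chown only succeeds when run as root,
# which is how this would be run on a real mail host.
setup_ca_dir() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs"
    chmod 755 "$CA_DIR" "$CA_DIR/certs"
    chmod 700 "$CA_DIR/private"
    if [ "$(id -u)" -eq 0 ]; then chown -R root "$CA_DIR"; fi
}

# Step 2: create the private key on this machine, mode 0600 from the moment
# it is written (umask in a subshell so the rest of the script is unaffected).
# This file is never transmitted anywhere.
make_private_key() {
    ( umask 077; openssl genrsa -out "$CA_DIR/private/server.key" 2048 2>/dev/null )
    chmod 600 "$CA_DIR/private/server.key"
}

# Step 3: build the CSR. It contains the subject and the public key only;
# this is what you send to the commercial CA for signing. The subject is an
# assumed placeholder.
make_csr() {
    openssl req -new -key "$CA_DIR/private/server.key" \
        -subj "/CN=mail.example.com" \
        -out "$CA_DIR/certs/server.csr"
}

# Alternative to a commercial CA: sign the request yourself (365 days assumed).
self_sign() {
    openssl x509 -req -in "$CA_DIR/certs/server.csr" \
        -signkey "$CA_DIR/private/server.key" \
        -days 365 -out "$CA_DIR/certs/server.crt" 2>/dev/null
}

# Check before sending: the CSR must not contain the private key, and the
# public key inside it must be the one derived from our private key.
verify_csr_is_public_only() {
    if grep -q "PRIVATE KEY" "$CA_DIR/certs/server.csr"; then return 1; fi
    key_pub=$(openssl rsa -in "$CA_DIR/private/server.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$CA_DIR/certs/server.csr" -pubkey -noout)
    [ "$key_pub" = "$csr_pub" ]
}

# Check that the on-disk permissions match the layout the text asks for:
# private/ is mode 700 and the key file is mode 600.
check_permissions() {
    find "$CA_DIR/private" -prune -perm 700 -print | grep -q . || return 1
    find "$CA_DIR/private/server.key" -prune -perm 600 -print | grep -q . || return 1
}

# Run all steps only when invoked as "sh script.sh run"; sourcing the file
# just defines the functions.
case "${1:-}" in
    run)
        setup_ca_dir
        make_private_key
        make_csr
        verify_csr_is_public_only
        check_permissions
        echo "CSR ready to send: $CA_DIR/certs/server.csr"
        ;;
esac
```

After `make_csr`, server.csr is the only file that should ever leave the host; if you choose the self-signed route instead, `self_sign` writes server.crt next to it and nothing is sent anywhere.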