https://URL, this simply means that the owner of the website paid Verisign or someone a large chunk of money. That's it. Unfortunately, the general public aren't aware of this fact, and web browsers don't make them aware of it. Even for advanced users who are aware of this, there are no real tools to assign levels of trust. Instead, there is a binary distinction: authenticated or not authenticated.
Getting some Certificates
Setting up a CAcert.org account
/dev/random and use that as your passphrase. Of course, this isn't memorable, so you should store it in some form of AES-encrypted file (I use kwallet).
mydomain.dom, you now want to generate a server certificate for it, and for subdomains like
# unencrypted, 4096-bit key
openssl genrsa -out privkey.pem 4096
# alternatively, encrypted
openssl genrsa -des3 -out privkey.pem 4096
# generate certificate signing request
openssl req -new -key privkey.pem -out cert.csr
# will ask some questions
# CommonName is domain name!
# display contents
cat cert.csr
cert.csr file. You can then copy the signed server certificate from their website.
privkey.pem file in your favourite text editor and paste the signed certificate (including the delimiter lines) after the existing private key. You can then generally point your application at this file and it will be happy.
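As an added example (not from the original article), the following shell functions drive the steps above (key, CSR, paste the signed certificate after the key) and add the two checks worth running before uploading and before pasting: that the CSR's CommonName really is the intended domain, and that the certificate handed back actually belongs to the private key. The domain, the file names and the use of -subj to skip the interactive questions are my assumptions; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes POSIX sh and openssl.
set -eu

# Generate an RSA key and a CSR whose CommonName is the domain
# (the article's "CommonName is domain name!"). 4096 bits by default.
make_csr() {
    domain=$1; key=$2; csr=$3; bits=${4:-4096}
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    chmod 0400 "$key"                      # private key: owner-read only
    # -subj answers the questions non-interactively (assumed, not in the text)
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$domain"
}

# Extract the CN from a CSR so it can be checked before uploading to CAcert.
# Handles both "subject=/CN=x" and "subject=CN = x" output styles.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# A signed certificate belongs to our key only if both share the same RSA
# modulus; this catches pasting the wrong certificate into privkey.pem.
cert_matches_key() {
    cert=$1; key=$2
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ]
}

# Append the signed certificate (delimiter lines included) after the private
# key, as the article describes, refusing to do so on a key mismatch and
# keeping the combined file readable by its owner only.
combine_pem() {
    key=$1; cert=$2; out=$3
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing: certificate does not match $key" >&2
        return 1
    fi
    ( umask 077; cat "$key" "$cert" > "$out" )
    chmod 0400 "$out"
}
```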
Setting up Specific Applications
Apache 2 Server
SSLEngine On), add the server certificate with the line:
Apache 2 Client Authentication
SSLVerifyClient require
SSLCACertificateFile /usr/share/ca-certificates/cacert.org/cacert.org.crt
SSLOptions +FakeBasicAuth
AuthName "Tourmaline Server Control"
AuthType basic
AuthUserFile /var/www/www.lwithers.me.uk/access/site
Require valid-user
/CN=CAcert WoT User/emailAddress=firstname.lastname@example.org:...
htpasswd2 /passwd/file "/CN=...me.uk"
.pem file (should be owned by e.g. mail:root and mode 0400). Put this somewhere sensible. Then simply edit your configuration files to point at this: