Web Server Management: Securing Access to Web Servers

Jon Warbrick

University of Cambridge Computing Service

This course covers the "HTTPS" (secure HTTP) protocol, which can protect communication between web browsers and web servers. This is presented from the point of view of a web server administrator who wishes to configure servers to support such communication. The course includes an outline of the operation and features of the protocol, and covers the practical configuration of an Apache server under Linux. The general principles covered apply to Apache on other platforms, and to other web servers, thought the details will vary.

The course covers other aspects of web server security only in passing, and does not cover general web server installation or configuration issues. A basic understanding of the way that web servers operate, along with some experience of configuring and administering such servers, either on shared or personal machines, is assumed.

The course web site at http://www-uxsup.csx.cam.ac.uk/~jw35/courses/using_https/ contains an up-to-date copy of these notes and related resources. Requests for assistance by members of the University on the material covered here can be e-mailed to

Table of Contents
1. Orientation
1.1. What is HTTPS?
1.2. What does HTTPS give you?
1.3. A heads-up about security in general
1.4. The problem with politics
2. A crash course in cryptography
2.1. Symmetric ciphers
2.2. Public-key ciphers
2.3. Key exchange
2.4. Message digests
2.5. Digital signatures
2.6. Public key certificates
2.7. Certification Authorities and "Public Key Infrastructure"
2.8. The TLS process
2.9. The downside of using HTTPS
3. Creating keys and certificates
3.1. Creating a RSA public key pair
3.2. Viewing the key pair
3.3. Creating a CSR
3.4. Creating a key and a CSR at the same time
3.5. Viewing the CSR
3.6. Getting a real certificate
3.7. Viewing the certificate
3.8. Self-signed certificates
4. Configuring Apache to support TLS
4.1. Basic Apache configuration
4.2. Virtual hosts and HTTPS
4.3. Initial HTTPS configuration
4.4. Tuning the configuration
4.5. Working around browser bugs
4.6. Logging
4.7. Doing HTTP and HTTPS for the same hostname
4.8. Client Certificates
5. Other issues
5.1. Additional Directives
5.2. Proxying HTTPS
5.3. Extended Validation
5.4. Server Gated Cryptography
A. References and further information
A.1. Certification Authorities
A.2. General information on cryptography, SSL and HTTPS
A.3. Software
A.4. Standards