Specifications
Installation instructions for the two most popular Web servers, Apache and IIS, are in
Appendix A, “Installing PHP 4 and MySQL.” You can begin using SSL immediately by
generating your own digital certificate, but visitors to your site will be warned by their Web
browsers that you have signed your own certificate. In order to use SSL effectively, you will
also need a certificate issued by a certifying authority.
The exact process to get this varies between CAs, but in general, you will need to prove to a
CA that you are some sort of legally recognized business with a physical address and that the
business in question owns the relevant domain name.
You need to generate a Certificate Signing Request. The process for this will vary from server
to server. Instructions are on the Web sites of the CAs. Stronghold and IIS provide a dialog
box-driven process, whereas Apache requires you to type commands. However, the process is
essentially the same for all servers. The end result is an encrypted certificate signing
request (CSR). Your CSR should look something like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Armed with a CSR, the appropriate fee, and documentation to prove that you exist, and having
verified that the domain name you are using is in the same name as in the business
documentation, you can sign up for a certificate with a CA.
When the CA issues your certificate, you need to store it on your system and tell your Web
server where to find it. The final certificate is a text file that looks a lot like the CSR shown
previously.
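The command-line route described above for Apache, as an added example that is not from the book: it assumes the OpenSSL command-line tool is installed, and the file names, the subject fields, and the host www.example.com are constructed placeholders. It creates a key and CSR, checks the CSR's self-signature, and confirms that a certificate (here a self-signed test one, later the one the CA returns) carries the same public key as your private key before you point the Web server at it.

```shell
#!/bin/sh
# Added example. www.example.com and "Example Pty Ltd" are constructed placeholders.

# Create an unencrypted 2048-bit RSA key and a CSR for common name $2 in directory $1.
make_csr() (
    umask 077                      # private key readable by its owner only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=AU/O=Example Pty Ltd/CN=$2"
)

# Succeeds only if the CSR's self-signature verifies (the file is intact).
csr_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Self-sign the CSR for testing; browsers will warn about this certificate.
self_sign() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 30 -out "$1/server.crt" 2>/dev/null
}

# Print the SHA-256 of the public key held in a key, csr or cert file.
pubkey_fp() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1      # never hash an empty extraction
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# same_key TYPE FILE TYPE FILE: succeeds if both files hold the same public key.
same_key() {
    a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Usage:
#   make_csr /etc/ssl/mysite www.example.com
#   csr_ok   /etc/ssl/mysite/server.csr          # then send the CSR to the CA
#   same_key key server.key cert issued.crt      # run when the CA's certificate arrives
```

A mismatch reported by `same_key` means the certificate was issued for a different key than the one on the server, which the Web server will refuse to load.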
Auditing and Logging
Your operating system will let you log all sorts of events. Events that you might be interested
in from a security point of view include network errors, access to particular data files such as
configuration files or the NT registry, and calls to programs such as su (used to become
another user, typically root, on a UNIX system).
Chapter 13: E-commerce Security Issues










