
Installing the U.S./Canada SSL Module

See the latest News which includes information about the SSL status.


SSL Installation Process:
  1. Get the SSL module: See the latest News which includes information about the SSL status.

  2. Install the SSL module: See the latest News which includes information about the SSL status.

  3. Configure a virtual server with the ordinary nssock driver: You must access the virtual server you are enabling SSL on through the ordinary sockets driver until SSL is properly configured. Once SSL is configured, you may remove the nssock module.

    Access the setup server by opening the /NS/Setup URL from any browser. The setup server is normally listening on port 9876. Either create a new virtual server and load the nssock module in it, or choose an existing virtual server with the nssock module already loaded. For information on configuration, see Chapter 3. For details on configuring the nssock module, see the "Setting a Port or IP Address for a Virtual Server (nssock module)" section.

  4. Load the SSL module into the virtual server: While still in the setup server, add the SSL module to the virtual server you want to enable SSL on. The SSL module will not listen on a port yet, but it will add the administrative utilities that you need to configure it. Then, manually restart AOLserver to see the effects of your changes.

  5. Open the AOLserver Administration page: After you restart the AOLserver, open the AOLserver Administration page on the virtual server that has the SSL module loaded by opening the /NS/Admin URL. The Administration page will now have a new link for the SSL module called Secure Socket Layer Control.

  6. Install the Server Key: SSL uses public key cryptography, so you will need an RSA key pair (a public key and a private key). Either generate a new key pair or convert the key of an existing Netscape server.

    To generate a new key pair:

    1. Follow the Secure Socket Layer Control link from the Administration page.

    2. Follow the Generate a new key pair link.

    3. Fill out and submit the form. It can take as long as a minute for the key pair to be generated, so don't worry when the server doesn't respond immediately.

      Filename: The server private key (which contains the server public key) is saved in PEM format. We recommend that you use a file name like <server_home>/servers/<virtual server name>/key.pem

      Modulus size in bits: This specifies the size of the server's public and private keys, not the size of the session keys used during transactions. This documentation originally recommended 1024; 1024-bit RSA is no longer considered adequate, so use 2048 bits or more.

    4. Write down the key file name here. Later, you'll need to enter the filename to complete configuration of the SSL module.

      Key File: ___________________________________________________

    To convert an existing Netscape key instead:

    1. Follow the Secure Socket Layer Control link from the Administration page.

    2. Follow the Change key format link.

    3. Fill out and submit the form. Select the "Netscape format" radio button for input and the "PEM format" radio button for output. The Netscape key requires a pass phrase (password); AOLserver does not require one, and the converted PEM key is written without one. Because the key file is then stored in the clear, make it readable only by the account the server runs as.

      Input Filename: The pathname of the Netscape key. It's usually ServerKey.der. On Windows NT, for instance, it's probably something like:

          c:\netscape\ns-home\https-443\config\ServerKey.der
      

      Output Filename: The server private key (which contains the server public key) is saved out in PEM format. We recommend that you use a file name like:

          <server home>/servers/<virtual server name>/key.pem
      

    4. Write down the key file name here. Later, you'll need to enter the filename to complete configuration of the SSL module.

      Key File: ___________________________________________________

    After you have a key, you need to tell the AOLserver where to find it. Access the Setup Server by opening the /NS/Setup URL on any browser. The Setup Server usually runs on port 9876. Choose the virtual server with the SSL module loaded and specify the key in the KeyFile parameter of the SSL module.

  7. Install the Server Certificate: To prove its identity to the client, the server needs a certificate signed by a trusted third party (a Certification Authority). Either request a new certificate or convert the certificate of an existing Netscape server.

    To request a new certificate:

    1. Follow the Secure Socket Layer Control link from the Administration page.

    2. Follow the Generate a certificate request link.

    3. Fill out and submit the form. The certificate request consists of your Distinguished Name and the server's public key, signed with the server's private key; it is sent to the CA (Certification Authority). The CA verifies the information in the Distinguished Name and then issues a certificate binding that name to your public key, signed with the CA's own private key. That certificate is emailed back to you as the server certificate.

      Key Info's Filename: The filename of the server private key, which you wrote down in an earlier step.

      Certificate Info's Filename: The certificate request is saved in PEM format, base64 text between BEGIN and END lines that looks much like a uuencoded file, so it can be sent by email. Email the output file to aolserver-request-id@verisign.com.

      Common Name: Enter the fully qualified DNS host name of the server (e.g., hostname.verisign.com). Browsers compare this name with the host in the URL, so it must match exactly the name users will connect to. The wild card character "*" is no longer supported in the Common Name field.

      Organization: The Organization Name you specify should be the legal name that your organization is registered as. An organization can be a corporation, a limited partnership, etc.; in each case it is registered with some authority at the state, country, or city level. The formal name of the organization must be used in the Organization Name field, and VeriSign will ask for the document that proves this registration.

      Organizational Unit: The Organizational Unit (or Org-unit) field is optional. This field can be used to differentiate between different divisions within an organization, for example "Electronic Commerce Pilot" or "Human Resources". This field is also recommended to be used for specifying a DBA (Doing Business As...) value. There are no specific requirements as to the use of this field.

      Locality: The Locality field is also optional in most situations. This field usually denotes the city that the organization resides in. If the organization only has local-standing by virtue of having a business license registered with the city (and not with the state or province), then the Locality field must contain the name of the city. The State or Province field must be included if the Locality field is used.

      State Or Province: The State or Province field is not optional in most cases. If the organization is registered with ANSI, the state is optional; if you do not know whether it is, your organization is most likely not registered with ANSI. If your organization is incorporated in Delaware but has a DBA (Doing Business As...) in California, use California. Do not abbreviate: "CA" is not a valid state name, "California" is.

      Country: The X.500 naming scheme requires a 2-character country code. The code for the United States is US, for Canada CA. If you are in a different country and do not know your country code, send email to webmaster@verisign.com.

    4. Email the output file to aolserver-request-id@verisign.com. You should get an automatic reply which tells you which documents to send to VeriSign. Please allow 3 to 5 working days to get your digital certificate via email.

    To convert an existing Netscape certificate instead:

    1. Follow the Secure Socket Layer Control link from the Administration page.

    2. Follow the Change certificate format link.

    3. Fill out and submit the form. Select the "Netscape format" radio button for input and the "PEM format" radio button for output.

      Input Filename: The pathname of the Netscape certificate. It's usually ServerCert.der. On Windows NT, for instance, it's probably something like:

          c:\netscape\ns-home\https-443\config\ServerCert.der 
      

      Output Filename: The server certificate is saved out in PEM format. We recommend that you use a file name like:

          <server home>/servers/<virtual server name>/cert.pem
      

    4. Write down the certificate file name here. Later, you'll need to enter the filename to complete configuration of the SSL module.

      Certificate File: _____________________________________________

    After you have a certificate, you need to tell the AOLserver where to find it. Access the Setup Server by opening the /NS/Setup URL on any browser. The Setup Server usually runs on port 9876. Choose the virtual server with the SSL module loaded and specify the certificate in the CertFile parameter of the SSL module.

  8. Optionally, remove the sock driver: Once your SSL-configured virtual server is completely configured, you may delete the nssock module from that virtual server, because it is no longer needed. You can also leave both the nssock and nsssl modules loaded if you want the server to listen on both secured and unsecured ports; bear in mind that the same content is then reachable in the clear on the unsecured port.

    To remove the sock driver, access the Setup Server by opening the /NS/Setup URL on any browser (usually port 9876), choose the virtual server with the SSL module loaded, and delete the nssock module.
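The key, certificate request and file checks from steps 6 and 7, worked through as an added example; this is not part of the original AOLserver documentation and is not the SSL module's own code. It uses only the Go standard library. The Distinguished Name values are constructed placeholders, the function and file names are this example's own, the CA's role is simulated by self-signing the request so that everything runs offline, and the 2048-bit floor in GenerateKey is this editor's, not the page's. CheckPair is the check worth running on the two files before you enter them into the KeyFile and CertFile parameters: it insists that each file is PEM (not the Netscape DER format the conversion steps start from), that the certificate carries the public half of the key, and that the certificate is issued for the host name in the Common Name.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Distinguished Name as entered on the request form (constructed placeholder values).
var subject = pkix.Name{
	CommonName:         "www.example.com",               // fully qualified host name, no "*"
	Organization:       []string{"Example Corporation"}, // legal registered name
	OrganizationalUnit: []string{"Electronic Commerce Pilot"},
	Locality:           []string{"Dulles"},
	Province:           []string{"Virginia"}, // spelled out, not "VA"
	Country:            []string{"US"},       // two-character code
}

func writePEM(path, typ string, der []byte, mode os.FileMode) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), mode)
}

// loadPEM reads a file, insists it is PEM of the expected type (not Netscape DER) and parses it.
func loadPEM[T any](path, typ string, parse func([]byte) (T, error)) (T, error) {
	var zero T
	data, err := os.ReadFile(path)
	if err != nil {
		return zero, err
	}
	if b, _ := pem.Decode(data); b != nil && b.Type == typ {
		return parse(b.Bytes)
	}
	return zero, fmt.Errorf("%s is not a PEM %q file", path, typ)
}

// GenerateKey is "Generate a new key pair". The file has no pass phrase, so the key
// sits on disk in the clear and gets owner-only permissions. The 2048-bit floor is ours.
func GenerateKey(keyFile string, bits int) (*rsa.PrivateKey, error) {
	if bits < 2048 {
		return nil, fmt.Errorf("%d-bit modulus is too small; use at least 2048", bits)
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return key, writePEM(keyFile, "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key), 0o600)
}

// CertificateRequest is the PKCS#10 request: Distinguished Name plus public key,
// signed with the private key, saved in PEM so it can be mailed to the CA.
func CertificateRequest(key *rsa.PrivateKey, csrFile string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: subject, DNSNames: []string{subject.CommonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return der, writePEM(csrFile, "CERTIFICATE REQUEST", der, 0o644)
}

// IssueCertificate stands in for the CA so the example runs offline: it verifies the
// request's signature, copies subject and public key into a certificate and signs it
// with signer. Signing with the server's own key gives a self-signed certificate.
func IssueCertificate(csrDER []byte, signer *rsa.PrivateKey, certFile string) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err = csr.CheckSignature(); err != nil {
		return fmt.Errorf("request signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, signer)
	if err != nil {
		return err
	}
	return writePEM(certFile, "CERTIFICATE", der, 0o644)
}

// CheckPair reads KeyFile and CertFile the way the server will and confirms the
// certificate carries this key's public half and was issued for host.
func CheckPair(keyFile, certFile, host string) error {
	key, err := loadPEM(keyFile, "RSA PRIVATE KEY", x509.ParsePKCS1PrivateKey)
	if err != nil {
		return err
	}
	cert, err := loadPEM(certFile, "CERTIFICATE", x509.ParseCertificate)
	if err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("%s does not hold the public key of %s", certFile, keyFile)
	}
	return cert.VerifyHostname(host)
}

func main() {
	dir, _ := os.MkdirTemp("", "aolserver-ssl")
	key, err := GenerateKey(dir+"/key.pem", 2048)
	if err != nil {
		panic(err)
	}
	csr, err := CertificateRequest(key, dir+"/request.pem")
	if err != nil {
		panic(err)
	}
	if err = IssueCertificate(csr, key, dir+"/cert.pem"); err != nil {
		panic(err)
	}
	fmt.Println("files in", dir, "check:", CheckPair(dir+"/key.pem", dir+"/cert.pem", subject.CommonName))
}
```

Run it with go run; it prints the temporary directory holding key.pem, request.pem and cert.pem and the result of the check (nil when everything lines up). In real use you would mail request.pem to the CA, replace the self-signed cert.pem with the certificate the CA returns, and rerun CheckPair on that file before restarting the server.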


Copyright © 1996 America Online, Inc.