HTTPS

HTTPS is an encrypted version of HTTP implemented through the Secure Socket Layer, SSL, standard. The encrypted secure connection is created by running an ordinary HTTP connection on top of an encrypted SSL connection. Except for this, HTTPS is like HTTP.

Creating an HTTPS port
To set up an HTTPS port you enter the protocol, HTTPS, and the port number, by default 443, just as you would for an HTTP port. When you press the Use these values button you will get two new options, Certificate file and Key file. If your certificate file also contains your private RSA key you only need to fill in the Certificate file option; otherwise you will have to fill in both. The demo certificate included with Challenger contains the private RSA key, while the certificates you get from a Certificate Authority do not. It is not possible to run HTTPS IP-less. This is because the certificate contains the name of the web site, and the certificate is used before the server gets a chance to see the Host header of the HTTP protocol.

Certificates
One fundamental property of secure communication is that you must be certain whom you are communicating with. On the Internet you use DNS to find a web server, but DNS is not secure. Therefore, you need to be able to check that DNS really connected you to the right web server.

This is done through certificates. A certificate is digitally signed by a Certificate Authority, and contains information about the web server. The browser can check that the information and the digital signature are correct, as long as it knows about the Certificate Authority that has issued the certificate.

In order to get a real certificate, you must first create a certificate signing request and then send that request to a Certificate Authority, who will then check that you are whom you claim to be, and then give you a certificate that they have digitally signed.

It is also possible to create your own self-signed certificates. This goes against the whole idea of certificates, since they don't really provide any added security. Therefore browsers will show a warning dialog when they encounter a web site with a self-signed certificate. But the self-signed certificate might do until you get a real certificate.

Generating an RSA key pair
The certificates and digital signatures used are based upon public key cryptography and the RSA algorithm. It essentially works by creating a key pair, where one key can decrypt what the other key has encrypted. One key in the pair becomes your public key, which you give to the world; the other becomes your private key, which you keep secret. This last point, keeping your private key secret, is important, because anyone who has your private key can decrypt the traffic from your web site, even though you are using HTTPS. You should consider running your secure web server on a machine with few users and high security, to make it hard for others to get hold of the private key. If you want many users to be able to modify the web site, it is advisable to run an extra, separate server for the HTTPS part. That server could then use the HTTP Relay module to relay requests to the normal web server.

You can generate an RSA key pair with the Security/Generate a new RSA key pair... action. Hold on to the key pair, since you will need it later, after you get your signed certificate.


Requesting and generating certificates

Creating a certificate signing request
The next step is to create a certificate signing request. This is done through the Security/Generate a Certificate Signing Request for an RSA key... action. You will need an RSA key pair to run this action. The action will prompt you for information about your organization and your web site. When you have filled in all the information it will generate a standard certificate signing request that you can send to a Certificate Authority, such as VeriSign or Thawte.

Creating a self-signed certificate
You create a self-signed certificate with the action Security/Generate a RSA key and a self-signed certificate.... It creates an RSA key file as well as a certificate file.

Demo certificate
Included with Challenger is a demo certificate, server/demo_certificate.pem. It will be used by the installation script when installing a Challenger server which uses HTTPS for its configuration port. It should, however, be replaced as soon as possible with a self-signed certificate, or even better a real certificate. Since anybody who downloads Roxen Challenger gets the same certificate, and with it the same private key, it is possible to eavesdrop on the encrypted traffic if the demo certificate is used.
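As an added example that is not part of the Challenger documentation or the product itself: a small Python script that inspects a PEM file to tell whether it holds a certificate, a private key, or both (which decides whether the Key file option must be filled in, as described under "Creating an HTTPS port"), and compares the certificate's SHA-256 fingerprint against a set of known shared certificates, which is one way to check that the demo certificate is no longer in use. The PEM bodies and the fingerprint set are constructed placeholders, not a real certificate or key.

```python
import base64
import hashlib
import re

# One PEM block; the label is e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(pem_text):
    """Return (label, der_bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in _PEM_BLOCK.findall(pem_text)]


def classify_certificate_file(pem_text):
    """Tell how to fill in the Certificate file / Key file options.

    needs_key_file is True when the certificate file carries no private
    key, so the key must be supplied through the separate Key file option."""
    labels = {label for label, _ in pem_blocks(pem_text)}
    has_cert = "CERTIFICATE" in labels          # a CSR ("CERTIFICATE REQUEST") does not count
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return {"has_certificate": has_cert,
            "has_private_key": has_key,
            "needs_key_file": has_cert and not has_key}


def certificate_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in the file."""
    return [hashlib.sha256(der).hexdigest()
            for label, der in pem_blocks(pem_text) if label == "CERTIFICATE"]


def uses_known_shared_certificate(pem_text, shared_fingerprints):
    """True if any certificate in the file matches a fingerprint in the set
    (for example the fingerprint of the demo certificate every download ships)."""
    return any(fp in shared_fingerprints
               for fp in certificate_fingerprints(pem_text))


# Constructed sample input: the base64 bodies are arbitrary bytes, not a real
# certificate or key; the functions only look at PEM labels and DER hashes.
SAMPLE_CERT_AND_KEY = """\
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
CgsMDQ4PEBESEw==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CERT_ONLY = SAMPLE_CERT_AND_KEY.split("-----BEGIN RSA")[0]

if __name__ == "__main__":
    print(classify_certificate_file(SAMPLE_CERT_AND_KEY))  # key included: Key file not needed
    print(classify_certificate_file(SAMPLE_CERT_ONLY))     # CA-issued style: Key file needed
```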