CAcert
Assurer
http://www.pengdows.com/images/cacert-wotseal73.gif
I'm a CAcert assurer, able to attribute you up to 35 points as I have 150 points
- I passed the CATS Challenge with 100% (it requires 80%, I did 84% then 84% then 88% then 100% and got bored ;-) )
Misc info
- What can CAcert provide to you, to increase your privacy and security for free?
- The Education Client Certificate I should use to encrypt my request for an official "paper" certificate (to have passed the test, not a digital certificate!)
I copied the link here as I could not right-click on their page to save it...
- Get the client certificate out of Firefox/Iceweasel as a PKCS #12 backup file and convert it to PEM (in this example the key is written without a password!)
openssl pkcs12 -in mycert.p12 -nocerts -nodes -out mycert.key.pem
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mycert.p12 -cacerts -nokeys -out mycert.ca.pem
- For server certificates: if using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments. Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem
SSLCertificateKeyFile <Path to your key file>/example_key.pem
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
- See here for the csr.sh script to generate proper requests
- See Using CACert certificates with OpenVPN
old story
- I tried to get the client certificate out of Firefox/Iceweasel as it repeatedly told me "Failed to create the PKCS #12 backup file for unknown reasons"
The bug is now solved: #469079: remove libnss3 and keep only libnss3-1d
Alternatives
Forms
python3 -c "import sys, urllib.parse as ul; name=ul.quote_plus(sys.argv[1]); dob=sys.argv[2]; email=ul.quote_plus(sys.argv[3]); \
assurer=ul.quote_plus('Philippe Y. F. Teuwen'); print('https://secure.cacert.org/cap.php?name='\
+name+'+&dob='+dob+'&email='+email+'&assurer='+assurer+'+&date=now&maxpoints=35')" "Firstname Lastname" yyyy-mm-dd email@address
Personal notes
When renewing the certificate, change it in:
- Apache config:
- /etc/apache2/ssl/myserver.crt
- /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: CAcert_chain.pem
/etc/init.d/apache2 restart
- Exim config:
- /etc/exim4/exim.crt
/etc/init.d/exim4 restart
- IMAP config:
- /etc/courier/imapd.pem Beware: this file also contains the private key! Overwrite only the certificate section!
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
- OpenVPN config:
- /etc/openvpn/myserver.pem
- /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: CAcert_chain.pem
/etc/init.d/openvpn restart
- Global CA list:
mkdir /usr/local/share/ca-certificates/cacert.org
wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
update-ca-certificates
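The IMAP note above warns that /etc/courier/imapd.pem also holds the private key and that only the certificate section should be overwritten. One way to do that with a check that the renewed certificate matches the existing key, as an added example that is not part of the original notes: the function names are made up here, and it assumes `openssl` is on the PATH and the key in the file is unencrypted.

```shell
#!/bin/sh
# Added example, not from the original page. Usage (as root):
#   replace_cert /etc/courier/imapd.pem renewed.crt.pem

# Succeed only if the certificate in $1 carries the public key of the key in $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print $1 with its CERTIFICATE block(s) replaced by those found in $2.
# The private key, DH parameters and any other block keep their place.
splice_cert() {
    awk -v new="$2" '
        function emit(   l, k) {        # copy only the CERTIFICATE blocks of "new"
            while ((getline l < new) > 0) {
                if (l ~ /^-----BEGIN CERTIFICATE-----/) k = 1
                if (k) print l
                if (l ~ /^-----END CERTIFICATE-----/) k = 0
            }
            done = 1
        }
        /^-----BEGIN CERTIFICATE-----/ { skip = 1; if (!done) emit() }
        !skip { print }
        /^-----END CERTIFICATE-----/ { skip = 0 }
        END { if (!done) emit() }' "$1"
}

# replace_cert COMBINED NEWCERT: checked in-place replacement, keeps COMBINED.bak.
replace_cert() {
    combined=$1; newcert=$2
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$combined" ||
        { echo "no private key in $combined" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$newcert"; then
        echo "$newcert contains a private key, refusing" >&2; return 1
    fi
    cert_matches_key "$newcert" "$combined" ||
        { echo "certificate does not match the key in $combined" >&2; return 1; }
    old_umask=$(umask); umask 077       # temporary file holds the private key
    tmp=$(mktemp) && splice_cert "$combined" "$newcert" > "$tmp" &&
        cp -p "$combined" "$combined.bak" &&
        cat "$tmp" > "$combined"        # writing in place keeps owner and mode
    rc=$?
    rm -f "$tmp"; umask "$old_umask"
    return $rc
}
```

The backup file also contains the private key, so remove it or keep it as protected as the original once the services have been restarted and tested.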