Difference between revisions of "CAcert"

From YobiWiki
Jump to navigation Jump to search
 
(14 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
http://www.pengdows.com/images/cacert-wotseal73.gif
 
http://www.pengdows.com/images/cacert-wotseal73.gif
   
I'm [https://www.cacert.org/index.php CAcert] assurer, able to attribute you up to 10 points
+
I'm [https://www.cacert.org/index.php CAcert] assurer, able to attribute you up to 35 points as I've 150 points
* I've currently 107 points
 
 
* I passed the [https://cats.cacert.org CATS Challenge] with 100% (it requires 80%, I did 84% then 84% then 88% then 100% and got bored ;-) )
 
* I passed the [https://cats.cacert.org CATS Challenge] with 100% (it requires 80%, I did 84% then 84% then 88% then 100% and got bored ;-) )
   
Line 9: Line 8:
 
* [http://www.cacert.org/index.php?id=19 What can CAcert provide to you, to increase your privacy and security for free?]
 
* [http://www.cacert.org/index.php?id=19 What can CAcert provide to you, to increase your privacy and security for free?]
 
* The [https://cats.cacert.org/education_2010.crt Education Client Certificate] I should use to encrypt my request for an official "paper" certificate (to have passed the test, not a digital certificate!)<br>I copied the link here as I could not right-click on their page to save it...
 
* The [https://cats.cacert.org/education_2010.crt Education Client Certificate] I should use to encrypt my request for an official "paper" certificate (to have passed the test, not a digital certificate!)<br>I copied the link here as I could not right-click on their page to save it...
* I tried to get the client certificate out of Firefox/Iceweasel as it repeatedly told me "Failed to create the PKCS #12 backup file for unknown reasons"<br>The bug is now identified and about to be solved: [http://bugs.debian.org/469079 #469079]: remove libnss3 and keep only libnss3-1d
+
* Get the client certificate out of Firefox/Iceweasel as PKCS #12 backup file and convert it to PEM (here example without pwd for the key!)
  +
openssl pkcs12 -in mycert.p12 -nocerts -nodes -out mycert.key.pem
 
  +
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt.pem
  +
openssl pkcs12 -in mycert.p12 -cacerts -nokeys -out mycert.ca.pem
 
* For server certificates: if using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the [http://wiki.cacert.org/wiki/SimpleApacheCert?action=AttachFile&do=get&target=CAcert_chain.pem attachments]. Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.<br>Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
 
* For server certificates: if using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the [http://wiki.cacert.org/wiki/SimpleApacheCert?action=AttachFile&do=get&target=CAcert_chain.pem attachments]. Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.<br>Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
 
SSLCertificateFile <Path to your certificate file>/example_cert.pem
 
SSLCertificateFile <Path to your certificate file>/example_cert.pem
 
SSLCertificateKeyFile <Path to your key file>/example_key.pem
 
SSLCertificateKeyFile <Path to your key file>/example_key.pem
 
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
 
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
  +
* See [https://wiki.cacert.org/VhostTaskForce#Easy_way_to_generate_CSRs_with_subjectAltNames here] for the [http://guillaume.romagny.free.fr/evaldo/csr.sh csr.sh] script to generate proper requests
  +
* See [[Virtual_Private_Networks#Using_CACert_certificates_with_OpenVPN|Using CACert certificates with OpenVPN]]
  +
  +
==old story==
  +
* I tried to get the client certificate out of Firefox/Iceweasel as it repeatedly told me "Failed to create the PKCS #12 backup file for unknown reasons"<br>The bug is now solved: [http://bugs.debian.org/469079 #469079]: remove libnss3 and keep only libnss3-1d<br>
   
 
==Alternatives==
 
==Alternatives==
 
* [http://cert.startcom.org/ StartCom Free SSL Certification Authority]
 
* [http://cert.startcom.org/ StartCom Free SSL Certification Authority]
  +
==Forms==
  +
python -c "import sys, urllib as ul; name=ul.quote_plus(sys.argv[1]); dob=sys.argv[2]; email=ul.quote_plus(sys.argv[3]); \
  +
assurer=ul.quote_plus('Philippe Y. F. Teuwen'); print 'https://secure.cacert.org/cap.php?name='\
  +
+name+'+&dob='+dob+'&email='+email+'&assurer='+assurer+'+&date=now&maxpoints=35'" "Firstname Lastname" yyyy-mm-dd email@address
  +
==Personal notes==
  +
When renewing the certificate, change it in:
  +
* Apache config:
  +
** /etc/apache2/ssl/myserver.crt
  +
** /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: [http://wiki.cacert.org/wiki/SimpleApacheCert?action=AttachFile&do=get&target=CAcert_chain.pem CAcert_chain.pem]
  +
/etc/init.d/apache2 restart
  +
  +
* Exim config:
  +
** /etc/exim4/exim.crt
  +
/etc/init.d/exim4 restart
  +
  +
* IMAP config:
  +
** /etc/courier/imapd.pem Beware this file contains also the private key! Overwrite only the certificate section!
  +
/etc/init.d/courier-authdaemon restart
  +
/etc/init.d/courier-imap restart
  +
/etc/init.d/courier-imap-ssl restart
  +
  +
* OpenVPN config:
  +
** /etc/openvpn/myserver.pem
  +
** /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: [http://wiki.cacert.org/wiki/SimpleApacheCert?action=AttachFile&do=get&target=CAcert_chain.pem CAcert_chain.pem]
  +
/etc/init.d/openvpn restart
  +
  +
* Global CA list:
  +
mkdir /usr/local/share/ca-certificates/cacert.org
  +
wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
  +
update-ca-certificates

Latest revision as of 22:00, 21 September 2014

Assurer

http://www.pengdows.com/images/cacert-wotseal73.gif

I'm CAcert assurer, able to attribute you up to 35 points as I've 150 points

  • I passed the CATS Challenge with 100% (it requires 80%, I did 84% then 84% then 88% then 100% and got bored ;-) )

Misc infos

openssl pkcs12 -in mycert.p12 -nocerts -nodes -out mycert.key.pem
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mycert.p12 -cacerts -nokeys -out mycert.ca.pem
  • For server certificates: if using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments. Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
    Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem
SSLCertificateKeyFile <Path to your key file>/example_key.pem
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem

old story

  • I tried to get the client certificate out of Firefox/Iceweasel as it repeatedly told me "Failed to create the PKCS #12 backup file for unknown reasons"
    The bug is now solved: #469079: remove libnss3 and keep only libnss3-1d

Alternatives

Forms

python -c "import sys, urllib as ul; name=ul.quote_plus(sys.argv[1]); dob=sys.argv[2]; email=ul.quote_plus(sys.argv[3]); \
assurer=ul.quote_plus('Philippe Y. F. Teuwen'); print 'https://secure.cacert.org/cap.php?name='\
+name+'+&dob='+dob+'&email='+email+'&assurer='+assurer+'+&date=now&maxpoints=35'" "Firstname Lastname" yyyy-mm-dd email@address

Personal notes

When renewing the certificate, change it in:

  • Apache config:
    • /etc/apache2/ssl/myserver.crt
    • /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: CAcert_chain.pem
/etc/init.d/apache2 restart
  • Exim config:
    • /etc/exim4/exim.crt
/etc/init.d/exim4 restart
  • IMAP config:
    • /etc/courier/imapd.pem Beware this file contains also the private key! Overwrite only the certificate section!
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
  • OpenVPN config:
    • /etc/openvpn/myserver.pem
    • /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: CAcert_chain.pem
/etc/init.d/openvpn restart
  • Global CA list:
mkdir /usr/local/share/ca-certificates/cacert.org
wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
update-ca-certificates