CAcert
Revision as of 23:37, 24 March 2014 by <bdi>PhilippeTeuwen</bdi> (talk | contribs)
Assurer
http://www.pengdows.com/images/cacert-wotseal73.gif
I'm CAcert assurer, able to attribute you up to 35 points as I've 150 points
- I passed the CATS Challenge with 100% (it requires 80%, I did 84% then 84% then 88% then 100% and got bored ;-) )
Misc infos
- What can CAcert provide to you, to increase your privacy and security for free?
- The Education Client Certificate I should use to encrypt my request for an official "paper" certificate (to have passed the test, not a digital certificate!)
I copied the link here as I could not right-click on their page to save it... - Get the client certificate out of Firefox/Iceweasel as PKCS #12 backup file and convert it to PEM (here example without pwd for the key!)
openssl pkcs12 -in mycert.p12 -nocerts -nodes -out mycert.key.pem openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt.pem openssl pkcs12 -in mycert.p12 -cacerts -nokeys -out mycert.ca.pem
- For server certificates: if using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments. Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem SSLCertificateKeyFile <Path to your key file>/example_key.pem SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
- See here for the csr.sh script to generate proper requests
- See Using CACert certificates with OpenVPN
old story
- I tried to get the client certificate out of Firefox/Iceweasel as it repeatedly told me "Failed to create the PKCS #12 backup file for unknown reasons"
The bug is now solved: #469079: remove libnss3 and keep only libnss3-1d
Alternatives
Forms
python -c "import sys, urllib as ul; name=ul.quote_plus(sys.argv[1]); dob=sys.argv[2]; email=ul.quote_plus(sys.argv[3]); \ assurer=ul.quote_plus('Philippe Y. F. Teuwen'); print 'https://secure.cacert.org/cap.php?name='\ +name+'+&dob='+dob+'&email='+email+'&assurer='+assurer+'+&date=now&maxpoints=35'" "Firstname Lastname" yyyy-mm-dd email@address
Personal notes
When renewing the certificate, change it in:
- Apache config:
- /etc/apache2/ssl/myserver.crt
- /etc/apache2/ssl/CAcert_chain.pem : renew it too if still using the md5-signed class 3, it's here: CAcert_chain.pem
/etc/init.d/apache2 restart
- Exim config:
- /etc/exim4/exim.crt
/etc/init.d/exim4 restart
- IMAP config:
- /etc/courier/imapd.pem Beware this file contains also the private key! Overwrite only the certificate section!
/etc/courier# /etc/init.d/courier-authdaemon restart /etc/init.d/courier-imap restart /etc/init.d/courier-imap-ssl restart