====== linuxaudio.org - SSL Certificate Authority ======

<note warning> Page in Progres -- Preparing for [[http://lac.linuxaudio.org/2010/index.php?page=program&details=1&mode=list&page=program&pdb_filterday=3&pdb_filterlocation=11&pdb_filtertype=o|LAC Key sining session]]</note>

===== SSL/Certificate =====

Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.

Our root certificate: {{:wiki:ca.crt|ca.crt}} (to be submitted to [[http://www.mozilla.org/projects/security/certs/|mozilla.org]] for inclusion in Firefox).

Create your server=certificate (if you have not yet done so):
  SERVER=severname
  openssl genrsa -des3 -out $SERVER.key 4096

To have your certificate signed by us: prepare a CSR (Certificate Signing Request):
  openssl req -new -key $SERVER.key -out $SERVER.csr

*We* will sign the CSR:
  CA=ca
  openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt

and pass the CRT (signed server certificate) back to you..

You'll want to unlock server key - so that no password is required when starting the server: 
  openssl rsa -in $SERVER.key -out $SERVER.key.insecure
  mv $SERVER.key $SERVER.key.secure
  mv $SERVER.key.insecure $SERVER.key
  chmod 0600 $SERVER.key

and edit your apache config adding these:
  SSLEngine On
  SSLCertificateFile /path/to/filename.crt
  SSLCertificateKeyFile /path?to/filename.key

more information at %%http://www.tc.umn.edu/~brams006/selfsign.html%% and %%http://httpd.apache.org/docs/2.0/ssl/%%

===== GPG/PGP key signing =====

Information for the GPG signing party at LAC2010: read the Chapter [[http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep|4. Prepairing For The Party]] for tasks you (participant) should prepare.. to sum it up:

==== Preparations - GPG key generation ====

  * Generating Your Key Pair: ''gpg --gen-key''
  * Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:
  bash$ gpg --list-secret-keys
  
  /home/demo/.gnupg/secring.gpg
  ----------------------------
  sec  1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie>
  ssb  4096g/7A4087F3 2007-11-05
  bash$ gpg --edit-key C01BAFC3
  Command> help
  Command> adduid
  [...]
  Command> save
  * send your key to the keyserver:
  bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>
You should see a success message like this:
  gpg: success sending to `<keyserver>' (status=200)

  * Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you want to need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator.

  bash$ gpg --fingerprint  <Your_Key_ID>

Key-servers:
  * pool.sks-keyservers.net
  * subkeys.pgp.net
  * pgp.mit.edu
  * %%ldap://certserver.pgp.com%%
  * pgpkeys.pca.dfn.de:11371

==== Signing Keys ====

There are some easy to use GUI for managing keys. For example:
  * ''gpgkeys'', 
  * Thunderbird/Icedove ''OpenPGP/Enigmail'' plugin
  * ...

The manual way to sign keys is as follows:

  * **Get a copy of the key**: Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with ''gpg --import''. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:

  bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.

  * **Fingerprint and Verify the key**

  bash$ gpg --fingerprint <Key_ID>
GPG will print out the fingerprint of the Key with ''<Key_ID>'' (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.

  * **Sign the key**

  bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:

  bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
  bash$ gpg --version

  * **Return or Upload the signed key** If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires.
  Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:

  bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
You should see a success message like this:
  gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.