====== linuxaudio.org - SSL Certificate Authority ======
Page in Progres -- Preparing for [[http://lac.linuxaudio.org/2010/index.php?page=program&details=1&mode=list&page=program&pdb_filterday=3&pdb_filterlocation=11&pdb_filtertype=o|LAC Key sining session]]
===== SSL/Certificate =====
Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.
Our root certificate: {{:wiki:ca.crt|ca.crt}} (to be submitted to [[http://www.mozilla.org/projects/security/certs/|mozilla.org]] for inclusion in Firefox).
Create your server=certificate (if you have not yet done so):
SERVER=severname
openssl genrsa -des3 -out $SERVER.key 4096
To have your certificate signed by us: prepare a CSR (Certificate Signing Request):
openssl req -new -key $SERVER.key -out $SERVER.csr
*We* will sign the CSR:
CA=ca
openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt
and pass the CRT (signed server certificate) back to you..
You'll want to unlock server key - so that no password is required when starting the server:
openssl rsa -in $SERVER.key -out $SERVER.key.insecure
mv $SERVER.key $SERVER.key.secure
mv $SERVER.key.insecure $SERVER.key
chmod 0600 $SERVER.key
and edit your apache config adding these:
SSLEngine On
SSLCertificateFile /path/to/filename.crt
SSLCertificateKeyFile /path?to/filename.key
more information at %%http://www.tc.umn.edu/~brams006/selfsign.html%% and %%http://httpd.apache.org/docs/2.0/ssl/%%
===== GPG/PGP key signing =====
Information for the GPG signing party at LAC2010: read the Chapter [[http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep|4. Prepairing For The Party]] for tasks you (participant) should prepare.. to sum it up:
==== Preparations - GPG key generation ====
* Generating Your Key Pair: ''gpg --gen-key''
* Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:
bash$ gpg --list-secret-keys
/home/demo/.gnupg/secring.gpg
----------------------------
sec 1024D/C01BAFC3 2007-11-05 Demo User
ssb 4096g/7A4087F3 2007-11-05
bash$ gpg --edit-key C01BAFC3
Command> help
Command> adduid
[...]
Command> save
* send your key to the keyserver:
bash$ gpg --keyserver --send-key
You should see a success message like this:
gpg: success sending to `' (status=200)
* Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you want to need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator.
bash$ gpg --fingerprint
Key-servers:
* pool.sks-keyservers.net
* subkeys.pgp.net
* pgp.mit.edu
* %%ldap://certserver.pgp.com%%
* pgpkeys.pca.dfn.de:11371
==== Signing Keys ====
There are some easy to use GUI for managing keys. For example:
* ''gpgkeys'',
* Thunderbird/Icedove ''OpenPGP/Enigmail'' plugin
* ...
The manual way to sign keys is as follows:
* **Get a copy of the key**: Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with ''gpg --import''. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:
bash$ gpg --keyserver --recv-keys
If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
* **Fingerprint and Verify the key**
bash$ gpg --fingerprint
GPG will print out the fingerprint of the Key with '''' (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.
* **Sign the key**
bash$ gpg --sign-key
If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:
bash$ gpg --default-key --sign-key
If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
bash$ gpg --version
* **Return or Upload the signed key** If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires.
Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
bash$ gpg --keyserver --send-key
You should see a success message like this:
gpg: success sending to `' (status=200)
Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.