linuxaudio.org - SSL Certificate Authority

Page in Progress – Preparing for the LAC key signing session

SSL/Certificate

Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.

Our root certificate: ca.crt (to be submitted to mozilla.org for inclusion in Firefox).

Create your server key, the private key your certificate will be issued for (skip this if you already have one):

SERVER=servername
openssl genrsa -des3 -out $SERVER.key 4096   # passphrase-protected 4096-bit RSA key

To have your certificate signed by us, prepare a CSR (Certificate Signing Request) from that key:

openssl req -new -key $SERVER.key -out $SERVER.csr

*We* will sign the CSR:

CA=ca
# -CAcreateserial keeps a counter in ca.srl so every certificate we issue gets a distinct serial
# number (a fixed -set_serial 01 would give every server the same serial, which is not valid for a CA)
openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -CAcreateserial -out $SERVER.crt

and pass the CRT (signed server certificate) back to you.

You'll want to unlock the server key, so that no passphrase is required when starting the server:

openssl rsa -in $SERVER.key -out $SERVER.key.insecure
mv $SERVER.key $SERVER.key.secure
mv $SERVER.key.insecure $SERVER.key
chmod 0600 $SERVER.key

and edit your Apache config, adding these directives:

SSLEngine On
SSLCertificateFile /path/to/filename.crt
SSLCertificateKeyFile /path/to/filename.key

More information at http://www.tc.umn.edu/~brams006/selfsign.html and http://httpd.apache.org/docs/2.0/ssl/
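The exchange described above, run end to end in a scratch directory as an added example (this is not code from the linuxaudio.org page): the CA side creates ca.key and ca.crt, the server side creates a passphrase-protected key and a CSR, the CA signs it, the server strips the passphrase, and both sides verify the result before it goes into the Apache config. The CA name "Demo CA", the host names www.demo.example and mail.demo.example and the passphrase "demo" are made up; -subj, -passout and -passin stand in for the interactive prompts so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the linuxaudio.org page. All names and the
# passphrase "demo" are constructed; everything happens in a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# CA side: self-signed root key and certificate (the page's ca.key / ca.crt).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout ca.key -out ca.crt -subj "/CN=Demo CA" 2>/dev/null
    chmod 0600 ca.key
}

# Server side: passphrase-protected key plus a CSR for that key.
make_csr() {
    name="$1"
    openssl genrsa -des3 -passout pass:demo -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -passin pass:demo \
        -subj "/CN=$name" -out "$name.csr" 2>/dev/null
}

# CA side: sign the CSR. -CAcreateserial keeps a counter in ca.srl so each
# certificate this CA issues carries a different serial number; a CA must
# never issue two certificates with the same serial (RFC 5280), and clients
# and revocation lists tell certificates apart by issuer + serial.
sign_csr() {
    name="$1"
    openssl x509 -req -days 365 -sha256 -in "$name.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out "$name.crt" 2>/dev/null
}

# Server side: strip the passphrase for unattended start-up, keep the
# encrypted copy, and make the plaintext key readable by its owner only.
unlock_key() {
    name="$1"
    openssl rsa -in "$name.key" -passin pass:demo -out "$name.key.insecure" 2>/dev/null
    mv "$name.key" "$name.key.secure"
    mv "$name.key.insecure" "$name.key"
    chmod 0600 "$name.key"
}

# Checks to run before installing the files: does the certificate chain to
# ca.crt, and does its public key match the (already unlocked) server key?
verify_cert() {
    name="$1"
    openssl verify -CAfile ca.crt "$name.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$name.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$name.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Prints "serial=..." for an issued certificate.
serial_of() {
    openssl x509 -in "$1.crt" -noout -serial
}

# Run the whole flow for two servers: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    make_ca
    for s in www.demo.example mail.demo.example; do
        make_csr "$s"; sign_csr "$s"; unlock_key "$s"; verify_cert "$s"
        echo "$s: $(serial_of "$s")"
    done
fi
```

Running it with the `run` argument prints one line per server with its serial; the two serials differ because ca.srl is incremented between issuances. The same `openssl verify` and public-key comparison are worth running on any certificate you receive back from the CA before pointing SSLCertificateFile at it.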

GPG/PGP key signing

Information for the GPG signing party at LAC2010: read Chapter 4, "Preparing For The Party", for the tasks you (the participant) should prepare. To sum it up:

Preparations - GPG key generation

bash$ gpg --list-secret-keys

/home/demo/.gnupg/secring.gpg
----------------------------
sec  1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie>
ssb  4096g/7A4087F3 2007-11-05
bash$ gpg --edit-key C01BAFC3
Command> help
Command> adduid
[...]
Command> save
* send your key to the keyserver:
bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)
bash$ gpg --fingerprint  <Your_Key_ID>

Key-servers:

Signing Keys

There are some easy-to-use GUIs for managing keys. For example:

The manual way to sign keys is as follows:

bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>

If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.

bash$ gpg --fingerprint <Key_ID>

GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check that fingerprint against the checklist you were given at the party. Note: do not check the fingerprint on your checklist against the fingerprint on the web page, because the server may not send you the same key it displays on the web page.

bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of them to sign the other person's public key with, like this:

bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

If you have trouble dealing with RSA keys, you're probably using an old version of GnuPG. Versions of GnuPG older than 1.0.3 do not include RSA support. Note: you may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:

bash$ gpg --version

Most likely you are working with a keyserver. If so, you can send the signed key back to the keyserver like this:

bash$ gpg --keyserver <keyserver> --send-key <Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.
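The fingerprint comparison in the procedure above is the step that actually protects you, so here is an added helper (not from the linuxaudio.org page) that compares what `gpg --fingerprint` prints with the value on the checklist. It normalises spacing and case, reads both the older "Key fingerprint =" layout and the bare-fingerprint layout of GnuPG 2.1+, and refuses a checklist entry that is only a key ID, since a key ID is just the tail of the fingerprint and is not enough to identify a key. The sample gpg output, the checklist values and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the linuxaudio.org page. The gpg output and the
# checklist values below are constructed for the demonstration.
set -eu

# Reduce any spelling of a fingerprint (spaces, colons, lower case) to bare
# upper-case hex so "1234 5678 ..." and "12345678..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Pull the fingerprint out of `gpg --fingerprint` output read on stdin.
# GnuPG 1.x / 2.0 print "Key fingerprint = ...", GnuPG 2.1+ print the bare
# fingerprint on an indented line; both are handled (v4 keys, 40 hex digits).
extract_fpr() {
    sed -n 's/^ *Key fingerprint = //p; s/^ \{1,\}\([0-9A-Fa-f ]\{40,50\}\)$/\1/p' \
        | head -n 1
}

# Usage: gpg --fingerprint <Key_ID> | check_fingerprint "<checklist value>"
# Returns 0 on match, 1 on mismatch, 2 when the inputs are unusable.
check_fingerprint() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(extract_fpr)")
    case "$expected" in
        ""|*[!0-9A-F]*) echo "checklist value is not hexadecimal: '$1'" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "refusing ${#expected}-digit value: a key ID is not a fingerprint" >&2
        return 2
    fi
    if [ -z "$actual" ]; then
        echo "no fingerprint found in gpg output" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches checklist: $actual"
        return 0
    fi
    echo "MISMATCH: gpg shows $actual, checklist says $expected" >&2
    return 1
}

# Constructed sample of `gpg --fingerprint C01BAFC3` in the GnuPG 1.x layout
# (the fingerprint itself is made up; its last 8 digits form the key ID).
SAMPLE_GPG_OUTPUT='pub   1024D/C01BAFC3 2007-11-05
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 C01B AFC3
uid                  Demo User <demo@dublin.ie>
sub   4096g/7A4087F3 2007-11-05'

# The same key as GnuPG 2.1+ prints it (also constructed).
SAMPLE_GPG_OUTPUT_NEW='pub   dsa1024 2007-11-05 [SC]
      1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 C01B AFC3
uid           [ unknown] Demo User <demo@dublin.ie>
sub   elg4096 2007-11-05 [E]'

# Demo run: sh this_script.sh run   (first call matches, second does not)
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_GPG_OUTPUT" | check_fingerprint "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 C01B AFC3"
    printf '%s\n' "$SAMPLE_GPG_OUTPUT" | check_fingerprint "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 C01B AFC4" || true
fi
```

In the real workflow the left side of the pipe is the live `gpg --fingerprint <Key_ID>` call, and you only go on to `gpg --sign-key <Key_ID>` when the function returns 0; a mismatch means the keyserver handed you a different key than the one whose owner you met.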