Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.
Our root certificate: ca.crt (to be submitted to mozilla.org for inclusion in Firefox).
Create your server=certificate (if you have not yet done so):
SERVER=severname openssl genrsa -des3 -out $SERVER.key 4096
To have your certificate signed by us: prepare a CSR (Certificate Signing Request):
openssl req -new -key $SERVER.key -out $SERVER.csr
*We* will sign the CSR:
CA=ca openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt
and pass the CRT (signed server certificate) back to you..
You'll want to unlock server key - so that no password is required when starting the server:
openssl rsa -in $SERVER.key -out $SERVER.key.insecure mv $SERVER.key $SERVER.key.secure mv $SERVER.key.insecure $SERVER.key chmod 0600 $SERVER.key
and edit your apache config adding these:
SSLEngine On SSLCertificateFile /path/to/filename.crt SSLCertificateKeyFile /path?to/filename.key
more information at http://www.tc.umn.edu/~brams006/selfsign.html and http://httpd.apache.org/docs/2.0/ssl/
Information for the GPG signing party at LAC2010: read the Chapter 4. Prepairing For The Party for tasks you (participant) should prepare.. to sum it up:
gpg –gen-keybash$ gpg –list-secret-keys
/home/demo/.gnupg/secring.gpg ---------------------------- sec 1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie> ssb 4096g/7A4087F3 2007-11-05 bash$ gpg --edit-key C01BAFC3 Command> help Command> adduid [...] Command> save * send your key to the keyserver: bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>
You should see a success message like this:
gpg: success sending to `<keyserver>' (status=200)
bash$ gpg --fingerprint <Your_Key_ID>
Key-servers:
There are some easy to use GUI for managing keys. For example:
gpgkeys, OpenPGP/Enigmail pluginThe manual way to sign keys is as follows:
gpg –import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
bash$ gpg --fingerprint <Key_ID>
GPG will print out the fingerprint of the Key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.
bash$ gpg --sign-key <Key_ID>
If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:
bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
bash$ gpg --version
Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
You should see a success message like this:
gpg: success sending to `<keyserver>' (status=200)
Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.