- SSL Certificate Authority

Page in Progress – Preparing for LAC key signing session


Motivation: serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.

Our root certificate: ca.crt (to be submitted to for inclusion in Firefox).

Create your server key (if you have not yet done so):

openssl genrsa -des3 -out $SERVER.key 4096

To have your certificate signed by us: prepare a CSR (Certificate Signing Request):

openssl req -new -key $SERVER.key -out $SERVER.csr

*We* will sign the CSR:

openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt

and pass the CRT (signed server certificate) back to you.

You'll want to unlock the server key so that no password is required when starting the server:

openssl rsa -in $SERVER.key -out $SERVER.key.insecure
mv $SERVER.key $
mv $SERVER.key.insecure $SERVER.key
chmod 0600 $SERVER.key

and edit your apache config adding these:

SSLEngine On
SSLCertificateFile /path/to/filename.crt
SSLCertificateKeyFile /path/to/filename.key
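As an added, self-contained walk-through of the steps above (example script, not commands from the original page): it plays both the CA side and the server side in a scratch directory, then runs the two checks worth doing on the returned CRT before it goes into the Apache config. The names demo-ca and demo-server and the CN values are assumptions; the CA step signs with -CAcreateserial rather than -set_serial 01 so that every issued certificate gets a distinct serial.

```shell
#!/bin/sh
# Added example (not the page's own commands): non-interactive run of the CA
# workflow in a scratch directory, ending with two deployment checks.
# All names below (demo-ca, demo-server, the CN values) are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/demo-ca"
SERVER="$WORK/demo-server"

# CA side: self-signed root. Unencrypted here only because the run is unattended;
# a real CA key stays passphrase-protected and offline.
make_ca() {
  openssl genrsa -out "$CA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$CA.key" -subj "/CN=LAD demo CA" -out "$CA.crt"
}

# Server side: private key plus CSR (the page's genrsa/req steps, non-interactive)
make_csr() {
  openssl genrsa -out "$SERVER.key" 2048 2>/dev/null
  chmod 0600 "$SERVER.key"
  openssl req -new -key "$SERVER.key" -subj "/CN=demo.example.org" -out "$SERVER.csr"
}

# CA side: sign the CSR. -CAcreateserial keeps a counter file so each issued
# certificate gets a unique serial (repeating -set_serial 01 would not).
sign_csr() {
  openssl x509 -req -days 365 -in "$SERVER.csr" -CA "$CA.crt" -CAkey "$CA.key" \
    -CAcreateserial -out "$SERVER.crt" 2>/dev/null
}

# Check 1: the returned CRT must chain to our root certificate
verify_chain() {
  openssl verify -CAfile "$CA.crt" "$SERVER.crt" >/dev/null 2>&1
}

# Check 2: the public key inside the CRT must match the server's private key
key_matches_cert() {
  k=$(openssl pkey -in "$SERVER.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$SERVER.crt" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

run_demo() {
  make_ca && make_csr && sign_csr && verify_chain && key_matches_cert
}

run_demo && echo "signed certificate verified against $CA.crt"
```

If either check fails, the CRT you were handed back was not signed by this root or was issued for a different CSR, and it should not be installed.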

more information at and

GPG/PGP key signing

Information for the GPG signing party at LAC2010: read Chapter 4, Preparing For The Party, for the tasks you (the participant) should complete. To sum it up:

Preparations - GPG key generation

  • Generating Your Key Pair: gpg --gen-key
  • Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:

bash$ gpg --list-secret-keys

sec  1024D/C01BAFC3 2007-11-05 Demo User <>
ssb  4096g/7A4087F3 2007-11-05
bash$ gpg --edit-key C01BAFC3
Command> help
Command> adduid
Command> save
  • Send your key to the keyserver:
bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)
  • Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator.
bash$ gpg --fingerprint  <Your_Key_ID>


  • ldap://

Signing Keys

There are some easy-to-use GUIs for managing keys. For example:

  • gpgkeys
  • Thunderbird/Icedove OpenPGP/Enigmail plugin

The manual way to sign keys is as follows:

  • Get a copy of the key: Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:
bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>

If you get a read error, it means the keyserver is overloaded. Please try again in a few seconds.

  • Fingerprint and Verify the key
bash$ gpg --fingerprint <Key_ID>

GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.

  • Sign the key
bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with like this:

bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

If you have trouble dealing with RSA keys, you're probably using an old version of GnuPG. Versions of GnuPG older than 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:

bash$ gpg --version
  • Return or upload the signed key: If you are working with an entity which does not want their key on a public keyserver, you should at this point return their signed key to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.

Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:

bash$ gpg --keyserver <keyserver> --send-key <Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.

wiki/ssl_cert.txt · Last modified: 2013/06/02 15:45 (external edit)