Differences
wiki:ssl_cert [2010/05/01 11:13] – created rgareus | wiki:ssl_cert [2010/05/02 15:29] – rgareus | ||
---|---|---|---|
Line 3: | Line 3: | ||
<note warning> Page in Progres -- Preparing for [[http:// | <note warning> Page in Progres -- Preparing for [[http:// | ||
- | SSL-CA: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs. | + | ===== SSL/ |
- | Our root certificate: {{:wiki:ca.crt|ca.crt}}. | + | Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs. |
+ | Our root certificate: | ||
+ | Create your server=certificate (if you have not yet done so): | ||
+ | SERVER=severname | ||
+ | openssl genrsa -des3 -out $SERVER.key 4096 | ||
+ | To have your certificate signed by us: prepare a CSR (Certificate Signing Request): | ||
+ | openssl req -new -key $SERVER.key -out $SERVER.csr | ||
+ | |||
+ | *We* will sign the CSR: | ||
+ | CA=ca | ||
+ | openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt | ||
+ | |||
+ | and pass the CRT (signed server certificate) back to you.. | ||
+ | |||
+ | You'll want to unlock server key - so that no password is required when starting the server: | ||
+ | openssl rsa -in $SERVER.key -out $SERVER.key.insecure | ||
+ | mv $SERVER.key $SERVER.key.secure | ||
+ | mv $SERVER.key.insecure $SERVER.key | ||
+ | chmod 0600 $SERVER.key | ||
+ | |||
+ | and edit your apache config adding these: | ||
+ | SSLEngine On | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | more information at %%http:// | ||
+ | |||
+ | ===== GPG/PGP key signing ===== | ||
+ | |||
+ | Information for the GPG signing party at LAC2010: read the Chapter [[http:// | ||
+ | |||
+ | ==== Preparations - GPG key generation ==== | ||
+ | |||
+ | * Generating Your Key Pair: '' | ||
+ | * Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key: | ||
+ | bash$ gpg --list-secret-keys | ||
+ | | ||
+ | / | ||
+ | ---------------------------- | ||
+ | sec 1024D/ | ||
+ | ssb 4096g/ | ||
+ | bash$ gpg --edit-key C01BAFC3 | ||
+ | Command> help | ||
+ | Command> adduid | ||
+ | [...] | ||
+ | Command> save | ||
+ | * send your key to the keyserver: | ||
+ | bash$ gpg --keyserver < | ||
+ | You should see a success message like this: | ||
+ | gpg: success sending to `< | ||
+ | |||
+ | * Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you want to need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator. | ||
+ | |||
+ | bash$ gpg --fingerprint | ||
+ | |||
+ | Key-servers: | ||
+ | * pool.sks-keyservers.net | ||
+ | * subkeys.pgp.net | ||
+ | * pgp.mit.edu | ||
+ | * %%ldap:// | ||
+ | * pgpkeys.pca.dfn.de: | ||
+ | |||
+ | ==== Signing Keys ==== | ||
+ | |||
+ | There are some easy to use GUI for managing keys. For example: | ||
+ | * '' | ||
+ | * Thunderbird/ | ||
+ | * ... | ||
+ | |||
+ | The manual way to sign keys is as follows: | ||
+ | |||
+ | * **Get a copy of the key**: Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with '' | ||
+ | |||
+ | bash$ gpg --keyserver < | ||
+ | If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds. | ||
+ | |||
+ | * **Fingerprint and Verify the key** | ||
+ | |||
+ | bash$ gpg --fingerprint < | ||
+ | GPG will print out the fingerprint of the Key with ''< | ||
+ | |||
+ | * **Sign the key** | ||
+ | |||
+ | bash$ gpg --sign-key < | ||
+ | |||
+ | If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this: | ||
+ | |||
+ | bash$ gpg --default-key < | ||
+ | |||
+ | If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this: | ||
+ | bash$ gpg --version | ||
+ | |||
+ | * **Return or Upload the signed key** If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires. | ||
+ | Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this: | ||
+ | |||
+ | bash$ gpg --keyserver < | ||
+ | You should see a success message like this: | ||
+ | gpg: success sending to `< | ||
+ | |||
+ | Congratulations, | ||
+ | |
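Review bot: the CA signing step `openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt` hard-codes serial number 01, so every server certificate this CA issues gets the same serial; serial numbers must be unique per issuer, and clients that cache issuer/serial pairs (NSS-based browsers report SEC_ERROR_REUSED_ISSUER_AND_SERIAL) will reject the second certificate signed this way. Replace `-set_serial 01` with `-CAcreateserial`, which creates `ca.srl` on first use and increments it for each subsequent signing, or pass an explicit `-CAserial ca.srl` once the file exists. Smaller points in the same region: `SERVER=severname` is presumably meant to be `servername`, the heading text reads `server=certificate` where `server certificate` is intended, and the `SSLCertificateFile` / `SSLCertificateKeyFile` values are cut off after `/` and need full paths before the page leaves "in progress" status. In the GPG section, "Page in Progres", "older that 1.0.3" and "want to need to send" are typos.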