Differences

This shows you the differences between two versions of the page.

--- wiki:ssl_cert [2010/05/01 09:13] – created rgareus
+++ wiki:ssl_cert [2013/06/02 13:45] (current) – external edit 127.0.0.1
@@ Line 3: / Line 3: @@
 <note warning> Page in Progres -- Preparing for [[http://lac.linuxaudio.org/2010/index.php?page=program&details=1&mode=list&page=program&pdb_filterday=3&pdb_filterlocation=11&pdb_filtertype=o|LAC Key sining session]]</note>
-SSL-CA: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.
+===== SSL/Certificate =====
-Our root certificate: {{:wiki:ca.crt|ca.crt}}.
+Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.
+Our root certificate: {{:wiki:ca.crt|ca.crt}} (to be submitted to [[http://www.mozilla.org/projects/security/certs/|mozilla.org]] for inclusion in Firefox).
+Create your server=certificate (if you have not yet done so):
+  SERVER=severname
+  openssl genrsa -des3 -out $SERVER.key 4096
+To have your certificate signed by us: prepare a CSR (Certificate Signing Request):
+  openssl req -new -key $SERVER.key -out $SERVER.csr
+*We* will sign the CSR:
+  CA=ca
+  openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt
+and pass the CRT (signed server certificate) back to you..
+You'll want to unlock server key - so that no password is required when starting the server:
+  openssl rsa -in $SERVER.key -out $SERVER.key.insecure
+  mv $SERVER.key $SERVER.key.secure
+  mv $SERVER.key.insecure $SERVER.key
+  chmod 0600 $SERVER.key
+and edit your apache config adding these:
+  SSLEngine On
+  SSLCertificateFile /path/to/filename.crt
+  SSLCertificateKeyFile /path?to/filename.key
+more information at %%http://www.tc.umn.edu/~brams006/selfsign.html%% and %%http://httpd.apache.org/docs/2.0/ssl/%%
+===== GPG/PGP key signing =====
+Information for the GPG signing party at LAC2010: read the Chapter [[http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep|4. Prepairing For The Party]] for tasks you (participant) should prepare.. to sum it up:
+==== Preparations - GPG key generation ====
+  * Generating Your Key Pair: ''gpg --gen-key''
+  * Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:
+  bash$ gpg --list-secret-keys
+  /home/demo/.gnupg/secring.gpg
+  ----------------------------
+  sec  1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie>
+  ssb  4096g/7A4087F3 2007-11-05
+  bash$ gpg --edit-key C01BAFC3
+  Command> help
+  Command> adduid
+  [...]
+  Command> save
+  * send your key to the keyserver:
+  bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>
+You should see a success message like this:
+  gpg: success sending to `<keyserver>' (status=200)
+  * Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you want to need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator.
+  bash$ gpg --fingerprint  <Your_Key_ID>
+Key-servers:
+  * pool.sks-keyservers.net
+  * subkeys.pgp.net
+  * pgp.mit.edu
+  * %%ldap://certserver.pgp.com%%
+  * pgpkeys.pca.dfn.de:11371
+==== Signing Keys ====
+There are some easy to use GUI for managing keys. For example:
+  * ''gpgkeys'',
+  * Thunderbird/Icedove ''OpenPGP/Enigmail'' plugin
+  * ...
+The manual way to sign keys is as follows:
+  * **Get a copy of the key**: Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with ''gpg --import''. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:
+  bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
+If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
+  * **Fingerprint and Verify the key**
+  bash$ gpg --fingerprint <Key_ID>
+GPG will print out the fingerprint of the Key with ''<Key_ID>'' (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.
+  * **Sign the key**
+  bash$ gpg --sign-key <Key_ID>
+If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:
+  bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>
+If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
+  bash$ gpg --version
+  * **Return or Upload the signed key** If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires.
+  Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
+  bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
+You should see a success message like this:
+  gpg: success sending to `<keyserver>' (status=200)
+Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.