wiki:ssl_cert (created 2010/05/01 by rgareus; current revision 2013/06/02)
<note warning> Page in progress -- preparing for the [[http://lac.linuxaudio.org/2010/index.php?page=program&details=1&mode=list&page=program&pdb_filterday=3&pdb_filterlocation=11&pdb_filtertype=o|LAC key signing session]]</note>
  
===== SSL/Certificate =====
  
Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.
  
Our root certificate: {{:wiki:ca.crt|ca.crt}} (to be submitted to [[http://www.mozilla.org/projects/security/certs/|mozilla.org]] for inclusion in Firefox).

Create your server key (if you have not yet done so). With ''-des3'' the key is stored encrypted and openssl asks you for a passphrase:
  SERVER=servername
  openssl genrsa -des3 -out $SERVER.key 4096

To have your certificate signed by us, prepare a CSR (Certificate Signing Request) with that key. The Common Name you enter must be the hostname clients will connect to:
  openssl req -new -key $SERVER.key -out $SERVER.csr

*We* will sign the CSR:
  CA=ca
  openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt

and pass the CRT (signed server certificate) back to you.

One caveat about the command above: ''-set_serial 01'' gives every certificate this CA issues the same serial number. Serial numbers must be unique per issuer, and Firefox refuses a second certificate whose issuer and serial it has already seen. Signing with ''-CAcreateserial -CAserial $CA.srl'' instead of ''-set_serial'' takes the next serial from a file and increments it for each certificate.

You'll want to unlock the server key, so that no passphrase is required when starting the server. The unencrypted copy must be readable by root only, hence the ''chmod'':
  openssl rsa -in $SERVER.key -out $SERVER.key.insecure
  mv $SERVER.key $SERVER.key.secure
  mv $SERVER.key.insecure $SERVER.key
  chmod 0600 $SERVER.key

and edit your apache config, adding these:
  SSLEngine On
  SSLCertificateFile /path/to/filename.crt
  SSLCertificateKeyFile /path/to/filename.key

more information at %%http://www.tc.umn.edu/~brams006/selfsign.html%% and %%http://httpd.apache.org/docs/2.0/ssl/%%
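The whole flow above (CA root, server key and CSR, signing, checking the result) as a script you can run in a scratch directory. This is an added example, not the linuxaudio.org CA's own tooling: ''Demo CA'', ''www.example.org'' and ''mail.example.org'' are placeholder names, the keys are 2048-bit to keep it fast, and the server key is generated without ''-des3'' so nothing prompts. It departs from the commands above in two places, taking serials from a CA serial file rather than ''-set_serial 01'' and adding a ''subjectAltName'' through ''-extfile''; the page's fixed-serial variant is kept alongside so the two can be compared.

```shell
#!/bin/sh
# Added example (not the linuxaudio.org CA's own scripts): the page's CA flow
# end to end, run in a scratch directory so it can be tried safely.
# "Demo CA", www.example.org and mail.example.org are placeholder names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"

# 1. CA key and self-signed root: the equivalent of the page's ca.key / ca.crt.
openssl genrsa -out "$CA.key" 2048 2>/dev/null
openssl req -x509 -new -key "$CA.key" -days 3650 -subj "/CN=Demo CA" \
  -out "$CA.crt" 2>/dev/null

# 2. What the server operator does: key + CSR. No -des3 here, so no passphrase
#    prompt and no need for the page's "unlock" step afterwards.
make_csr() {   # make_csr <hostname>  -> $WORK/<hostname>.key and .csr
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}

# 3. What the CA does. The serial comes from ca.srl (created on first use and
#    incremented per certificate). The extension file adds a SAN matching the
#    hostname, which clients check, and CA:FALSE so a server cert cannot sign.
sign_csr() {   # sign_csr <hostname> -> $WORK/<hostname>.crt
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$CA.crt" -CAkey "$CA.key" \
    -CAcreateserial -CAserial "$WORK/ca.srl" -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# The page's variant, for comparison: a fixed serial reused for every cert.
sign_csr_fixed_serial() {   # sign_csr_fixed_serial <hostname> -> $WORK/<hostname>.fixed.crt
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$CA.crt" -CAkey "$CA.key" \
    -set_serial 01 -out "$WORK/$1.fixed.crt" 2>/dev/null
}

# 4. Checks the server operator (or a client) can run on the returned .crt:
#    the serial it carries, and whether it chains to ca.crt for the given name.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
verify_cert() {   # verify_cert <hostname> <crt>  -> 0 if valid for that host
  openssl verify -CAfile "$CA.crt" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

for host in www.example.org mail.example.org; do
  make_csr "$host"
  sign_csr "$host"
  sign_csr_fixed_serial "$host"
done
echo "www  serial (serial file): $(cert_serial "$WORK/www.example.org.crt")"
echo "mail serial (serial file): $(cert_serial "$WORK/mail.example.org.crt")"
echo "www  serial (-set_serial): $(cert_serial "$WORK/www.example.org.fixed.crt")"
echo "mail serial (-set_serial): $(cert_serial "$WORK/mail.example.org.fixed.crt")"
```

The last two lines of output show the problem with the fixed serial: both certificates print ''01'', while the serial-file certificates differ. ''verify_cert'' also fails when the hostname does not match the certificate's SAN, which is the check a browser performs.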
 +
===== GPG/PGP key signing =====

Information for the GPG signing party at LAC2010: read chapter [[http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep|4. Preparing For The Party]] for the tasks you, as a participant, should complete beforehand. To sum it up:

==== Preparations - GPG key generation ====

  * Generate your key pair: ''gpg --gen-key''
  * Modify your key if you want. For example, if you have multiple email addresses and you want to list them as valid on your key, add a user ID for each:
  bash$ gpg --list-secret-keys
  
  /home/demo/.gnupg/secring.gpg
  ----------------------------
  sec  1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie>
  ssb  4096g/7A4087F3 2007-11-05
  bash$ gpg --edit-key C01BAFC3
  Command> help
  Command> adduid
  [...]
  Command> save
  * Send your key to the keyserver:
  bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>
You should see a success message like this:
  gpg: success sending to `<keyserver>' (status=200)

  * Email your info to the coordinator, telling him/her that you're coming to the key signing party. The command below prints the information you need to send to the coordinator if you're using a keyserver; send it in an encrypted email message.

  bash$ gpg --fingerprint <Your_Key_ID>

Key-servers:
  * pool.sks-keyservers.net
  * subkeys.pgp.net
  * pgp.mit.edu
  * %%ldap://certserver.pgp.com%%
  * pgpkeys.pca.dfn.de:11371
 +
==== Signing Keys ====

There are some easy-to-use GUIs for managing keys. For example:
  * ''gpgkeys'', 
  * Thunderbird/Icedove ''OpenPGP/Enigmail'' plugin
  * ...

The manual way to sign keys is as follows:

  * **Get a copy of the key**: Normally you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import the key file with ''gpg --import''. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:

  bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>
If you get a read error, it means the keyserver is overloaded. Please try again in a few seconds.

  * **Fingerprint and verify the key**

  bash$ gpg --fingerprint <Key_ID>
GPG will print out the fingerprint of the key with ''<Key_ID>'' (the key you just downloaded). Check the full fingerprint against the checklist that you were given at the party; the 8-digit key ID alone is not enough, since it is only the last 32 bits of the fingerprint and different keys can share it. Note: don't check the fingerprint on your checklist against the fingerprint on a web page, as the server may not send you the same key it displays on the web page.

  * **Sign the key**

  bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with, like this:

  bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

If you have trouble dealing with RSA keys, you're probably using an old version of GnuPG. Versions of GnuPG older than 1.0.3 do not include RSA support. Note: you may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
  bash$ gpg --version

  * **Return or upload the signed key**: If you are working with an entity which does not want their key on a public keyserver, you should at this point return their signed key to them by their method of choice, normally encrypted email. You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.
  Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:

  bash$ gpg --keyserver <keyserver> --send-key <Key_ID>
You should see a success message like this:
  gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.
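The "fingerprint and verify the key" step above, done mechanically, as an added example that is not part of this page. The ''gpg --fingerprint'' output is constructed sample text in the layout GnuPG prints (the page's key ID C01BAFC3 is reused as the low 32 bits of a made-up fingerprint), and the second, look-alike fingerprint is made up to share that key ID while differing everywhere else, which is exactly the case that comparing only the key ID would miss.

```shell
#!/bin/sh
# Added example (not part of the original page): compare the fingerprint that
# gpg shows for a downloaded key against the one on the party checklist.
# All fingerprints and the gpg output below are constructed sample data.
set -eu

# What `gpg --fingerprint C01BAFC3` prints for the key listed on this page
# (constructed; the fingerprint is invented, only the key ID matches the page).
SAMPLE_GPG_OUTPUT='pub   1024D/C01BAFC3 2007-11-05
      Key fingerprint = 1A2B 3C4D 5E6F 7A8B 9C0D  E1F2 A3B4 C5D6 C01B AFC3
uid                  Demo User <demo@dublin.ie>
sub   4096g/7A4087F3 2007-11-05'

# As copied from the paper checklist: lower case, grouped in fours.
CHECKLIST_FPR='1a2b 3c4d 5e6f 7a8b 9c0d  e1f2 a3b4 c5d6 c01b afc3'
# A different (invented) key whose fingerprint ends in the same 32 bits, so
# it has the same short key ID C01BAFC3.
LOOKALIKE_FPR='DEAD BEEF 0000 1111 2222  3333 4444 5555 C01B AFC3'

# Keep only hex digits and upper-case them, so "1a2b 3c4d" and "1A2B3C4D" agree.
normalize_fpr() {
  printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Pull the 40-hex-digit fingerprint out of gpg output. Handles both the
# "Key fingerprint = ..." line of gpg 1.x and the bare spaced line of gpg 2.x:
# strip anything up to "=", then keep the first line that is exactly 40 hex digits.
extract_fpr() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    hex=$(printf '%s' "${line#*=}" | tr -cd '0-9A-Fa-f')
    if [ "${#hex}" -eq 40 ]; then printf '%s\n' "$hex"; break; fi
  done
}

# Short key ID of a v4 key: the low 32 bits, i.e. the last 8 hex digits.
short_keyid() {
  normalize_fpr "$1" | cut -c33-40
}

# The actual check: the checklist entry must be a full fingerprint (40 hex
# digits) and equal the one gpg shows. Returns 0 on match, 1 otherwise.
fpr_matches() {   # fpr_matches <checklist fingerprint> <gpg output>
  want=$(normalize_fpr "$1")
  got=$(normalize_fpr "$(extract_fpr "$2")")
  [ "${#want}" -eq 40 ] && [ "$want" = "$got" ]
}

for fpr in "$CHECKLIST_FPR" "$LOOKALIKE_FPR"; do
  if fpr_matches "$fpr" "$SAMPLE_GPG_OUTPUT"; then verdict=OK; else verdict=MISMATCH; fi
  printf 'key ID %s  full fingerprint: %s\n' "$(short_keyid "$fpr")" "$verdict"
done
```

Both checklist entries print the same key ID, but only the first one passes ''fpr_matches''; a checklist that carried only the 8-digit key ID is rejected outright because it is not a full fingerprint.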