Differences

wiki:ssl_cert [2010/05/01 11:13]
rgareus created
wiki:ssl_cert [2013/06/02 15:45] (current)
Line 3: Line 3:
 <note warning> Page in Progres -- Preparing for [[http://​lac.linuxaudio.org/​2010/​index.php?​page=program&​details=1&​mode=list&​page=program&​pdb_filterday=3&​pdb_filterlocation=11&​pdb_filtertype=o|LAC Key sining session]]</​note>​ <note warning> Page in Progres -- Preparing for [[http://​lac.linuxaudio.org/​2010/​index.php?​page=program&​details=1&​mode=list&​page=program&​pdb_filterday=3&​pdb_filterlocation=11&​pdb_filtertype=o|LAC Key sining session]]</​note>​
  
-SSL-CA: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.+===== SSL/​Certificate =====
  
-Our root certificate{{:wiki:ca.crt|ca.crt}}.+Motivationlinuxaudio.org serves as a certificate authority for the LAD communityThis seems more useful than just having everyone sign their own certs.
  
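Review bot: "Motivationlinuxaudio.org serves as a certificate authority" on the added line is missing the separator after "Motivation" (presumably "Motivation: ") and the sentence break before "This seems more useful"; as written the lead word runs straight into the domain name and the two sentences into each other.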
 +Our root certificate:​ {{:​wiki:​ca.crt|ca.crt}} (to be submitted to [[http://​www.mozilla.org/​projects/​security/​certs/​|mozilla.org]] for inclusion in Firefox).
  
 +Create your server=certificate (if you have not yet done so):
 +  SERVER=severname
 +  openssl genrsa -des3 -out $SERVER.key 4096
  
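Review bot: `SERVER=severname` in the "Create your server=certificate" step is a typo for the placeholder host name, and "server=certificate" should read "server certificate". Since `$SERVER` becomes the basename of the key, the CSR and the signed certificate, and `openssl req -new` will prompt for the Common Name, the text should say explicitly that it is to be set to the fully qualified host name the server is reached under (e.g. `SERVER=www.example.org`), otherwise readers copy the placeholder literally. A short remark that the `-des3` passphrase chosen here is the one the later "unlock server key" step removes would also help readers follow the flow.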
 +To have your certificate signed by us: prepare a CSR (Certificate Signing Request):
 +  openssl req -new -key $SERVER.key -out $SERVER.csr
 +
 +*We* will sign the CSR:
 +  CA=ca
 +  openssl x509 -req -days 365 -in $SERVER.csr -CA $CA.crt -CAkey $CA.key -set_serial 01 -out $SERVER.crt
 +
 +and pass the CRT (signed server certificate) back to you..
 +
 +You'll want to unlock server key - so that no password is required when starting the server: ​
 +  openssl rsa -in $SERVER.key -out $SERVER.key.insecure
 +  mv $SERVER.key $SERVER.key.secure
 +  mv $SERVER.key.insecure $SERVER.key
 +  chmod 0600 $SERVER.key
 +
 +and edit your apache config adding these:
 +  SSLEngine On
 +  SSLCertificateFile /​path/​to/​filename.crt
 +  SSLCertificateKeyFile /​path?​to/​filename.key
 +
 +more information at %%http://​www.tc.umn.edu/​~brams006/​selfsign.html%% and %%http://​httpd.apache.org/​docs/​2.0/​ssl/​%%
 +
 +===== GPG/PGP key signing =====
 +
 +Information for the GPG signing party at LAC2010: read the Chapter [[http://​www.cryptnet.net/​fdp/​crypto/​keysigning_party/​en/​keysigning_party.html#​prep|4. Prepairing For The Party]] for tasks you (participant) should prepare.. to sum it up:
 +
 +==== Preparations - GPG key generation ====
 +
 +  * Generating Your Key Pair: ''​gpg --gen-key''​
 +  * Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:
 +  bash$ gpg --list-secret-keys
 +  ​
 +  /​home/​demo/​.gnupg/​secring.gpg
 +  ----------------------------
 +  sec  1024D/​C01BAFC3 2007-11-05 Demo User <​demo@dublin.ie>​
 +  ssb  4096g/​7A4087F3 2007-11-05
 +  bash$ gpg --edit-key C01BAFC3
 +  Command> help
 +  Command> adduid
 +  [...]
 +  Command> save
 +  * send your key to the keyserver:
 +  bash$ gpg --keyserver <​keyserver>​ --send-key <​Your_Key_ID>​
 +You should see a success message like this:
 +  gpg: success sending to `<​keyserver>'​ (status=200)
 +
 +  * Email your info to the Coordinator telling him/her that you're coming to the key signing party. The command below will print out the information that you want to need to send to the coordinator if you're using a keyserver. You can then send that information in an encrypted email message to the coordinator.
 +
 +  bash$ gpg --fingerprint ​ <​Your_Key_ID>​
 +
 +Key-servers:​
 +  * pool.sks-keyservers.net
 +  * subkeys.pgp.net
 +  * pgp.mit.edu
 +  * %%ldap://​certserver.pgp.com%%
 +  * pgpkeys.pca.dfn.de:​11371
 +
 +==== Signing Keys ====
 +
 +There are some easy to use GUI for managing keys. For example:
 +  * ''​gpgkeys'', ​
 +  * Thunderbird/​Icedove ''​OpenPGP/​Enigmail''​ plugin
 +  * ...
 +
 +The manual way to sign keys is as follows:
 +
 +  * **Get a copy of the key**: Normally, you'll be working from a keyserver. However if you are signing the key that is not available on a keyserver, you can use simply import the key with ''​gpg --import''​. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:
 +
 +  bash$ gpg --keyserver <​keyserver>​ --recv-keys <​Key_ID>​
 +If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.
 +
 +  * **Fingerprint and Verify the key**
 +
 +  bash$ gpg --fingerprint <​Key_ID>​
 +GPG will print out the fingerprint of the Key with ''<​Key_ID>''​ (the key you just downloaded). Check the fingerprint against the checklist that you where given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page as the server may not send you the same key it displays on the web page.
 +
 +  * **Sign the key**
 +
 +  bash$ gpg --sign-key <​Key_ID>​
 +
 +If you have multiple private keys, you can specify which of your private keys to sign the other persons public key with like this:
 +
 +  bash$ gpg --default-key <​Key_to_use>​ --sign-key <​Key_ID>​
 +
 +If you have trouble dealing with RSA keys, you're probably using an old version of gnupg. Versions of GnuPG older that 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:
 +  bash$ gpg --version
 +
 +  * **Return or Upload the signed key** If you are working with an entity which does not want their key on a public keyserver, you should at this point you should return their signed key back to them by their method of choice - normally encrypted email. You should not send a public key to a keyserver with out the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefor it is considered rude to make a key more public than its owner desires.
 +  Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:
 +
 +  bash$ gpg --keyserver <​keyserver>​ --send-key <​Key_ID>​
 +You should see a success message like this:
 +  gpg: success sending to `<​keyserver>'​ (status=200)
 +
 +Congratulations,​ the signature of the other entity'​s key is now complete and your signature has been incorporated into their public key. A trust path has been established.
 +  ​
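Review bot: `-set_serial 01` in the `openssl x509 -req` signing command gives every certificate this CA issues the same serial number, but serials must be unique per issuer (RFC 5280 section 4.1.2.2), and clients that cache certificates, Firefox included, reject a second certificate carrying an already-seen issuer/serial pair (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). Since the CA is meant to sign many community servers, use `-CAcreateserial` on the first run (it writes `ca.srl` next to `ca.crt`) and `-CAserial ca.srl` afterwards, or move to `openssl ca`, which tracks serials in its index. Smaller points in the same region: `SSLCertificateKeyFile /path?to/filename.key` has `?` where `/` is meant; the "unlock server key" step should state that `$SERVER.key.secure` is now the only encrypted copy and must be kept, while `$SERVER.key` is plaintext and protected only by the `chmod 0600`; `-days 365` means the signed certificate expires after a year and the CSR/signing round trip has to be repeated, which is worth saying; and "Versions of GnuPG older that 1.0.3" should read "older than". In the key-signing steps, the advice to compare the fingerprint against the party checklist rather than the web page is the right one; it would help to add, at "Fingerprint and Verify the key", what the comparison establishes: that the key just downloaded is the one whose owner the signer identified in person at the party, which is the basis for the `gpg --sign-key` that follows.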
wiki/ssl_cert.1272705224.txt.gz · Last modified: 2010/05/01 11:13 by rgareus