

linuxaudio.org - SSL Certificate Authority

Page in Progress – Preparing for LAC key signing session

SSL/Certificate

Motivation: linuxaudio.org serves as a certificate authority for the LAD community. This seems more useful than just having everyone sign their own certs.

Our root certificate: ca.crt (to be submitted to mozilla.org for inclusion in Firefox).

GPG/PGP key signing

Information for the GPG signing party at LAC2010: read Chapter 4, Preparing For The Party, for the tasks you (the participant) should complete. To sum it up:

Preparations - GPG key generation

  • Generate your key pair: gpg --gen-key
  • Modify your key if you want. For example if you have multiple email addresses and you want to list them as valid on your key:

bash$ gpg --list-secret-keys

/home/demo/.gnupg/secring.gpg
----------------------------
sec  1024D/C01BAFC3 2007-11-05 Demo User <demo@dublin.ie>
ssb  4096g/7A4087F3 2007-11-05
bash$ gpg --edit-key C01BAFC3
Command> help
Command> adduid
[...]
Command> save
  • Send your key to the keyserver:
bash$ gpg --keyserver <keyserver> --send-key <Your_Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)
  • Email your information to the coordinator, telling him/her that you're coming to the key signing party. The command below prints the information you need to send to the coordinator if you're using a keyserver. You can then send that information to the coordinator in an encrypted email message.
bash$ gpg --fingerprint  <Your_Key_ID>

Key-servers:

  • pool.sks-keyservers.net
  • subkeys.pgp.net
  • pgp.mit.edu
  • ldap://certserver.pgp.com
  • pgpkeys.pca.dfn.de:11371

Signing Keys

There are some easy-to-use GUIs for managing keys. For example:

  • gpgkeys,
  • Thunderbird/Icedove OpenPGP/Enigmail plugin

The manual way to sign keys is as follows:

  • Get a copy of the key: Normally, you'll be working from a keyserver. However, if you are signing a key that is not available on a keyserver, you can simply import the key with gpg --import. If you are working with a keyserver, the following command will download the key from the keyserver into your public keyring:
bash$ gpg --keyserver <keyserver> --recv-keys <Key_ID>

If you get a read error, it means the keyserver is overloaded. Please, try again in a few seconds.

  • Fingerprint and Verify the key
bash$ gpg --fingerprint <Key_ID>

GPG will print out the fingerprint of the key with <Key_ID> (the key you just downloaded). Check the fingerprint against the checklist that you were given at the party. Note: Don't check the fingerprint on your checklist against the fingerprint on the web page, as the server may not send you the same key it displays on the web page.

  • Sign the key
bash$ gpg --sign-key <Key_ID>

If you have multiple private keys, you can specify which of your private keys to sign the other person's public key with, like this:

bash$ gpg --default-key <Key_to_use> --sign-key <Key_ID>

If you have trouble dealing with RSA keys, you're probably using an old version of GnuPG. Versions of GnuPG older than 1.0.3 do not include RSA support. Note: You may have to uninstall an older version if your distribution installed it with package management software. You can check the version you're executing like this:

bash$ gpg --version
  • Return or upload the signed key: If you are working with an entity who does not want their key on a public keyserver, you should at this point return their signed key to them by their method of choice, normally encrypted email. You should not send a public key to a keyserver without the permission of the key's owner. Publicizing a public key slightly reduces the security of a key pair, therefore it is considered rude to make a key more public than its owner desires.

Most likely you are working with a keyserver. If that is the case, you can send the signed key back to the keyserver like this:

bash$ gpg --keyserver <keyserver> --send-key <Key_ID>

You should see a success message like this:

gpg: success sending to `<keyserver>' (status=200)

Congratulations, the signature of the other entity's key is now complete and your signature has been incorporated into their public key. A trust path has been established.
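The fingerprint-check-then-sign step described above, as an added example that is not part of the original wiki page: a small POSIX sh script that reads the fingerprint from gpg's machine-readable output and only runs --sign-key when it equals the fingerprint on the party checklist. It assumes gpg is installed; the key ID, the checklist fingerprint and the sample colon output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the linuxaudio.org wiki): check a downloaded key's
# fingerprint against the one on the paper checklist before signing it.
# Assumes gpg is on PATH; key IDs and fingerprints below are placeholders.

# Normalise a fingerprint as typed from the checklist: drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Pull the primary-key fingerprint out of gpg's machine-readable
# (--with-colons) output: it is field 10 of the first "fpr" record.
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches <checklist fingerprint> <colon output>: returns 0 only when
# the fingerprint gpg reports is exactly the one on the checklist.
fpr_matches() {
    _expected=$(normalize_fpr "$1")
    _actual=$(printf '%s\n' "$2" | extract_fpr)
    [ -n "$_expected" ] && [ "$_expected" = "$_actual" ]
}

# verify_and_sign <Key_ID> <checklist fingerprint>: ask gpg for its view of
# the key and only run --sign-key when the checklist fingerprint agrees.
verify_and_sign() {
    _colons=$(gpg --with-colons --fingerprint "$1") || return 1
    if fpr_matches "$2" "$_colons"; then
        echo "fingerprint matches checklist; signing $1"
        gpg --sign-key "$1"
    else
        echo "fingerprint MISMATCH for $1; refusing to sign" >&2
        return 1
    fi
}

# Constructed sample of --with-colons output (not a real key), used to
# exercise the matching logic without touching a keyring.
SAMPLE_COLONS='pub:u:1024:17:89ABCDEFC01BAFC3:2007-11-05:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFC01BAFC3:
uid:u::::2007-11-05::0000::Demo User <demo@dublin.ie>:'

# Usage: ./verify_and_sign.sh <Key_ID> "<fingerprint from checklist>"
if [ "$#" -eq 2 ]; then
    verify_and_sign "$1" "$2"
fi
```

A mismatch, including a single wrong character, makes the script exit non-zero without touching the key, so it can sit in front of the bulk signing of a party checklist.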

wiki/ssl_cert.1272805618.txt.gz · Last modified: 2010/05/02 15:06 by rgareus