CAcert and network security

Posted: 15/02/2011 in System Administration

Hi All,

From FOSDEM I returned with a checklist of things to look at and study. Today was the day dedicated to CAcert.

About CAs, I never spent much time, because it is easy to find a howto for creating a self-signed certificate. I saw CAs as a way to make money without selling anything, so I ignored them without too many problems.

The problem was born when I changed my default browser from Iceweasel to Chromium. The latter seems to enjoy reminding me that my certificate is not really valid, because the identity of my server cannot be validated. This annoying thing made me think about a way to solve it, possibly without spending money.

FOSDEM gave me the solution: CAcert.

As they explain, by joining the community you can get a CA-signed certificate for free. Obviously, you need to be the owner of the domain and the one who receives the email address stored in the whois database, but this shouldn't be a problem.

The procedure is very easy: first of all, you have to register yourself with the community. I suggest getting the client certificate to avoid all the login operations. To do that, use "Client Certification", and follow these instructions:

# Download the CAcert root and Class 3 certificates (URLs: see the CAcert site)
wget -O cacert-root.crt ""
wget -O cacert-class3.crt ""
# Import both CA certificates as trusted CAs (T = client auth, C = server auth)
# into Chromium's NSS database in $HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n " Class 3" -i cacert-class3.crt
# Import your own client certificate (nickname and file name are placeholders)
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "MyCert" -i mycert.crt

MyCert and mycert.crt are placeholders :). The .crt file is taken from the CAcert site.

Now we can start with the server certificate: first of all you have to create your private key and certificate signing request (CSR).

# Generate a 2048-bit RSA key (unencrypted, -nodes) and the CSR in one step
openssl req -newkey rsa:2048 -subj / -nodes -keyout mytest_key.pem -out mytest_csr.pem

After that, you've got two files: mytest_key.pem and mytest_csr.pem. The first is strictly private, so store it in a folder readable only by the Apache user (the one who runs the Apache daemon). Usually that folder is /etc/ssl/private.

With mytest_csr.pem, you have to get it signed, so go to Server Certificates on the CAcert site and fill in the box with the content of the file (all bytes; do not forget the header and footer lines).

Submit the form and store the result in a file, called for example mytest_cert.pem. This is the signed certificate!!

Store it in the well-known folder (on Debian) /etc/ssl/certs.

Configuring Apache is the last step. Before proceeding, take a look at the Apache documentation for mod_ssl.

The following is a dummy example:

<VirtualHost *:443>
    SSLEngine on
    # "all" alone would also enable SSLv2 and SSLv3; exclude them explicitly
    SSLProtocol all -SSLv2 -SSLv3
    # the certificate signed by CAcert
    SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
    # the private key generated with openssl req (readable only by the Apache user)
    SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
    # the CAcert Class 3 intermediate, so that clients can build the chain
    SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
</VirtualHost>

The last file (cacert-class3.crt) is the file you downloaded before; it is enough to copy it into the correct folder.

Check the Apache configuration with

apache2ctl -t

and then restart Apache.
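Before restarting Apache it is worth checking that the certificate you got back actually belongs to the key you generated and that it chains to the CA file you will serve, because mod_ssl will happily start with a mismatched pair and fail only at the first handshake. The script below is an added example, not part of the original post or of CAcert's tooling: it creates the key and CSR the way the post does, simulates the CA's signing step with a throw-away "stand-in CA" (in the real flow you paste the CSR into CAcert's Server Certificates form and the chain file is cacert-root.crt and cacert-class3.crt concatenated), and then runs the two checks. All file names and the www.example.com name are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate key + CSR, then check the
# signed certificate against the key and the CA bundle before Apache loads it.
# The "stand-in CA" only simulates the signing step that CAcert performs.
set -eu

# Create the private key under umask 077 so it is never world-readable, not
# even between creation and a later chmod; on Debian it belongs in /etc/ssl/private.
make_key_and_csr() {
    key=$1; csr=$2; cn=$3
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr"
}

# Stand-in for the CA (constructed for this example): a self-signed CA cert and
# key in $dir, used only to sign our CSR locally.
make_standin_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Stand-in CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 2>/dev/null
}
sign_with_standin_ca() {
    dir=$1; csr=$2; cert=$3
    openssl x509 -req -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$cert" -days 30 2>/dev/null
}

# Check 1: SSLCertificateFile must carry the same public key as
# SSLCertificateKeyFile. Compare SHA-256 digests of the two public keys and
# print "match" or "MISMATCH" so the result is usable from scripts.
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Check 2: the certificate must verify against the CA bundle that will be
# served as SSLCertificateChainFile. Prints "ok" or "FAIL".
chain_ok() {
    ca_bundle=$1; cert=$2
    openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1 && echo ok || echo FAIL
}

# End-to-end run in a scratch directory: a key that matches its certificate, a
# second key that does not, and an unrelated CA that must fail the chain check.
# Prints: match MISMATCH ok FAIL
run_demo() {
    d=$(mktemp -d)
    make_standin_ca "$d"
    make_key_and_csr "$d/mytest_key.pem" "$d/mytest_csr.pem" www.example.com
    sign_with_standin_ca "$d" "$d/mytest_csr.pem" "$d/mytest_cert.pem"
    make_key_and_csr "$d/other_key.pem" "$d/other_csr.pem" www.example.com
    mkdir "$d/other_ca"; make_standin_ca "$d/other_ca"
    printf '%s %s %s %s\n' \
        "$(key_matches_cert "$d/mytest_key.pem" "$d/mytest_cert.pem")" \
        "$(key_matches_cert "$d/other_key.pem"  "$d/mytest_cert.pem")" \
        "$(chain_ok "$d/ca.crt"          "$d/mytest_cert.pem")" \
        "$(chain_ok "$d/other_ca/ca.crt" "$d/mytest_cert.pem")"
    rm -rf "$d"
}
```

Against a real deployment you would call only the two check functions, e.g. key_matches_cert /etc/ssl/private/mytest_key.pem /etc/ssl/certs/mytest_cert.pem and chain_ok with the concatenated root and class3 file, and refuse to restart Apache on anything other than "match" and "ok".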

