Posts Tagged ‘security’

Read full article following this link:
Microsoft patches 1990s-era ‘Ping of Death’


Hi All,

From FOSDEM I came back with a checklist of things to look at and study. Today was the day for CAcert.

I never spent much time on CAs, because a howto for creating a self-signed certificate is easy to find. I saw a CA as a way to make money without selling anything, so I ignored them without much trouble.

The problem started when I changed my default browser from Iceweasel to Chromium. Chromium seems to enjoy reminding me that my certificate is not really valid, because the identity of my server cannot be verified. This annoyance made me look for a way to fix it, preferably without spending money.

FOSDEM gave me the solution: CAcert.

As they explain, by joining the community you can get a CA-signed certificate for free. Obviously you need to own the domain and be the one who receives mail at the address stored in the whois database, but that shouldn’t be a problem.

The procedure is very easy. First of all, register yourself with the community. I suggest getting a client certificate, so you can skip the login form from then on. To do that, use “Client Certification” and follow these instructions:

# fetch the CAcert root and Class 3 intermediate certificates
wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt"
wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt"
# add them to Chromium's NSS database (-A) as CAs trusted to issue client and server certificates (-t TC)
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
# import your own client certificate under a nickname (-n) of your choice
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "MyCert" -i mycert.crt

MyCert and mycert.crt are placeholders :). The .crt file is downloaded from the CAcert site.

Now we can start with the server certificate: first of all you have to create your private key and the certificate signing request.

# 2048-bit RSA key (left unencrypted by -nodes, so Apache can start unattended) plus a CSR for the server name
openssl req -newkey rsa:2048 -subj /CN=my.test.com -nodes -keyout mytest_key.pem -out mytest_csr.pem

After that you have two files: mytest_key.pem and mytest_csr.pem. The first is strictly private, so store it in a private folder accessible only to the user who runs the Apache daemon. On Debian that folder is usually /etc/ssl/private.

mytest_csr.pem has to be signed: go to Server Certificates on the CAcert site and paste the content of the file into the box (the whole file, header and footer lines included).

Submit the form and save the result to a file, called for example mytest_cert.pem. This is the signed certificate!!

Store it in the well-known folder (on Debian) /etc/ssl/certs.
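As an added example (this is not code from the original post), the key/CSR step above as a small shell script, with the key created owner-readable only, followed by the checks worth running on the certificate CAcert hands back before Apache is pointed at it: that the certificate belongs to the key you generated, that it verifies up to the CA file you will serve, and that its CN is the ServerName. It needs the openssl command-line tool; my.test.com and the mytest_*.pem names are the post's placeholders, and the self-signed CA built in demo() is a constructed stand-in for CAcert so the checks can run offline.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's key/CSR step with
# owner-only key permissions, plus the checks worth running on the certificate
# CAcert hands back before Apache is pointed at it. Needs the openssl CLI.
# my.test.com and the mytest_*.pem names are the post's placeholders; the
# self-signed CA built in demo() is a constructed stand-in for CAcert so the
# checks can run offline, and must never be trusted by a real client.
set -u

# make_csr <common-name> <key-out> <csr-out>
# umask 077 makes the key owner-only from the moment it is written; the CSR
# holds no secret, so it may be world-readable for pasting into the CAcert form.
make_csr() {
    ( umask 077 && openssl req -newkey rsa:2048 -subj "/CN=$1" -nodes \
          -keyout "$2" -out "$3" 2>/dev/null ) || return 1
    chmod 644 "$3"
}

# cert_matches_key <cert.pem> <key.pem>: true when the certificate carries the
# public key derived from this private key (a stale or swapped file is the
# usual cause of a "key values mismatch" error at Apache start-up)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_chains_to <cert.pem> <root.crt> [intermediate.crt]: true when the
# certificate verifies up to root.crt, optionally through the intermediate that
# Apache will serve as SSLCertificateChainFile
cert_chains_to() {
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# cert_cn <cert.pem>: the subject CN, which must equal Apache's ServerName
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# demo: runs the whole flow against a throwaway CA in a temp dir; returns 0 when
# every check behaves as expected. A subshell body so the EXIT trap cleans up.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    # constructed test CA standing in for CAcert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca_key.pem" -out "$d/ca.crt" 2>/dev/null || exit 1
    make_csr my.test.com "$d/mytest_key.pem" "$d/mytest_csr.pem" || exit 1
    # the signing CAcert does on the pasted CSR, performed here by the test CA
    openssl x509 -req -days 1 -in "$d/mytest_csr.pem" -CA "$d/ca.crt" \
        -CAkey "$d/ca_key.pem" -CAcreateserial -out "$d/mytest_cert.pem" 2>/dev/null || exit 1
    openssl genrsa -out "$d/other_key.pem" 2048 2>/dev/null || exit 1   # unrelated key

    [ -n "$(find "$d/mytest_key.pem" -perm 600)" ] || { echo "key is not mode 0600"; exit 1; }
    cert_matches_key "$d/mytest_cert.pem" "$d/mytest_key.pem" || { echo "cert/key mismatch"; exit 1; }
    if cert_matches_key "$d/mytest_cert.pem" "$d/other_key.pem"; then echo "mismatch not caught"; exit 1; fi
    cert_chains_to "$d/mytest_cert.pem" "$d/ca.crt" || { echo "chain does not verify"; exit 1; }
    [ "$(cert_cn "$d/mytest_cert.pem")" = my.test.com ] || { echo "CN differs from ServerName"; exit 1; }
    echo "all checks passed"
)

demo
```

On a real host you would call cert_matches_key on /etc/ssl/certs/mytest_cert.pem and /etc/ssl/private/mytest_key.pem, and cert_chains_to with cacert-root.crt as the root and cacert-class3.crt as the intermediate, since the Class 3 file is what Apache serves and the root is what the client already trusts.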

Configuring Apache is the last step. Before proceeding, take a look at the Apache documentation for mod_ssl.

The following is a dummy example:

<VirtualHost *:443>
    ServerName my.test.com
    SSLEngine on
    # every protocol this mod_ssl build supports, SSLv2/SSLv3 included on old builds
    SSLProtocol all
    # OpenSSL cipher string: HIGH- and MEDIUM-strength suites
    SSLCipherSuite HIGH:MEDIUM
    # the certificate signed by CAcert and its private key
    SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
    # the CAcert Class 3 intermediate, sent to clients so they can build the chain to the root
    SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
    ...
</VirtualHost>


The last file (cacert-class3.crt) is the one you downloaded earlier; it is enough to copy it into the right folder.
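An added example, not part of the original post: a static audit of the mod_ssl directives in a vhost like the dummy one above, run over that dummy vhost (reproduced as constructed input) and over a hardened version of it. It checks for SSLProtocol settings that leave SSLv3 on, weak or anonymous cipher groups, a missing SSLHonorCipherOrder, a key stored outside /etc/ssl/private and a missing chain file. It assumes Apache 2.4 directive names and the Debian layout the post uses; the weak-group list and the path rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: a static audit of the mod_ssl
# directives used in the dummy vhost above. It assumes Apache 2.4 directive
# names and the Debian layout from the post (private keys under
# /etc/ssl/private); the two sample vhosts at the bottom are constructed input.

# directive <name>: value of the first (case-insensitive) occurrence of that
# directive in the config text held in $CONF, empty if absent
directive() {
    printf '%s\n' "$CONF" | grep -i "^[[:space:]]*$1[[:space:]]" | head -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//'
}

finding() { echo "  - $1"; n=$((n + 1)); }

# audit_ssl_config <config-text>: prints one line per weakness found and
# returns their count, so 0 means clean
audit_ssl_config() {
    CONF=$1; n=0

    proto=$(directive SSLProtocol)
    if [ -z "$proto" ]; then
        finding "SSLProtocol not set"
    # 'all', or an SSLv2/SSLv3 keyword not prefixed with '-', without a '-SSLv3'
    elif printf ' %s ' "$proto" | grep -qiE ' \+?(all|SSLv2|SSLv3) ' \
         && ! printf '%s' "$proto" | grep -qi -- '-SSLv3'; then
        finding "SSLProtocol '$proto' leaves SSLv3 enabled"
    fi

    cs=$(directive SSLCipherSuite)
    if [ -z "$cs" ]; then
        finding "SSLCipherSuite not set"
    else
        # each ':'-separated alias that names a weak group and is not negated with '!'
        for tok in $(printf '%s' "$cs" | tr ':' ' '); do
            case "$tok" in
                MEDIUM|LOW|EXPORT|NULL|aNULL|eNULL|ADH|RC4|MD5|DES|3DES)
                    finding "SSLCipherSuite enables weak group '$tok'" ;;
            esac
        done
        # HIGH on its own still admits anonymous DH/ECDH suites
        case "$cs" in
            *'!aNULL'*) ;;
            *) finding "SSLCipherSuite does not exclude anonymous (aNULL) suites" ;;
        esac
    fi

    [ "$(directive SSLHonorCipherOrder | tr '[:upper:]' '[:lower:]')" = on ] \
        || finding "SSLHonorCipherOrder is not 'on' (the client picks the cipher)"

    key=$(directive SSLCertificateKeyFile)
    case "$key" in
        "")                 finding "SSLCertificateKeyFile not set" ;;
        /etc/ssl/private/*) ;;
        *)                  finding "private key '$key' is outside /etc/ssl/private" ;;
    esac

    [ -n "$(directive SSLCertificateChainFile)" ] \
        || finding "SSLCertificateChainFile missing: clients cannot build the path to the CAcert root"

    return "$n"
}

# the post's dummy vhost, reproduced as constructed sample input
WEAK_CONF='<VirtualHost *:443>
    ServerName my.test.com
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
    SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
</VirtualHost>'

# the same vhost with the weak settings corrected
HARDENED_CONF='<VirtualHost *:443>
    ServerName my.test.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/ssl/certs/mytest_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/mytest_key.pem
    SSLCertificateChainFile /etc/ssl/certs/cacert-class3.crt
</VirtualHost>'

echo "dummy vhost from the post:"; audit_ssl_config "$WEAK_CONF"     || echo "  ($? findings)"
echo "hardened vhost:";            audit_ssl_config "$HARDENED_CONF" && echo "  clean"
```

Run it against your own vhost file with audit_ssl_config "$(cat /etc/apache2/sites-enabled/my.test.com.conf)". On Apache 2.4.8 and later SSLCertificateChainFile is obsolete and the intermediate is appended to the SSLCertificateFile instead; the audit keeps the post's directive because that is what the dummy vhost uses.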

Check the Apache configuration with

apache2ctl -t

and then restart it.
Enjoy.