Flexion.Org
Bad grammar and typos for total strangers

Get A Server Certificate from CACert.org

1.   Introduction
1.1   Install common CA certificates
1.2   Signup at CAcert.org
1.3   Get the Certificate Signing Request Generator
1.4   Create a Private TLS
1.5   Verify the content of your request
1.6   Send your public key to be signed by CAcert.org authority
1.7   Save your server certificate
1.8   Test your server certificate

Introduction

I wanted to add TLS/SSL capability to Lighttpd, vsftpd, Postfix, Dovecot, etc., and also use CACert.org to sign my certificates. This is still to be refined but is essentially accurate.

Install common CA certificates

 aptitude install ca-certificates

Signup at CAcert.org

Once you have registered, you need to add your domain (example.org, for example) and then verify the domain addition from the email that gets sent out.

Get the Certificate Signing Request Generator

 wget http://svn.cacert.org/CAcert/CSRGenerator/csr -O /usr/local/sbin/csr.sh
 chown root:root /usr/local/sbin/csr.sh
 chmod 750 /usr/local/sbin/csr.sh

Create a Private TLS

I am making a wildcard certificate here. There are potential issues with this; I have not completed all the testing to see what issues this may throw up.

 /usr/local/sbin/csr.sh

Sample

 Short Hostname (ie. imap big_srv www2): flexion
 FQDN/CommonName (ie. www.example.com) : *.flexion.org
 Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
 SubjectAltName: DNS:*.flexion.org
 SubjectAltName: DNS:

The Certificate request is also available in '/root/flexion_csr.pem'. The Private Key is stored in '/root/flexion_privatekey.pem'.

Move the files, change the ownership and permissions...

 mv /root/flexion_privatekey.pem /etc/ssl/private
 chown root:ssl-cert /etc/ssl/private/flexion_privatekey.pem
 chmod 640 /etc/ssl/private/flexion_privatekey.pem

Verify the content of your request

You should also verify the content of the request with

 openssl req -in /root/flexion_csr.pem -text -verify -noout

before sending it.

Send your public key to be signed by CAcert.org authority

Request a new server certificate from the CAcert.org web site. When you are asked for the CSR, paste the content of '/root/flexion_csr.pem' into the box.

Save your server certificate

Copy the certificate from the web page and put it in the '/etc/ssl/certs/flexion_certificate.pem' file. Remember to do...

 chown root:root /etc/ssl/certs/flexion_certificate.pem
 chmod 444 /etc/ssl/certs/flexion_certificate.pem

...so that everybody can read it. You can check the contents of this file with...

 openssl x509 -in /etc/ssl/certs/flexion_certificate.pem -text -noout

At the very least, check the Validity and Subject fields.

Test your server certificate

You should test your server certificate like this:

 openssl verify /etc/ssl/certs/flexion_certificate.pem

If everything is working, you should see "OK", for example:

 /etc/ssl/certs/flexion_certificate.pem: OK

$Id: GetServerCertificateFromCACert,v 1.7 2008/08/11 14:40:48 martin Exp $
