SSL Part 2: CAcert Introduction
CAcert is a community-driven Certificate Authority issuing free certificates with no hidden or implied charges. They are a worldwide team of professionals fighting for individuals' right to Internet security through the use of encryption.
CAcert offer a wide range of certificates; for example you can obtain one for use with your email program to encrypt your mail and prove to friends and family that your email really does come from you. Ever wanted to protect your POP3, SMTP and IMAP connections? Then take a look at their site. Perhaps you are after a wildcard certificate; they also have that covered.
We are interested in server security and obtaining a server certificate. Interestingly, I came across a statement that they don't limit the strength of certificates; not true, they do! The minimum key strength you can request is 1024 bits; the upper limit is dictated by the processing power of the end-user device. For example, a very strong 4096-bit encryption key is probably too much for a PDA to handle.
There are several alternatives; search the Internet for free CAs. Two worth looking at are Thawte and Comodo. It's difficult to make a recommendation; always read the small print. In particular check the renewal period, which can vary from three to six months. Everyone has different requirements, hence it is worth doing a little research.
For this write-up I chose CAcert: their certificates are genuinely free and they enforce a rigorous validation system.
That said, the process is not difficult to use; it is fully automated, and if you make a mistake there is no need to feel intimidated, just have another go.
The process really is easy to use; however, if you have problems that you cannot resolve, send CAcert a support request. Don't be surprised at a quick and friendly response; that's the way they work.
For new users there are three steps required to obtain a signed certificate:
- Join CAcert: fill in their online registration form. On successful completion an email will be sent to the address you supplied. To confirm you originated the request, click the link contained in the email.
- With your account active, log in and register the domain name you require a certificate for. This requires you to have a mail server running at that domain address. Validation is performed using a mail probe. On detecting your mail server, a confirmation email is sent to that server's email address. This email contains a link you must click within two days; you are taken to a secure page where you complete the validation process by clicking on the confirmation link.
- Obtaining a signed certificate is straightforward: copy-paste your CSR into the online form and click the submit button; your certificate is automatically signed and displayed. Copy this certificate into your server certificate file (server.crt) and that's it, done. A confirmation email will be sent to your registration address.
Note 1: Once you have registered you only need to repeat steps 2 and 3 for each domain you require a certificate for.
Note 2: You are dealing with a Unix system that does not tolerate sloppy and insecure passwords; give this some thought before registration (see details below). In addition, the process assumes you run a Unix box and inherently have a mail server running, hence the reason for installing hMailServer.
Note 3: After updating your server certificate, Apache requires restarting to pick up the new information.
Step 1) Join CAcert
You can find CAcert at http://www.cacert.org/; to register, click the "Join" link at the top right of the page.
The concept of long random passwords (a pass phrase) is probably alien to most Windows users. Don't even think about something like fred123, because that will get you nowhere. A secure pass phrase is essential; once you know what is required it's not that difficult to create. Follow the notes below and you should have no problems.
Once the system accepts your form, a confirmation email will be sent to your registration email address. This email contains a link; clicking it confirms acceptance and completes your registration.
The following provides a little more detail:
Registration form main fields
Note 1: Your registration email address is used after successfully creating a signed certificate: a confirmation email is sent, which you can ignore or click the link in to pick up your certificate, though I am sure you will have already copied it! This email strikes me as an additional security feature: check the link and make sure it corresponds to a certificate you requested for signing; if not, contact CAcert immediately.
Step 2) Registering a domain
A signed certificate contains one very important verifiable piece of information, and that's the domain name. A domain name is unique; CAcert verifies your control of it using an email probe that contacts a mail server associated with that domain name. All domains you require a signed certificate for must first be verified; the following details that process.
1) Login
Go to CAcert's home page; to the right, under My Account, click Password Login.
At the login page enter your Email Address and Pass Phrase, then click Login.
2) Add new Domain
To the right, expand the Domains menu and click Add.
3) Enter a Domain Name
Enter the domain name you wish to verify (mpg123.no-ip in this example) and click Add.
Note: Make sure your email server is running before clicking Add.
4) Select Email Account
Select one of the standard email accounts.
Our hMailServer uses the account postmaster, hence that was selected.
Click Probe (this starts the verification process).
5) Verification - by CAcert
After a short time the message shown on the right will be displayed. This confirms the probe was successful.
Note: The email was sent to your email server and NOT to your registration email address.
The domain ‘mpg123.no-ip.org’ has been added to the system, however before any certificates for this can be issued you need to open the link in a browser that has been sent to your email address
6) Verification - by You
After either clicking the link or copying it into your browser address bar, a page is displayed with three options, as shown on the right.
Click Yes verify this domain.
7) Verification Complete
After clicking the link your verified domain name is stored in a database ready for use.
8) View Verified Domains
In step 2) you can click View; this displays all domains that have been verified.
Good housekeeping: remember to delete any unused domains.
The domain name verification process requires an email server associated with the domain name. This can be an email server running on your PC as described above.
The alternative is to point your domain's MX records to some other mail server that you use. Free accounts such as DynDNS and No-IP do not allow you to change MX records. This is not a problem, because the SMTP protocol defaults to using the domain name itself should an MX record not exist; all that means is that you must have a mail server running on your PC.
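The MX fallback described above is what lets the probe reach a mail server on your own PC. The following is an added example (not code from the original article or from CAcert) that implements the SMTP target selection rule: MX records in preference order, otherwise the domain name itself as the implicit MX. The DNS zone data and the `lookup()` helper are constructed for the demonstration and stand in for a real resolver.

```python
# Added example: which host an SMTP client (or a CA's mail probe) connects to
# for mail addressed to a given domain, following RFC 5321 section 5.1.
# The zone below is constructed for this demo; a real resolver would replace lookup().
from typing import Dict, List, Tuple

MXRecord = Tuple[int, str]  # (preference, mail exchanger host)

# Constructed zone data: name -> {record type: [values]}
DEMO_ZONE: Dict[str, Dict[str, list]] = {
    # Dynamic-DNS style name: only an A record, no MX at all
    "mpg123.no-ip.org": {"A": ["203.0.113.10"]},
    # Hosted domain with two MX records, deliberately listed out of order
    "example.net": {"MX": [(20, "mx2.example.net"), (10, "mx1.example.net")],
                    "A": ["198.51.100.5"]},
    # "Null MX" (RFC 7505): the domain explicitly accepts no mail
    "nomail.example": {"MX": [(0, ".")]},
}


def lookup(zone: Dict[str, Dict[str, list]], name: str, rtype: str) -> list:
    """Stand-in for a DNS query: return the records of type rtype for name."""
    return zone.get(name, {}).get(rtype, [])


def smtp_targets(domain: str, zone=DEMO_ZONE) -> List[str]:
    """Hosts an SMTP client would try, in order, for mail to user@domain."""
    mx: List[MXRecord] = lookup(zone, domain, "MX")
    if mx:
        # A lone MX with target "." is a null MX: no mail is accepted.
        if len(mx) == 1 and mx[0][1] == ".":
            return []
        # Lowest preference value is tried first.
        return [host for _pref, host in sorted(mx, key=lambda r: r[0])]
    # No MX published: the domain name itself is the implicit MX, provided it
    # resolves. This is why a mail server on the PC behind a DynDNS/No-IP name
    # receives the validation probe without any MX record being set.
    if lookup(zone, domain, "A") or lookup(zone, domain, "AAAA"):
        return [domain]
    return []


def probe_reaches_domain_host(domain: str, zone=DEMO_ZONE) -> bool:
    """True when the probe's first delivery target is the domain name itself."""
    targets = smtp_targets(domain, zone)
    return bool(targets) and targets[0] == domain
```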
The registration process is relatively easy, as is domain validation. Obtaining a signed certificate, you will be pleased to know, is very quick and painless; I cover this on the next page.