SSL Part 2: CAcert Introduction

From The Uniform Server Wiki
Jump to navigation Jump to search

MPG UniCenter

SSL Part 2: Home | Lock Down | No IP | hMailServer | Config hMailServer | PHP mail function | Generate CSR | CAcert | CAcert Signing Process

CAcert
Signed Certificate Project
Uniform Server 3.5-Apollo

Uc intro cacert.gif

CAcert is a community driven Certificate Authority issuing free certificates with no hidden or implied charges. They are a worldwide team of professionals, fighting for individuals right to Internet security through the use of encryption.

CAcert offer a wide range of certificates, for example you can obtain one for use with your email program to encrypt and prove to friends and family your email really does come from you. Ever wanted to protect your POP3, SMTP and IMAP connections then take a look at their site or perhaps you are after a wild card certificate they also have that covered.

We are interested in server security and obtaining a server certificate, interestingly I came across a statement that they don't limit the strength of certificates, not true they do! OK the minimum strength you can request is 1024, upper limit is dictated by the processing power of an end user device for example a PDA’s ability to deal with a very strong encryption key of 4096 is probably too high.

Alternatives

There are several alternatives search the Internet for free CA’s, two worth looking at are Thawte and Comodo. It’s difficult to make a recommendation always read the small print. In particular check the renewal period this can vary from three to six months. Everyone has different requirements hence worth doing a little research.

Validation

For this write-up I choose CAcert their certificates are genuinely free and they force a rigorous validation system on you.

That said the process is not difficult to use, it is fully automated, if you make a mistake no need to feel intimidated just have another go.

The process really is easy to use however if you have problems that you cannot resolve send CAcert a support request. Don’t be surprised at a quick and friendly response that’s the way they work.

Top

Process Overview

For new users there are three steps required to obtain a signed certificate:

  1. Join CAcert; fill in their online registration form. On successful completion an email will be sent to the address you supplied. To confirm you originated the request click the link contained in the email.
  2. With your account active, login and register the domain name you require a certificate for. This requires you to have a mail server running at that domain address. Validation is performed using a mail probe. On detecting your mail server a conformation email is sent to that server’s email address. This email contains a link you must click within two days; you are taken to a secure page, complete the validation process by clicking on the confirmation link.
  3. Obtaining a signed certificate is straightforward copy-paste your CSR into the on-line form. Click the submit button; your certificate is automatically signed and displayed, copy this certificate into your server certificate file (server.crt) that’s it done. A conformation email will be sent to your registration address.

Note 1: Once you have registered you only need to repeat steps 2 and 3 for each domain you require a certificate for.

Note 2: You are dealing with a Unix system that does not tolerate sloppy and insecure passwords give this some though before registration see details below. In addition the process assumes you run a Unix box and inherently have a mail server running hence the reason for installing hMailServer.

Note 3: After updating your server certificate Apache requires re-starting to pick-up the new information.

Top

Step 1) Join CAcert

You can find CAcert at http://www.cacert.org/, to register click the “Join” link, top right of page.

The concept of long random passwords (pass phrase) is probably alien to most Windows users don’t even think about something like fred123 because that will get you no where. A secure pass phrase is essential once you know what is required it’s not that difficult to create, follow the notes below and you should have no problems.

Once the system accepts your form a conformation email will be sent to your registration email address. This email contains a link clicking it confirms acceptance and completes your registration.

The following provides a little more detail:

Registration form main fields

Uc 1 cacert reg form.gif

Comments regarding registration form

Creating a valid pass phrase is probably the most difficult part of registration for guidance they provide an example. The eight steps shown below will help in creating a valid pass phrase.

Remainder of the form is straightforward and should not present a problem.

If you cannot remember your pass phrase it can be retrieved. The system will present you with a question and answer scenario. It’s a random question taken from the five questions and responses you supply. Don’t go over the top keep them simple.

Password (Pass Phrase)
  1. Shall not contain your name or part of your name
  2. Shall not contain your email or part of your email
  3. Shall contain at least 1 lower case letter
  4. Shall contain at least 1 upper case letter
  5. Shall contain at least 1 space (hence the term phrase)
  6. Shall contain at least one symbol
  7. Shall not contain an English word
  8. Shall have a minimum of 15 characters (30 or more ideal)

Note 1: Your registration email address is used after successfully creating a signed certificate. A confirmation email is sent, you can ignore this or click the link to pick-up your certificate, I am sure you will have already copied your certificate! This email strikes me as an additional security feature, check the link and make sure it corresponds to a certificate you requested for signing if not contact CAcert immediately.

Note 2: Important before signing-up please take time and read CAcert’s Privacy policy and Community Agreement as a member you need to known what your commitments and rights are. You are joining a professional organisation and they expect this to be precipitated, benefiting the community as a whole.

Top

Step 2) Registering a domain

A signed certificate contains one very important verifiable piece of information and that’s the domain name. A domain name is unique, CAcert verifies this using an email probe to access a mail server associated with that domain name. All domains you require a signed certificate for must first be verified, the following details that process.

1) Login

Go to CAcert's home page, to the right under under My Account click Password Login

At the login page enter your Email Address and Pass Phrase click Login.

Uc cacert ca1.gif

2) Add new Domain

To the right expand the Domains menu click on Add

Uc cacert ca2.gif

3) Enter a Domain Name

Enter the domain name (mpg123.no-ip) you wish to verify and click Add

Note: Make sure your email server is running before clicking Add.

Uc cacert ca3.gif

4) Select Email Account

Select one of the standard email accounts.

Our hMailServer uses the account postmaster hence that was selected.

Click Probe (This start the verification process)

Uc cacert ca4.gif

5) Verification - by CAcert

After a short time the message shown on the right will be displayed. This confirms the probe was successful.

Note: The email was sent to your email server and NOT your registration email address.

The domain ‘mpg123.no-ip.org’ has been added to the system, however before any certificates for this can be issued you need to open the link in a browser that has been sent to your email address

6) Verification - by You

After either clicking the link or copying it in to your browser address bar a page is displayed with three options as shown on the right.

Click Yes verify this domain.

Uc cacert ca5.gif

7) Verification Complete

After clicking the link your verified domain name is stored in a database ready for use.

Uc cacert ca6.gif

8) View Verified Domains

In step 2) you can click view, this displays all domains that have been verified.

Good house keeping, remember to delete any unused domains.

Uc cacert ca7.gif

Top

General Notes

The domain name verification process requires an email server associated with the domain name. This can be an email server running on your PC as described above.

The alternative is to point your domain MX records to some other mail server that you use. Free accounts such as DnyDNS and No-IP do not allow you to change MX records, this is not a problem because the SMPT protocol defaults to using the domain name should an MX record not exist, all that means is you must have a mail server running on your PC.

Summary

The registration process is relatively easy as is domain validation. Obtaining a signed certificate you will be please to know is very quick and painless, this I cover on the next page.

Top


Uc small logo.gif Ric