SSL Part 2: CAcert Signing Process
With our domain verified and the CSR (certificate signing request) created, it's time to look at CAcert's signing process. In reality it is just a two-way copy-and-paste exercise. The following is a continuation from the previous page, hence the section numbering.
Step 3) Signing Process
The file server.csr is the CSR (certificate signing request); it contains our public key and the details (in particular the CommonName) we want in the server certificate, but no CA signature yet. The following provides the detailed steps required to get it signed at CAcert:
1) Login
Go to CAcert's home page; to the right, under My Account, click Password Login.
At the login page enter your Email Address and Pass Phrase, then click Login.
2) New Certificate
To the right, expand the Server Certificates menu and click New.
3) Paste CSR into form
Using a text editor, open the file server.csr located in the folder:
and copy its entire contents (including the BEGIN and END lines) into the form shown on the right.
Click Submit; this starts the signing process.
4) Request for confirmation
The details in your CSR are checked; CAcert strips every subject field other than the CommonName, so only that is shown.
Confirm this is correct by clicking Submit.
5) Certificate generation
After a short time your signed certificate is displayed and a confirmation email is sent to your registration email address.
Using a text editor, open the file server.crt (Location: *\Uniform Server\udrive\usr\local\apache2\conf\ssl.crt ) and delete its contents.
Copy your signed server certificate (see right) into it and save.
For the certificate to take effect, restart your server (Apache reads the certificate file only at start-up).
6) Viewing Certificates
In step 2) you can click View instead of New; this displays all the certificates you own.
Clicking on the Common Name will display the certificate.
Check a certificate's box and click Renew or Revoke/Delete to maintain your certificates.
Obtaining a signed certificate really is that easy: copy and paste twice.
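The two copy-and-paste steps are where mistakes happen (wrong CSR pasted, key regenerated in between, old content left in server.crt), and Apache only tells you at the next restart. The following is an added shell example, not from this page and not CAcert's or Uniform Server's own tooling, that checks the CommonName in server.csr before step 3 and checks the returned certificate against server.key before step 5. It assumes the openssl command-line tool is on PATH (the same openssl commands work from the Uniform Server command prompt); the "signed" certificate it produces is a self-signed stand-in so the script runs offline, whereas in real use server.crt is what CAcert gives you.

```shell
#!/bin/sh
# Added example (not part of the Uniform Server wiki or CAcert's tooling):
# sanity checks around the CSR paste-in and the certificate paste-out.
# Assumes the openssl CLI is on PATH. Filenames match the page (server.key,
# server.csr, server.crt); directories are illustrative.
set -eu

# Common Name in a CSR. CAcert keeps only the CN from the subject, so this is
# the one field worth checking before clicking Submit. RFC2253 output looks
# the same across openssl versions ("subject=O=...,CN=www.example.com").
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Common Name in a signed certificate (same extraction, different command).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does the public key inside the signed certificate match the private key
# Apache will load? Compares SHA-256 of the DER-encoded public keys.
# A mismatch otherwise only shows up as a start-up or TLS handshake failure.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    crt_fp=$(openssl x509 -in "$2" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$key_fp" = "$crt_fp" ]
}

# Build demo input in directory $1: a key + CSR as on the previous page,
# a stand-in "signed" certificate, and an unrelated key to show a mismatch.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com/O=Example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # Stand-in for the certificate CAcert returns: self-signed, valid 1 day.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 1 \
        -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_files "$dir"
    echo "CSR  CN: $(csr_common_name "$dir/server.csr")"
    echo "Cert CN: $(cert_common_name "$dir/server.crt")"
    if key_matches_cert "$dir/server.key" "$dir/server.crt"; then
        echo "server.key matches server.crt: safe to paste into ssl.crt"
    fi
    if ! key_matches_cert "$dir/other.key" "$dir/server.crt"; then
        echo "other.key does NOT match server.crt (expected)"
    fi
    # -checkend 0 exits non-zero once the certificate has expired.
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
        && echo "certificate is within its validity period"
    rm -rf "$dir"
}

demo
```

Run the CN check on your real server.csr before pasting it, and the key/certificate check on the file CAcert returns before you overwrite server.crt; if the second check fails, the certificate was issued for a different CSR than the key Apache is configured with.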
Real world experience
I have included this section because things do not always run smoothly, and when this happens you need support. I was extremely impressed with CAcert's support team and would like to express my thanks to Teus and Philipp.
The registration process was relatively easy, though I confess to having several attempts at a valid pass phrase.
My first experience obtaining a signed server certificate: I originally used my registered domain name and pointed the MX records to my ISP's mail server; the whole process ran flawlessly.
My real goal was to use a free dynamic IP service such as DynDNS or No-IP. This requires running a local mail server, and that's where I had some problems. Verification failed using OM3; thinking CAcert blocked the above services, I put in a support request and found they don't. OM3 is still in beta, hence I tried Mercury mail transport as an alternative. This passed the mail probe test, however I noticed a few strange characters in the confirmation link. I removed these and obtained validation.
Thinking there was a problem, I sent in another support request; the reply and solution were fast and spot on. This is where I became a little red-faced: I was not using a mail client for reading the email. Being lazy, I used a text editor to directly pick up the information from the account file, whoops, including those strange (MIME) characters. From the sparse information I sent CAcert support, they suggested I use a mail client; spot on, they probably realised what I had done. I checked using a mail client, confirming my problems were self-inflicted. Note for XAMPP users: you will have no problems using Mercury mail transport.
Wanting the whole process sequence to be a smooth and uneventful experience when using Uniform Server, I decided to include hMailServer. That decision was correct: it installed with no problems, is easy to set up and sits there working. One side effect! I could not resist the temptation to play with a new bit of kit, hence the PHP mail function page.
I had several objectives for this project. The primary objective, to run a secure server with a genuinely free signed server certificate, was amply met by CAcert. The secondary objective was to introduce new material providing real alternatives, in particular a mail server and a solution to having a dynamic IP address. I met this target using hMailServer, which will certainly remain on my PC; as for No-IP, it does what it is intended to do, however because they charge for a wildcard domain it's back to DynDNS for me.
I am personally unhappy with the lockdown section; security is of prime importance and I feel that section is too open and general. I would have liked to be specific and state that your PC is now secure, however for the reasons I provided in that section, not a chance.