Signed Certificate Project
Uniform Server 3.5-Apollo


Introduction

There are several areas not covered in my original SSL write-up thought I would address this issue with one large project. The prime objective is to obtain a signed certificate for use with a secure server. Until you obtain your signed certificate most write-ups take the easy option and suggest a self-signed certificate will be adequate. Trouble is they never take you through the steps to obtain one. SSl part 2 addresses this by providing a complete step-by-step guide.

Cost

A significant factor is one of cost this has been addressed by CAcert. They are a professional organisation on the side of the Internet community and offer free certificates. They have fought and won several major battles to bring encryption as a right to the masses. Hopefully this year they will succeed in getting their root certificate into Firefox. Both parties are security conscious with end users in mind hence can only benefit us all.

Security

Leading on from the security point of view I have never covered locking down your PC. There are several things you can do to improve what exists as default.

Biased

It has been suggested I am biased towards DynDNS not true this project includes a No-IP account, which I hope addresses the balance.

Mail Server

CAcert’s verification process requires you to have a mail server running at your IP address. During testing I discovered OM3 failed CAcert’s mail probe test (probably because it’s still in beta) however Mercury mail transport system performed flawlessly. This project uses hMailServer simply because I have never covered or used it.

New Material

This project is an extension of mod SSL part 1 write-up where I actually suggested using self-signed certificates hence this project. I have included a lot of new material, which should be of some use.

Reading Order

Reading order is easy, follow the links and skip any section you are confident with. The only point worthy of note substitute your domain name whenever you come across mpg123.no-ip.org I tried to get UniCenter however that was taken shame that.

Top

Real Cost

Unless you wish to donate to the above projects there is no real financial cost involved. The real cost is making sure you have taken all steps to secure your server in particular securing your signed certificate from CAcert. If for any reason your server is compromised it is imperative to revoke your server certificate at CAcert and remove your domain name from No-IP. This will help limit some of the damage and possible identity fraud.

I am assuming you are not using any of the above for financial transactions remember all security is your personal responsibility and with that personal liability.

Top

Topics Covered

A detailed lists of topics covered:

1) PC Lock Down     2) No-IP

How to increase the security of Windows XP Home.

  1. Introduction: Intro and security
  2. Security: Windows is difficult to secure.
  3. Scared: Presses the point home if no action taken.
  4. Router and NAT: - First line of defence.
  5. Firewall and AV software, : - Stresses the need for these software packages.
  6. Disable Unnecessary Services: - Some insecure services to disable.
  7. Gibson Reasearch: Give that so call secure PC a full check at this site.
  8. Step back: The only question you need to ask and resolve!
  9. Summary: Leading onto No-IP.
   

For this project you require a domain name, if you do not have one create a free one at No-IP

  1. Introduction: Need for a domain name
  2. Create account and domain name: Set-up and use your free account.
  3. Install their client software: Track your dynamic IP address.
  4. Summary : Leading onto hMailServer.
3) Installing hMailServer     4) Configuring hMailServer

A step-by-step installation guide.

  1. Introduction: Intro to hMailServer
  2. hMailServer: Download and install steps
  3. Summary: Leading onto hMailServer configuration.
   

A step-by-step configuration guide..

  1. Introduction: Need for a mail server.
  2. Configuration: Eleven steps to a fully working mail server.
  3. Mail Client: - Set-up a client for testing.
  4. Testing: - How to test the mail server.
  5. Summary: Leading onto PHP mail function.
5) PHP mail function     6) Generate CSR

Hidden mini-smtp server!

  1. Introduction: Intro to the function problem
  2. Basic PHP mail function: Example using the basic PHP mail function.
  3. Basic PHP mail function - Problem: Example to highlight the problem and a partialsolution.
  4. Basic PHP mail function - Reply address: - Complete solution
  5. Summary: Back on track leading onto CSR.
   

A CSR (Certificate signing request) is required to obtain a signed certificate..

  1. Introduction: Intro CSR
  2. Preperation: Delete the old files
  3. Creating a key, certificate and CSR: - Create new files required
  4. Copy the Certificate and Key: - Copy files to server location
  5. Test: Make sure the certicicates work.
  6. Summary: Leading onto CAcert.
7) CAcert Introduction     8) CAcert Introduction

A CA to sign your certificate.

  1. Introduction: Intro toCAcert
  2. Process Overview: Three steps to obtaing a signed certificate.
  3. Step 1) Join CAcert: - How to register an account at CAcert.
  4. Step 2) Registering a domain: - How to register your domain required for signing a certificate.
  5. General Notes: - Alternative mail server.
  6. Summary: Leading onto signing your certificate.
   

How to get your certificate signed.

  1. Introduction
  2. CAcert Signing Process: Quick Intro
  3. Step 3) Signing Process: Nothing complex just copy and paste.
  4. Real world experience: - Self-inflicted problems.
  5. Conclusion: - Some thoughts to finish with

Top

Summary

Feel free to pick and mix the above nothing is written in stone, security is all-important I strongly recommend a visit to the Gibson research site, which is covered, on the next page.

Top


  Ric