ad6f74a3712533c5ac38bb77cf130a8407cb79f1
services/Certificate-Authority.md
... | ... | @@ -3,37 +3,100 @@ |
3 | 3 | internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains. |
4 | 4 | If you would like to have a certificate signed by this CA send a CSR to [email protected] |
5 | 5 | |
6 | -The CA certificate ([link](https://git.dn42/git/dn42/pki/plain/dn42-ca.crt)): |
|
6 | +The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)): |
|
7 | 7 | |
8 | 8 | ``` |
9 | +Certificate: |
|
10 | + Data: |
|
11 | + Version: 3 (0x2) |
|
12 | + Serial Number: 137808117760 (0x2016010000) |
|
13 | + Signature Algorithm: sha256WithRSAEncryption |
|
14 | + Issuer: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA |
|
15 | + Validity |
|
16 | + Not Before: Jan 16 00:12:04 2016 GMT |
|
17 | + Not After : Dec 31 23:59:59 2030 GMT |
|
18 | + Subject: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA |
|
19 | + Subject Public Key Info: |
|
20 | + Public Key Algorithm: rsaEncryption |
|
21 | + Public-Key: (2048 bit) |
|
22 | + Modulus: |
|
23 | + 00:c1:19:10:de:01:86:11:f1:82:0c:b0:d4:e5:ff: |
|
24 | + 9a:c8:e3:aa:f4:00:08:82:c0:cf:7f:05:7a:21:97: |
|
25 | + c1:b5:8b:a3:d1:54:ee:fa:04:0f:77:d5:5c:98:4b: |
|
26 | + d9:88:18:c1:17:10:92:e5:24:fa:ef:61:eb:5d:7b: |
|
27 | + 11:e5:be:ba:89:f2:60:c9:3b:82:05:3a:74:54:60: |
|
28 | + 23:66:1a:d8:cd:28:7b:f1:ea:55:25:9a:8c:04:a0: |
|
29 | + ff:9d:48:54:4c:9d:bc:2d:a0:df:71:ae:64:47:0d: |
|
30 | + e7:75:05:f4:c5:02:2a:d2:0c:be:a3:63:54:62:2b: |
|
31 | + ad:29:eb:6a:08:a4:5e:a8:eb:f1:52:14:4e:d1:5d: |
|
32 | + 41:2f:d3:19:ba:e4:82:36:7a:d1:a3:f2:84:f6:07: |
|
33 | + b2:f6:0c:30:db:db:76:ee:e9:14:05:c7:8f:75:b7: |
|
34 | + 3f:d5:d5:35:56:d0:92:44:df:26:1e:00:fa:ae:cb: |
|
35 | + 7a:c9:50:67:5d:69:f8:f9:fd:25:a7:1d:db:40:b1: |
|
36 | + 42:bc:45:57:e1:c9:1c:42:ba:69:80:1e:ea:25:99: |
|
37 | + 12:9f:6f:23:a3:d2:2e:4a:cd:15:e4:7c:49:f9:d1: |
|
38 | + c0:f0:19:0c:15:50:ce:a6:51:bb:aa:16:b2:82:ec: |
|
39 | + f4:61:44:8c:1c:dd:65:60:04:77:b0:4d:99:67:17: |
|
40 | + fb:09 |
|
41 | + Exponent: 65537 (0x10001) |
|
42 | + X509v3 extensions: |
|
43 | + X509v3 Key Usage: critical |
|
44 | + Certificate Sign, CRL Sign |
|
45 | + X509v3 Basic Constraints: critical |
|
46 | + CA:TRUE |
|
47 | + X509v3 Subject Key Identifier: |
|
48 | + 54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15 |
|
49 | + X509v3 Authority Key Identifier: |
|
50 | + keyid:54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15 |
|
51 | + |
|
52 | + X509v3 Name Constraints: |
|
53 | + Permitted: |
|
54 | + DNS:.dn42 |
|
55 | + IP:172.20.0.0/255.252.0.0 |
|
56 | + IP:FD42:0:0:0:0:0:0:0/FFFF:0:0:0:0:0:0:0 |
|
57 | + |
|
58 | + Signature Algorithm: sha256WithRSAEncryption |
|
59 | + 5c:a4:3b:41:a0:81:69:e2:71:99:4d:75:4b:5a:20:0d:2a:d9: |
|
60 | + ec:ea:bc:8d:4f:b0:6c:f3:2e:41:1a:a0:75:f3:de:7e:3a:e0: |
|
61 | + a7:b9:db:cd:f5:16:e4:6a:cb:e7:cc:2a:8f:ee:7f:14:0a:a5: |
|
62 | + b5:f9:66:48:81:e5:68:1e:0c:a6:a3:3c:a7:2b:e3:95:cf:e3: |
|
63 | + 63:15:0d:16:09:63:d9:66:31:3b:42:2e:7c:1a:e5:28:8e:5e: |
|
64 | + 3d:9e:28:99:48:e9:47:86:11:e2:04:29:60:2b:96:95:99:ae: |
|
65 | + 3f:ab:ff:3f:45:ab:7e:07:45:4e:4d:0b:18:40:3d:3b:02:9c: |
|
66 | + 4e:a9:0f:a5:c2:3f:4a:30:77:ae:66:5c:b3:8d:b2:41:6b:e2: |
|
67 | + 98:01:7d:e0:6b:52:70:4d:3d:b8:a9:48:f5:02:d2:d9:40:66: |
|
68 | + b6:5e:44:25:11:55:ac:31:02:d7:67:72:6a:6a:bc:74:34:5f: |
|
69 | + 75:dc:9a:4f:83:28:40:e0:2a:dc:3f:41:43:5a:47:07:2b:b7: |
|
70 | + a7:3f:d0:15:a2:42:d7:30:22:f2:f6:e4:b4:f6:3b:38:ca:6b: |
|
71 | + 4c:e7:3c:a4:70:cb:de:af:0a:14:ff:23:25:ca:04:cd:9e:49: |
|
72 | + c3:4b:e4:0a:b5:0b:84:b5:ef:b4:5b:63:07:47:63:cd:5c:50: |
|
73 | + 0b:42:0a:a9 |
|
9 | 74 | -----BEGIN CERTIFICATE----- |
10 | -MIIDhzCCAm+gAwIBAgIJALhBYKXcLej6MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV |
|
11 | -BAMTHURONDIgSW50ZXJuYWwgQ0EgKFVOVkVSSUZJRUQpMB4XDTE0MTIyMDE4NDAw |
|
12 | -NVoXDTI0MTIxNzE4NDAwNVowKDEmMCQGA1UEAxMdRE40MiBJbnRlcm5hbCBDQSAo |
|
13 | -VU5WRVJJRklFRCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDViXIb |
|
14 | -VcWw+tnZCbZuy3ME4vQJsiX5ik5WkqkBaj5vk7zt+Ca8XvaM8cqppb8kEOCkC+MV |
|
15 | -/qp5R2BAukKAAcmACQ9FHx6XYGxMQztU9tTMUuAqWH8JihWjBSoEfBQ9UpJHbgvo |
|
16 | -7AAY382rcaLQJs3QgxtNiUjeblPlAy6AE3TUBEiNwa7MTZ7f2YHbVF/9DpvUZee6 |
|
17 | -KytOalzgbKcuFsquf4vIBtcKav1Qwmdr8eehQHdo8Nxv32uZqd272Q+EInFmzDPu |
|
18 | -KpJdhwc/7S/+ohL/fs6RQphnJvLR572cXTzwEIkFAGqym3Fx30Q7Keoq6Cx46yez |
|
19 | -lwL2k7C82bE4c+//AgMBAAGjgbMwgbAwHQYDVR0OBBYEFNeJoQrHPqh2SMplqb1V |
|
20 | -ac9OWmkiMFgGA1UdIwRRME+AFNeJoQrHPqh2SMplqb1Vac9OWmkioSykKjAoMSYw |
|
21 | -JAYDVQQDEx1ETjQyIEludGVybmFsIENBIChVTlZFUklGSUVEKYIJALhBYKXcLej6 |
|
22 | -MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMBQGA1UdHgQNMAugCTAH |
|
23 | -ggUuZG40MjANBgkqhkiG9w0BAQsFAAOCAQEAMqVN55ruWA70znyWMB9+A4BcsFgI |
|
24 | -uFVZIOnJEy72Nsz0VvfEEW/3rxKs0UnLcnfBHlx2WHdD2zUJLiTAf6ziRhXpFPXY |
|
25 | -Ys3RJFE/8ZDVH3+dGOBekJusDX0YQcwXA/NVO2ogM6WIRIz7QabvOIJBaYXu71ZB |
|
26 | -ci29iKFLJ4dsUG69hoeDghwkij2mCR2G/tP+xbrb7xGM73tDjuzmESYlUAVgKtlH |
|
27 | -gfcWBU6anZMFJV9Y2lkNhxw5G7JMDSYsfONskzPet9HeHrmu67EnXMapELCjZL3O |
|
28 | -X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw== |
|
75 | +MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC |
|
76 | +WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0 |
|
77 | +aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx |
|
78 | +NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE |
|
79 | +CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd |
|
80 | +BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA |
|
81 | +A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR |
|
82 | +VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx |
|
83 | +6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS |
|
84 | +FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu |
|
85 | +y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw |
|
86 | +GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P |
|
87 | +AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J |
|
88 | +bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud |
|
89 | +HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA |
|
90 | +//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11 |
|
91 | +S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl |
|
92 | +aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu |
|
93 | +P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI |
|
94 | +9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC |
|
95 | +1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ |
|
96 | +C0IKqQ== |
|
29 | 97 | -----END CERTIFICATE----- |
30 | 98 | ``` |
31 | 99 | |
32 | -Certificate fingerprint |
|
33 | -``` |
|
34 | -$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt |
|
35 | -SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9 |
|
36 | -``` |
|
37 | 100 | |
38 | 101 | ## Testing constraints |
39 | 102 | |
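Review bot: the removed `Certificate fingerprint` block (old lines 32-36) has no counterpart for the new root, so a reader who fetches `root-ca.crt` from ca.dn42 or ca.dn42.us has nothing to check the download against; add the output of `openssl x509 -sha256 -fingerprint -noout -in root-ca.crt` for the new certificate next to the dump. Two further points in the dump itself: `X509v3 Name Constraints:` (new line 52) carries no `critical` flag, unlike Key Usage and Basic Constraints just above it. RFC 5280 requires CAs to mark nameConstraints critical, and a validator that does not implement the extension may ignore a non-critical one, so the page should state that the constraint is only as good as the client's support for it. And the permitted set (new lines 54-56) now includes `IP:172.20.0.0/255.252.0.0` and `IP:FD42:0:0:0:0:0:0:0/FFFF:0:0:0:0:0:0:0` alongside `DNS:.dn42`, while the unchanged line 3 still says the CA is only allowed to sign `*.dn42` domains; update that sentence to mention the IP ranges.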
... | ... | @@ -48,26 +111,10 @@ which will show among other things: |
48 | 111 | DNS:.dn42 |
49 | 112 | ``` |
50 | 113 | |
51 | -The following sites have been set up to demonstrate the CA failing to sign arbitrary domains: |
|
52 | - |
|
53 | -* [badkey.sour.is](https://badkey.sour.is) - Host is in HSTS preload with key pinning. The browser should fail because the keypin does not match. |
|
54 | -* [badkey.xuu.me](https://badkey.xuu.me) - Hostname is outside of domain allowed list. |
|
55 | -* [badkey.internal.dn42](https://badkey.internal.dn42) - Valid hostname and keypinned. But certificate contains bad subject alternate names. |
|
56 | - |
|
57 | -They all use the same certificate, that should be regarded invalid by whatever software you use because of |
|
58 | -``` |
|
59 | - Subject: CN=badkey.internal.dn42 |
|
60 | -[...] |
|
61 | - X509v3 Subject Alternative Name: |
|
62 | - DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS: google.com, DNS:*.com, DNS:* |
|
63 | - |
|
64 | -``` |
|
65 | - |
|
66 | 114 | ## Importing the certificate |
67 | 115 | |
68 | -- In archlinux you can install the package [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) from AUR |
|
69 | 116 | - cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert) |
70 | 117 | |
71 | 118 | ## PKI Store |
72 | 119 | |
73 | -All issued keys are posted in a git repository at: https://dn42.us/git/dn42/pki/tree/ |
|
... | ... | \ No newline at end of file |
0 | +All issued keys and crl information are posted at: https://ca.dn42/ |
|
... | ... | \ No newline at end of file |
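Review bot: the new PKI Store line (`All issued keys and crl information are posted at: https://ca.dn42/`) says keys where it means certificates; a CA store publishes issued certificates and the CRL, never keys, so write `All issued certificates and the CRL are posted at: https://ca.dn42/`, and consider listing the ca.dn42.us mirror here as the certificate link above already does. Two smaller points: the Testing constraints section still shows only `DNS:.dn42` as the expected output (context line 111), while the new root also carries IP constraints, so that expected output should be refreshed; and with the badkey.* demonstration sites (old lines 51-64) removed, the page no longer gives the reader any way to confirm that their client actually enforces the constraint, so either point to a replacement or say explicitly that the demonstration was retired.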