services/Certificate-Authority.md
... ...
@@ -3,37 +3,100 @@
3 3
internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains.
4 4
If you would like to have a certificate signed by this CA send a CSR to [email protected]
5 5
6
-The CA certificate ([link](https://git.dn42/git/dn42/pki/plain/dn42-ca.crt)):
6
+The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):
7 7
8 8
```
9
+Certificate:
10
+ Data:
11
+ Version: 3 (0x2)
12
+ Serial Number: 137808117760 (0x2016010000)
13
+ Signature Algorithm: sha256WithRSAEncryption
14
+ Issuer: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA
15
+ Validity
16
+ Not Before: Jan 16 00:12:04 2016 GMT
17
+ Not After : Dec 31 23:59:59 2030 GMT
18
+ Subject: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA
19
+ Subject Public Key Info:
20
+ Public Key Algorithm: rsaEncryption
21
+ Public-Key: (2048 bit)
22
+ Modulus:
23
+ 00:c1:19:10:de:01:86:11:f1:82:0c:b0:d4:e5:ff:
24
+ 9a:c8:e3:aa:f4:00:08:82:c0:cf:7f:05:7a:21:97:
25
+ c1:b5:8b:a3:d1:54:ee:fa:04:0f:77:d5:5c:98:4b:
26
+ d9:88:18:c1:17:10:92:e5:24:fa:ef:61:eb:5d:7b:
27
+ 11:e5:be:ba:89:f2:60:c9:3b:82:05:3a:74:54:60:
28
+ 23:66:1a:d8:cd:28:7b:f1:ea:55:25:9a:8c:04:a0:
29
+ ff:9d:48:54:4c:9d:bc:2d:a0:df:71:ae:64:47:0d:
30
+ e7:75:05:f4:c5:02:2a:d2:0c:be:a3:63:54:62:2b:
31
+ ad:29:eb:6a:08:a4:5e:a8:eb:f1:52:14:4e:d1:5d:
32
+ 41:2f:d3:19:ba:e4:82:36:7a:d1:a3:f2:84:f6:07:
33
+ b2:f6:0c:30:db:db:76:ee:e9:14:05:c7:8f:75:b7:
34
+ 3f:d5:d5:35:56:d0:92:44:df:26:1e:00:fa:ae:cb:
35
+ 7a:c9:50:67:5d:69:f8:f9:fd:25:a7:1d:db:40:b1:
36
+ 42:bc:45:57:e1:c9:1c:42:ba:69:80:1e:ea:25:99:
37
+ 12:9f:6f:23:a3:d2:2e:4a:cd:15:e4:7c:49:f9:d1:
38
+ c0:f0:19:0c:15:50:ce:a6:51:bb:aa:16:b2:82:ec:
39
+ f4:61:44:8c:1c:dd:65:60:04:77:b0:4d:99:67:17:
40
+ fb:09
41
+ Exponent: 65537 (0x10001)
42
+ X509v3 extensions:
43
+ X509v3 Key Usage: critical
44
+ Certificate Sign, CRL Sign
45
+ X509v3 Basic Constraints: critical
46
+ CA:TRUE
47
+ X509v3 Subject Key Identifier:
48
+ 54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15
49
+ X509v3 Authority Key Identifier:
50
+ keyid:54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15
51
+
52
+ X509v3 Name Constraints:
53
+ Permitted:
54
+ DNS:.dn42
55
+ IP:172.20.0.0/255.252.0.0
56
+ IP:FD42:0:0:0:0:0:0:0/FFFF:0:0:0:0:0:0:0
57
+
58
+ Signature Algorithm: sha256WithRSAEncryption
59
+ 5c:a4:3b:41:a0:81:69:e2:71:99:4d:75:4b:5a:20:0d:2a:d9:
60
+ ec:ea:bc:8d:4f:b0:6c:f3:2e:41:1a:a0:75:f3:de:7e:3a:e0:
61
+ a7:b9:db:cd:f5:16:e4:6a:cb:e7:cc:2a:8f:ee:7f:14:0a:a5:
62
+ b5:f9:66:48:81:e5:68:1e:0c:a6:a3:3c:a7:2b:e3:95:cf:e3:
63
+ 63:15:0d:16:09:63:d9:66:31:3b:42:2e:7c:1a:e5:28:8e:5e:
64
+ 3d:9e:28:99:48:e9:47:86:11:e2:04:29:60:2b:96:95:99:ae:
65
+ 3f:ab:ff:3f:45:ab:7e:07:45:4e:4d:0b:18:40:3d:3b:02:9c:
66
+ 4e:a9:0f:a5:c2:3f:4a:30:77:ae:66:5c:b3:8d:b2:41:6b:e2:
67
+ 98:01:7d:e0:6b:52:70:4d:3d:b8:a9:48:f5:02:d2:d9:40:66:
68
+ b6:5e:44:25:11:55:ac:31:02:d7:67:72:6a:6a:bc:74:34:5f:
69
+ 75:dc:9a:4f:83:28:40:e0:2a:dc:3f:41:43:5a:47:07:2b:b7:
70
+ a7:3f:d0:15:a2:42:d7:30:22:f2:f6:e4:b4:f6:3b:38:ca:6b:
71
+ 4c:e7:3c:a4:70:cb:de:af:0a:14:ff:23:25:ca:04:cd:9e:49:
72
+ c3:4b:e4:0a:b5:0b:84:b5:ef:b4:5b:63:07:47:63:cd:5c:50:
73
+ 0b:42:0a:a9
9 74
-----BEGIN CERTIFICATE-----
10
-MIIDhzCCAm+gAwIBAgIJALhBYKXcLej6MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
11
-BAMTHURONDIgSW50ZXJuYWwgQ0EgKFVOVkVSSUZJRUQpMB4XDTE0MTIyMDE4NDAw
12
-NVoXDTI0MTIxNzE4NDAwNVowKDEmMCQGA1UEAxMdRE40MiBJbnRlcm5hbCBDQSAo
13
-VU5WRVJJRklFRCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDViXIb
14
-VcWw+tnZCbZuy3ME4vQJsiX5ik5WkqkBaj5vk7zt+Ca8XvaM8cqppb8kEOCkC+MV
15
-/qp5R2BAukKAAcmACQ9FHx6XYGxMQztU9tTMUuAqWH8JihWjBSoEfBQ9UpJHbgvo
16
-7AAY382rcaLQJs3QgxtNiUjeblPlAy6AE3TUBEiNwa7MTZ7f2YHbVF/9DpvUZee6
17
-KytOalzgbKcuFsquf4vIBtcKav1Qwmdr8eehQHdo8Nxv32uZqd272Q+EInFmzDPu
18
-KpJdhwc/7S/+ohL/fs6RQphnJvLR572cXTzwEIkFAGqym3Fx30Q7Keoq6Cx46yez
19
-lwL2k7C82bE4c+//AgMBAAGjgbMwgbAwHQYDVR0OBBYEFNeJoQrHPqh2SMplqb1V
20
-ac9OWmkiMFgGA1UdIwRRME+AFNeJoQrHPqh2SMplqb1Vac9OWmkioSykKjAoMSYw
21
-JAYDVQQDEx1ETjQyIEludGVybmFsIENBIChVTlZFUklGSUVEKYIJALhBYKXcLej6
22
-MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMBQGA1UdHgQNMAugCTAH
23
-ggUuZG40MjANBgkqhkiG9w0BAQsFAAOCAQEAMqVN55ruWA70znyWMB9+A4BcsFgI
24
-uFVZIOnJEy72Nsz0VvfEEW/3rxKs0UnLcnfBHlx2WHdD2zUJLiTAf6ziRhXpFPXY
25
-Ys3RJFE/8ZDVH3+dGOBekJusDX0YQcwXA/NVO2ogM6WIRIz7QabvOIJBaYXu71ZB
26
-ci29iKFLJ4dsUG69hoeDghwkij2mCR2G/tP+xbrb7xGM73tDjuzmESYlUAVgKtlH
27
-gfcWBU6anZMFJV9Y2lkNhxw5G7JMDSYsfONskzPet9HeHrmu67EnXMapELCjZL3O
28
-X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw==
75
+MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
76
+WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
77
+aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
78
+NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
79
+CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
80
+BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
81
+A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
82
+VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
83
+6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
84
+FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
85
+y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
86
+GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
87
+AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
88
+bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
89
+HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
90
+//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
91
+S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
92
+aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
93
+P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
94
+9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
95
+1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
96
+C0IKqQ==
29 97
-----END CERTIFICATE-----
30 98
```
31 99
32
-Certificate fingerprint
33
-```
34
-$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt
35
-SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9
36
-```
37 100
38 101
## Testing constraints
39 102
... ...
@@ -48,26 +111,10 @@ which will show among other things:
48 111
DNS:.dn42
49 112
```
50 113
51
-The following sites have been set up to demonstrate the CA failing to sign arbitrary domains:
52
-
53
-* [badkey.sour.is](https://badkey.sour.is) - Host is in HSTS preload with key pinning. The browser should fail because the keypin does not match.
54
-* [badkey.xuu.me](https://badkey.xuu.me) - Hostname is outside of domain allowed list.
55
-* [badkey.internal.dn42](https://badkey.internal.dn42) - Valid hostname and keypinned. But certificate contains bad subject alternate names.
56
-
57
-They all use the same certificate, that should be regarded invalid by whatever software you use because of
58
-```
59
- Subject: CN=badkey.internal.dn42
60
-[...]
61
- X509v3 Subject Alternative Name:
62
- DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS: google.com, DNS:*.com, DNS:*
63
-
64
-```
65
-
66 114
## Importing the certificate
67 115
68
-- In archlinux you can install the package [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) from AUR
69 116
- cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert)
70 117
71 118
## PKI Store
72 119
73
-All issued keys are posted in a git repository at: https://dn42.us/git/dn42/pki/tree/
... ...
\ No newline at end of file
0
+All issued keys and crl information are posted at: https://ca.dn42/
... ...
\ No newline at end of file