d09403751d36268f973901f5dc9887570b971d6f
services/Certificate-Authority.md
... | ... | @@ -1,36 +1,9 @@ |
1 | 1 | # SSL Certificate Authority |
2 | 2 | |
3 | -internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses. |
|
4 | - |
|
5 | -The name constraints can be verified for example by using openssl: |
|
6 | -``` |
|
7 | - openssl x509 -in dn42.crt -text -noout |
|
8 | -``` |
|
9 | -which will show among other things: |
|
10 | -``` |
|
11 | - X509v3 Name Constraints: |
|
12 | - Permitted: |
|
13 | - DNS:.dn42 |
|
14 | -``` |
|
15 | - |
|
16 | -Certificate fingerprint |
|
17 | -``` |
|
18 | -$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt |
|
19 | -SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9 |
|
20 | -``` |
|
21 | - |
|
22 | -**Test Sites with a bad key** |
|
23 | - |
|
24 | -The following sites have been setup to demonstrate the key failing when signed for invalid subject alternates. |
|
25 | - |
|
26 | -[badkey.sour.is](https://badkey.sour.is) |
|
27 | - |
|
28 | -[badkey.xuu.me](https://badkey.xuu.me) |
|
29 | - |
|
30 | -[badkey.xuu.dn42](https://badkey.xuu.dn42) |
|
31 | - |
|
3 | +internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains. |
|
4 | +If you would like to have a certificate signed by this CA send a CSR to [email protected] |
|
32 | 5 | |
33 | -If you would like to trust the certificate import the following: |
|
6 | +The CA certificate: |
|
34 | 7 | |
35 | 8 | ``` |
36 | 9 | -----BEGIN CERTIFICATE----- |
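Review bot: Dropping "or 172.22.0.0/15 ip addresses" from the first paragraph (old line 3, new line 3) brings the prose in line with the `Permitted: DNS:.dn42` output shown later, but the new text should then also say what that implies: an RFC 5280 name constraint only restricts the name forms it lists, so a CA with a DNS-only permitted subtree and no IP subtree places no restriction on a certificate carrying an iPAddress subject alternative name. Either add an excluded IP subtree to the CA certificate or state plainly in this paragraph that the constraint covers DNS names only. The moved "send a CSR to ..." sentence (new line 4) would also be more useful if it told requesters that the requested names must sit under .dn42 in the SAN, since a certificate issued for anything else will be rejected by constraint-aware clients, which is the point the rest of the page makes.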
... | ... | @@ -56,9 +29,41 @@ X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw== |
56 | 29 | -----END CERTIFICATE----- |
57 | 30 | ``` |
58 | 31 | |
59 | -If you would like to have a certificate signed by this CA send a CSR to [email protected] |
|
32 | +Certificate fingerprint |
|
33 | +``` |
|
34 | +$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt |
|
35 | +SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9 |
|
36 | +``` |
|
37 | + |
|
38 | +## Testing constraints |
|
39 | + |
|
40 | +The name constraints can be verified for example by using openssl: |
|
41 | +``` |
|
42 | + openssl x509 -in dn42.crt -text -noout |
|
43 | +``` |
|
44 | +which will show among other things: |
|
45 | +``` |
|
46 | + X509v3 Name Constraints: |
|
47 | + Permitted: |
|
48 | + DNS:.dn42 |
|
49 | +``` |
|
50 | + |
|
51 | +The following sites have been set up to demonstrate the CA failing to sign arbitrary domains: |
|
52 | + |
|
53 | +* [badkey.sour.is](https://badkey.sour.is) |
|
54 | +* [badkey.xuu.me](https://badkey.xuu.me) |
|
55 | +* [badkey.xuu.dn42](https://badkey.xuu.dn42) |
|
56 | + |
|
57 | +They all use the same certificate, that should be regarded invalid by whatever software you use because of |
|
58 | +``` |
|
59 | + Subject: CN=badkey.sour.is |
|
60 | +[...] |
|
61 | + X509v3 Subject Alternative Name: |
|
62 | + DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS:* |
|
63 | + |
|
64 | +``` |
|
60 | 65 | |
61 | -**Import the certificate** |
|
66 | +## Importing the certificate |
|
62 | 67 | |
63 | 68 | - In archlinux you can install the package [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) from AUR |
64 | 69 | - cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert) |
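Review bot: New line 51 says the sites "demonstrate the CA failing to sign arbitrary domains", but the certificate quoted at new lines 59-62 was in fact signed; what the demo shows is that a client enforcing name constraints rejects a certificate issued for names outside the permitted subtree. Suggest "demonstrate that a certificate this CA signed for names outside .dn42 is rejected by clients that enforce name constraints". For the same reason "should be regarded invalid by whatever software you use" (new line 57) overstates it: only validators that implement RFC 5280 name constraints reject it, and a client that accepts badkey.xuu.dn42 is one that does not enforce them, which is exactly what these test sites let a reader detect. It is worth adding that badkey.xuu.dn42 is itself inside the permitted subtree and is rejected only because the same certificate also lists `DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS:*`, any one of the out-of-subtree entries being enough to fail validation. Minor: the blank line before the closing fence at new line 63 should go, and the two cacert FAQ links in the unchanged line 69 are plain http.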