services/Certificate-Authority.md
... ...
@@ -1,36 +1,9 @@
1 1
# SSL Certificate Authority
2 2
3
-internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses.
4
-
5
-The name constraints can be verified for example by using openssl:
6
-```
7
- openssl x509 -in dn42.crt -text -noout
8
-```
9
-which will show among other things:
10
-```
11
- X509v3 Name Constraints:
12
- Permitted:
13
- DNS:.dn42
14
-```
15
-
16
-Certificate fingerprint
17
-```
18
-$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt
19
-SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9
20
-```
21
-
22
-**Test Sites with a bad key**
23
-
24
-The following sites have been setup to demonstrate the key failing when signed for invalid subject alternates.
25
-
26
-[badkey.sour.is](https://badkey.sour.is)
27
-
28
-[badkey.xuu.me](https://badkey.xuu.me)
29
-
30
-[badkey.xuu.dn42](https://badkey.xuu.dn42)
31
-
3
+internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains.
4
+If you would like to have a certificate signed by this CA send a CSR to [email protected]
32 5
33
-If you would like to trust the certificate import the following:
6
+The CA certificate:
34 7
35 8
```
36 9
-----BEGIN CERTIFICATE-----
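Review bot: the rewritten intro (new line 3) silently drops the `172.22.0.0/15` IP-address constraint that old line 3 claimed, while the `X509v3 Name Constraints` excerpt kept in this file lists only `DNS:.dn42` under Permitted; if the CA certificate really carries no IP permitted subtree, the removal is right and the sentence should say so explicitly (no IP-address SANs are signed), and if it does carry one, the excerpt should be extended to show it rather than the claim deleted. New line 4 also tells requesters to mail a CSR but nothing in the file states how the CA confirms the requester controls the `.dn42` names in the CSR before signing; add a sentence on that validation step, and note that the CSR must contain only the public key, never the private key.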
... ...
@@ -56,9 +29,41 @@ X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw==
56 29
-----END CERTIFICATE-----
57 30
```
58 31
59
-If you would like to have a certificate signed by this CA send a CSR to [email protected]
32
+Certificate fingerprint
33
+```
34
+$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt
35
+SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9
36
+```
37
+
38
+## Testing constraints
39
+
40
+The name constraints can be verified for example by using openssl:
41
+```
42
+ openssl x509 -in dn42.crt -text -noout
43
+```
44
+which will show among other things:
45
+```
46
+ X509v3 Name Constraints:
47
+ Permitted:
48
+ DNS:.dn42
49
+```
50
+
51
+The following sites have been set up to demonstrate the CA failing to sign arbitrary domains:
52
+
53
+* [badkey.sour.is](https://badkey.sour.is)
54
+* [badkey.xuu.me](https://badkey.xuu.me)
55
+* [badkey.xuu.dn42](https://badkey.xuu.dn42)
56
+
57
+They all use the same certificate, that should be regarded invalid by whatever software you use because of
58
+```
59
+ Subject: CN=badkey.sour.is
60
+[...]
61
+ X509v3 Subject Alternative Name:
62
+ DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS:*
63
+
64
+```
60 65
61
-**Import the certificate**
66
+## Importing the certificate
62 67
63 68
- In archlinux you can install the package [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) from AUR
64 69
- cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert)
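Review bot: the statement on new line 57 that the badkey certificate "should be regarded invalid by whatever software you use" holds only for clients that enforce `X509v3 Name Constraints`, and the reason it fails even for badkey.xuu.dn42, which sits inside the permitted `.dn42` subtree, is that the SAN also lists `DNS:badkey.sour.is`, `DNS:badkey.xuu.me` and `DNS:*`, all outside it; suggest spelling that out ("a certificate is rejected if any of its names violates the constraint, not only the name you connect to") and pairing the `-text` dump with an actual verification, e.g. `openssl verify -CAfile dn42.crt badkey.crt` (with `badkey.crt` being the certificate fetched from one of the test sites), so readers can confirm their own openssl rejects it. Two smaller points: "Certificate fingerprint" (new line 32) is plain text while the other new sections use `##` headings, so make it `## Certificate fingerprint` and say the fingerprint is what to compare against the certificate above before importing; and on new line 57 "the same certificate, that should be regarded" reads better as "the same certificate, which should be regarded", with the stray blank line before the closing fence (new line 63) removed.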