d09403751d36268f973901f5dc9887570b971d6f
services/Certificate-Authority.md
| ... | ... | @@ -1,36 +1,9 @@ |
| 1 | 1 | # SSL Certificate Authority |
| 2 | 2 | |
| 3 | -internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses. |
|
| 4 | - |
|
| 5 | -The name constraints can be verified for example by using openssl: |
|
| 6 | -``` |
|
| 7 | - openssl x509 -in dn42.crt -text -noout |
|
| 8 | -``` |
|
| 9 | -which will show among other things: |
|
| 10 | -``` |
|
| 11 | - X509v3 Name Constraints: |
|
| 12 | - Permitted: |
|
| 13 | - DNS:.dn42 |
|
| 14 | -``` |
|
| 15 | - |
|
| 16 | -Certificate fingerprint |
|
| 17 | -``` |
|
| 18 | -$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt |
|
| 19 | -SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9 |
|
| 20 | -``` |
|
| 21 | - |
|
| 22 | -**Test Sites with a bad key** |
|
| 23 | - |
|
| 24 | -The following sites have been setup to demonstrate the key failing when signed for invalid subject alternates. |
|
| 25 | - |
|
| 26 | -[badkey.sour.is](https://badkey.sour.is) |
|
| 27 | - |
|
| 28 | -[badkey.xuu.me](https://badkey.xuu.me) |
|
| 29 | - |
|
| 30 | -[badkey.xuu.dn42](https://badkey.xuu.dn42) |
|
| 31 | - |
|
| 3 | +internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains. |
|
| 4 | +If you would like to have a certificate signed by this CA send a CSR to [email protected] |
|
| 32 | 5 | |
| 33 | -If you would like to trust the certificate import the following: |
|
| 6 | +The CA certificate: |
|
| 34 | 7 | |
| 35 | 8 | ``` |
| 36 | 9 | -----BEGIN CERTIFICATE----- |
| ... | ... | @@ -56,9 +29,41 @@ X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw== |
| 56 | 29 | -----END CERTIFICATE----- |
| 57 | 30 | ``` |
| 58 | 31 | |
| 59 | -If you would like to have a certificate signed by this CA send a CSR to [email protected] |
|
| 32 | +Certificate fingerprint |
|
| 33 | +``` |
|
| 34 | +$ openssl x509 -sha256 -fingerprint -noout -in dn42.crt |
|
| 35 | +SHA256 Fingerprint=8C:8E:C1:12:DB:85:3E:59:CB:1A:DF:90:74:A4:0C:83:B5:ED:57:1E:BC:06:E0:0D:80:B3:47:68:11:77:E1:C9 |
|
| 36 | +``` |
|
| 37 | + |
|
| 38 | +## Testing constraints |
|
| 39 | + |
|
| 40 | +The name constraints can be verified for example by using openssl: |
|
| 41 | +``` |
|
| 42 | + openssl x509 -in dn42.crt -text -noout |
|
| 43 | +``` |
|
| 44 | +which will show among other things: |
|
| 45 | +``` |
|
| 46 | + X509v3 Name Constraints: |
|
| 47 | + Permitted: |
|
| 48 | + DNS:.dn42 |
|
| 49 | +``` |
|
| 50 | + |
|
| 51 | +The following sites have been set up to demonstrate the CA failing to sign arbitrary domains: |
|
| 52 | + |
|
| 53 | +* [badkey.sour.is](https://badkey.sour.is) |
|
| 54 | +* [badkey.xuu.me](https://badkey.xuu.me) |
|
| 55 | +* [badkey.xuu.dn42](https://badkey.xuu.dn42) |
|
| 56 | + |
|
| 57 | +They all use the same certificate, that should be regarded invalid by whatever software you use because of |
|
| 58 | +``` |
|
| 59 | + Subject: CN=badkey.sour.is |
|
| 60 | +[...] |
|
| 61 | + X509v3 Subject Alternative Name: |
|
| 62 | + DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS:* |
|
| 63 | + |
|
| 64 | +``` |
|
| 60 | 65 | |
| 61 | -**Import the certificate** |
|
| 66 | +## Importing the certificate |
|
| 62 | 67 | |
| 63 | 68 | - In archlinux you can install the package [ca-certificates-dn42](https://aur.archlinux.org/packages/ca-certificates-dn42) from AUR |
| 64 | 69 | - cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert) |