CAcert.org, OpenSSL & SSL Certificates.

SSL/TLS relies on X.509 certificates. A CA (Certificate Authority) holds a private key and uses it to sign other certificates; the matching public key is published in the CA's own certificate.

If that self-signed CA certificate (the root) is made available to anyone who wishes to check a given certificate, the client can use the public key in the root to validate the signature on any certificate the CA has signed.

This is hierarchical: as long as the root certificate is available to, and trusted by, the client, an arbitrary chain of certificates rooted at that CA can be verified 'automatically', each certificate vouching for the next one down.

CAcert.org is one such root CA. Unfortunately, its root certificate is not included by default in most applications and operating-system trust stores, but it is usually simple to add. Keep in mind what that step means: a client that trusts a root accepts every certificate that root has ever signed, so obtain the root from a trustworthy source and check its fingerprint out-of-band before installing it.
Once it has been added, any certificate CAcert.org has signed will be verified automatically.

First of all, we need a personal account on the CAcert.org website, so we must register as a CAcert user.

Assuming we have bought a domain, for example mydomain.ext, we now want to generate a server certificate for it and for its subdomains, such as www.mydomain.ext.

The first step is to prove that we control the domain, so in the CAcert.org account panel we click "Domains" -> "Add" and enter the domain name.
CAcert.org appears to run some DNS checks and offers the e-mail addresses of the registered administrative contacts, but we can also choose one of root@, hostmaster@, postmaster@, webmaster@ or admin@ the domain.
Once we have chosen an address, we receive an e-mail with an activation link; following it proves that we control the domain, which is why those mailboxes must be readable only by the domain's administrators.

Once the domain has been verified, we generate a private key and a Certificate Signing Request (CSR):

openssl req -nodes -new -newkey rsa:2048 \
 -keyout mydomain.ext.key \
 -out mydomain.ext.csr

The -newkey rsa:2048 option pins the key size (older OpenSSL releases default to 1024-bit RSA); -nodes leaves mydomain.ext.key unencrypted so that the service can load it without a passphrase, which in turn means the file must be readable by its owner only.

OpenSSL will ask some questions about the certificate subject. CAcert.org ignores most of this information, but the CommonName is extremely important: this is where you enter the fully-qualified domain name of the server you want a certificate for (e.g. www.mydomain.ext, or *.mydomain.ext for a wildcard). Clients compare it with the host name they connected to, so it must match the name they will actually use.

To get a signed certificate from CAcert.org we simply choose "Server certificates" -> "New" and paste in the contents of the mydomain.ext.csr file (only the CSR is submitted; the private key never leaves our machine). The signed server certificate is displayed on the CAcert.org website shortly after the request; we copy it into a new file called mydomain.ext.crt.

We will probably want to verify the signed server certificate; the OpenSSL toolkit does that too:

1. Download the CAcert.org root certificate:

wget http://www.cacert.org/certs/root.crt \
 -O CACert_root.crt

This download is over plain HTTP, so before trusting the file compare its fingerprint with the one CAcert.org publishes, obtained through an independent channel.

2. Verify the mydomain.ext certificate:

openssl verify -CAfile CACert_root.crt \
 -purpose sslserver mydomain.ext.crt

-CAfile names the trust anchor, and -purpose sslserver additionally checks that the certificate's extensions allow it to identify a TLS server. If the certificate was issued by an intermediate CA rather than directly by the root, the intermediate has to be supplied as well (with -untrusted), otherwise verification fails with "unable to get local issuer certificate".

If everything has been done correctly, the command replies "mydomain.ext.crt: OK", and the certificate (together with mydomain.ext.key) is ready to be used in the needed service (for example Apache, Postfix, Dovecot and so on).
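The key, CSR, sign and verify steps above can be rehearsed end to end without waiting on CAcert.org. The script below is an added example, not code from the original post or from CAcert.org: it generates a throwaway "lab root" CA locally, which plays the part of CAcert's root.crt and signs the CSR itself, then runs the same openssl verify check the article uses. It also shows two ways that check fails which the article does not: a certificate presented against a root that did not issue it, and a certificate from the right root whose extensions only permit client use. All file names, the CA names and mydomain.ext are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not code from the original post or from CAcert.org.
# A throwaway "lab root" CA is generated locally and plays the part of
# CAcert's root.crt, so the article's sign-then-verify steps can be run
# offline. All file names, the CA names and mydomain.ext are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs

# Self-signed root certificate + key; stands in for CACert_root.crt.
#   $1 = basename for the files, $2 = CommonName of the CA
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Server key + CSR, the article's "openssl req -nodes -new" step.
#   $1 = basename, $2 = CommonName (the server's fully-qualified name)
make_csr() {
    openssl req -nodes -new -newkey rsa:2048 -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    chmod 600 "$WORK/$1.key"          # -nodes: the key is unencrypted on disk
}

# What the CA does with a submitted CSR: sign it with the root key.
#   $1 = CSR basename, $2 = root basename, $3 = optional extension file
sign_csr() {
    extfile=""
    if [ -n "${3:-}" ]; then extfile="-extfile $3"; fi
    # $extfile is deliberately unquoted so that it expands to two words.
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        $extfile -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The article's check: the chain must end at the root AND the certificate
# must be allowed to identify a TLS server. Prints OK or FAIL.
#   $1 = cert basename, $2 = root basename
verify_server() {
    if openssl verify -CAfile "$WORK/$2.crt" -purpose sslserver \
            "$WORK/$1.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Same check without -purpose: only the signature chain is examined.
#   $1 = cert basename, $2 = root basename
verify_chain() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

run_demo() {
    make_root lab-root   "Lab Root CA (example)"
    make_root other-root "Unrelated Root CA (example)"

    # The article's server certificate, issued by the lab root.
    make_csr mydomain.ext www.mydomain.ext
    sign_csr mydomain.ext lab-root

    # A second certificate from the same root, restricted to client use.
    make_csr client client.mydomain.ext
    printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
    sign_csr client lab-root "$WORK/client.ext"

    echo "server cert, issuing root, -purpose sslserver: $(verify_server mydomain.ext lab-root)"
    echo "server cert, unrelated root:                   $(verify_server mydomain.ext other-root)"
    echo "client-only cert, chain only:                  $(verify_chain client lab-root)"
    echo "client-only cert, -purpose sslserver:          $(verify_server client lab-root)"
}

run_demo
```

The first line of output is the article's case and reads OK; the second fails because the unrelated root never signed the certificate; the last two show why -purpose sslserver is worth keeping: the client-only certificate chains to the root perfectly well, but it is not a server certificate, and only the purpose check notices. Substituting CACert_root.crt and the real mydomain.ext.crt into verify_server gives exactly the article's command; a certificate issued under an intermediate would additionally need that intermediate passed with -untrusted.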

