CAcert
Overview
This page contains information about CAcert.org in general, and stuff that is important for me as an assurer.
TODO
- Get an overview of the structure of CAcert, i.e. what teams are there, how are they related, etc. (diagram?). A good starting point might be the 2008/2009 team report.
- Get an overview of the various pieces of infrastructure, i.e. main website, blog, wiki, etc.
- Decide whether it is desirable to join as a CAcert member (and what the responsibilities would be)
References
Main site
Wiki
CAcert assurer handbook
- http://wiki.cacert.org/wiki/AssuranceHandbook2
- has a number of references to other documents
- has details about the Assurance process, especially about naming problems
- elaborates on arbitration
CAcert assurer training (slideshow-style document)
- http://svn.cacert.org/CAcert/Education/Assurer%20Education%20(e).pdf
- contains broad information about CAcert and digital certificates
- reviews the process of how to become an assurer, and focuses on the Assurance process itself
- also contains a section about founding a CAcert Office
CAcert CPS and CP document
Assurance Policy
Organisation Assurance Policy
- http://www.cacert.org/policy/OrganisationAssurancePolicy.php
- describes how Organisation Assurers (OAs) conduct Assurances on Organisations
CAcert Community Agreement (CCA)
Acceptable Documents in Switzerland
Other interesting links
- Statistics per country on the Web of Trust: https://secure.cacert.org/wot.php?id=1
- See pending and past motions of the board: https://community.cacert.org/board/motions.php
- Blog: http://blog.cacert.org/
Mailing Lists
- List of lists: https://lists.cacert.org/wws/lists
- cacert@lists.cacert.org - general discussion & announcements
- cacert-board@lists.cacert.org - CAcert Board communications
- This is the public list of the CAcert board. Posts here are public, in keeping with the principles of open governance.
- Archive: https://lists.cacert.org/wws/arc/cacert-board
- cacert-devel@lists.cacert.org
- CAcert Code Development list.
- Archive: https://lists.cacert.org/wws/arc/cacert-devel
- cacert-disputes@lists.cacert.org - CAcert Case Managers (Disputes)
- This list is managed by the case managers and arbitrators of CAcert. Please put your private post here to file a dispute.
- Archive: Private
- cacert-policy@lists.cacert.org - Policy-Discussion
- cacert-support@lists.cacert.org - CAcert General support list
- This is the first level support of www.CAcert.org & related activities.
- Archive: https://lists.cacert.org/wws/arc/cacert-support
- cacert-sysadm@lists.cacert.org - CAcert System Admins discussion list
- This is a list with a specific system administration theme.
- Archive: https://lists.cacert.org/wws/arc/cacert-sysadm
- cacert-systemlog@lists.cacert.org - audit log for critical system admin events
- This list is purely meant for logging events related to the operation of CAcert's critical servers, including physical access to the location. It is not meant as a discussion forum.
- Archive: https://lists.cacert.org/wws/arc/cacert-systemlog
Glossary
- WOT
- Web of Trust
- CPS
- Certification Practice Statement
- CP
- Certificate Policy
- CCA
- CAcert Community Agreement
- OAP
- Organisation Assurance Policy
- CATS
- CAcert Training System
- ATE
- Assurer Training Event
- BirdShack
- Project name for the proposed complete rewrite of the CAcert software
- CARS
- CAcert Assurers Reliable Statement
CAcert Root Certificates
Getting the certificates
The public root certificates of CAcert.org can be obtained from this page (use the PEM variants):
https://www.cacert.org/index.php?id=3
At the time of writing there are 2 root certificates available:
- a class 1 root certificate
- a class 3 root certificate; this one is signed by the class 1 root certificate
As per Wikipedia:
- class 1 root certificates are for email
- class 3 root certificates are for server certificates and software signing
Adding certificates to the Debian system-wide trust store
On Debian systems, the CAcert root certificates used to be provided by the package ca-certificates. Unfortunately this is no longer the case because Debian decided to exclusively use the Mozilla trust store, which famously excludes CAcert. Debian is flexible enough, though, that custom certificates can be added to the system-wide trust store. To do so, the CAcert certificates must first be placed into this folder:
/usr/local/share/ca-certificates
I like to store the two certificates under the following names:
cacert.org_root.crt cacert.org_class3.crt
Note: If you try to download the certificates from the CAcert website on the same system that you intend to modify, you will have a bootstrap problem because CAcert offers the certificates for download via HTTPS only, but curl or wget or whatever download tool you are using will not trust the certificate offered by the CAcert website. To circumvent this you can tell the download tool not to check the certificate. The command line option for wget is this:
wget --no-check-certificate URL
WARNING: This is dangerous because someone could act as a man-in-the-middle and cause your download tool to fetch a fake certificate. Therefore make sure to verify the certificate's fingerprint after the download, against a fingerprint obtained from a trusted, independent source!
After installing the two certificates, the next step is to run update-ca-certificates: this utility notices the two new certificates and adds them to the system-wide trust store.
As far as I know, no part of my Linux box requires the CAcert certificates to be present in the trust store. The certificates are required, though, for creating a certificate chain file that is used by server processes to offer the entire certificate chain to clients.
Certificate chain file
On Debian, create a so-called certificate chain file in the following way:
cd /etc/ssl/certs
rm -f cacert.org.certchain
cat /usr/local/share/ca-certificates/cacert.org_class3.crt >>cacert.org.certchain
cat /usr/local/share/ca-certificates/cacert.org_root.crt >>cacert.org.certchain
Note: The certificates in the chain file should appear in certificate chain order, i.e. the root certificate that was used to sign the server certificate should appear first. I have not tested what happens if this is not the case, but I guess it will affect browsers.
Sample application:
- The chain file is used, for instance, by the Apache web server (see Apache)
- When a client requests the server certificate (which is signed by the class 3 CAcert.org root certificate), the server not only hands out the server certificate, but also provides the root certificates in the chain file
- If the client trusts one of the CAcert.org root certificates, it will thereby automatically trust the server certificate, too
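The fingerprint check that the WARNING above asks for, together with the chain-file assembly in the order given above, as an added Python example (not CAcert's own tooling). It assumes the root file was fetched as described and that PINNED_ROOT_SHA256 is replaced by a fingerprint obtained out of band; the PEM inputs are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Placeholder (assumption): replace with the fingerprint read from a trusted
# source, never with one taken from the same unverified HTTPS download.
PINNED_ROOT_SHA256 = "REPLACE-WITH-FINGERPRINT-FROM-TRUSTED-SOURCE"

# Constructed stand-ins: valid PEM framing around tiny, non-X.509 bodies
# ("YWJj" decodes to b"abc", "ZGVm" to b"def").
SAMPLE_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_CLASS3_PEM = "-----BEGIN CERTIFICATE-----\nZGVm\n-----END CERTIFICATE-----\n"

def pem_certificates(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM file."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        if not b64:
            raise ValueError("empty certificate block")
        ders.append(base64.b64decode(b64, validate=True))
    return ders

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def root_matches_pin(pem_text: str, pinned: str) -> bool:
    """True only if the file holds exactly one certificate whose fingerprint
    equals the pinned value; a swapped file or a whole bundle fails here."""
    ders = pem_certificates(pem_text)
    if len(ders) != 1:
        return False
    actual = fingerprint_sha256(ders[0]).replace(":", "").lower()
    return hmac.compare_digest(actual, pinned.replace(":", "").lower())

def build_chain(class3_pem: str, root_pem: str) -> str:
    """Chain file content in the order the notes use: the class 3 certificate
    that signed the server certificate first, then the class 1 root."""
    return class3_pem.rstrip("\n") + "\n" + root_pem.rstrip("\n") + "\n"
```

Only install the downloaded file into /usr/local/share/ca-certificates when root_matches_pin returns True; a False result means the file is not the one you expected and must not be trusted.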
Questions And Answers
- What is a digital signature?
- A digital signature is a hash value of the document encrypted by the private key of the signer (definition taken from the CAcert assurer handbook)
CAcert Assurer Challenge
Wiki page of the challenge
Step-by-step procedure (using Firefox 3):
- Log in to CATS: https://cats.cacert.org/
- the browser asks you to select the certificate that should be presented to the CATS server
- you need to enter the certificate master password if this is the first time that you access the certificate after the browser has started
- the browser asks once more for the certificate, possibly because it got another challenge from CATS; note that from now on the browser will repeatedly ask for the certificate; I am not going to mention this anymore, simply select the appropriate certificate each time
- once CATS has accepted the certificate, you still have to login (click the "login" link)
- if it's the first time that you try to login, CATS will tell you that you need to register
- once you are logged in, you can browse around the site (it's all fairly straightforward) and do the test whenever you like
Notes about the test:
- the test consists of 25 questions
- most of the questions are multiple choice
- at least 80% of the questions must be answered correctly to pass the test
- the test may be retried an unlimited number of times (even after passing it); each time a different set of 25 questions is presented, apparently in random order
Passing the test:
- once you pass the test, you are entitled to request a printed or PDF "certificate of achievement"
- send an email to education@cacert.org, saying whether you want the printed or the PDF version
- the email must be signed with the certificate used to do the test
Server certificates
The form to sign CSRs can be found here
https://www.cacert.org/account.php?id=10
Paste the CSR into the form, then sign it (with the class 3 root certificate, which is selected by default in the Web form) and thereby generate the certificate. The certificate can be copied and pasted into a certificate file. That file should be stored in
/etc/ssl/certs
Client certificates
This section describes how to create a client certificate on cacert.org and import it into a web browser (Firefox 3 in my case). Once you have created the certificate, it can be managed (renew, revoke, delete) on the cacert.org web site.
Certificate creation:
- login on cacert.org, then select "client certificates" -> new
- on the following screen, enter the following information
- select the email address that the certificate should be for, then click the "add" checkbox next to that email address
- sign with the class 1 root certificate
- select "include <my name>" (instead of "no name")
- check "Enable certificate login with this certificate"
- click "next", and on the next page select keysize = high grade
- click "create certificate request" and enter the certificate master password to create the certificate
Certificate installation:
- click "click here" to install the certificate
- the private key is now generated by the browser and kept in the browser's key store
- the private key is not on the CAcert server, nor anywhere else
- the private key is protected by the certificate master password entered above
Certificate backup (Firefox 3):
- open Preferences dialog
- click the "Advanced" button
- select "Encryption" tab
- click button "View Certificates"
- select "Your Certificates" tab
- select the client certificate to backup, then click the "Backup..." button
- enter a file name, then enter the certificate master password
- enter the certificate backup password
- the file saved is a "PKCS12" file and has extension ".p12"
- the extension seems to be an official one: on Mac OS X, double clicking the file opens Keychain Access.app