CAcert

Overview

This page contains information about CAcert.org in general, and stuff that is important for me as an assurer.


TODO

  • Get an overview of the structure of CAcert, i.e. what teams are there, how are they related, etc. (diagram?). A good starting point might be the 2008/2009 team report.
  • Get an overview of the various pieces of infrastructure, i.e. main website, blog, wiki, etc.
  • Decide whether it is desirable to join as a CAcert member (and what the responsibilities would be)


References

Main site

Wiki

CAcert assurer handbook

CAcert assurer training (slideshow-style document)

CAcert CPS and CP document

Assurance Policy

Organisation Assurance Policy

CAcert Community Agreement (CCA)

Acceptable Documents in Switzerland

Other interesting links

Mailing Lists


Glossary

WOT 
Web of Trust
CPS 
Certification Practice Statement
CP 
Certificate Policy
CCA 
CAcert Community Agreement
OAP 
Organisation Assurance Policy
CATS 
CAcert Training System
ATE 
Assurer Training Event
BirdShack 
Project name for the proposed complete rewrite of the CAcert software (link)
CARS 
CAcert Assurers Reliable Statement


CAcert Root Certificates

Getting the certificates

The public root certificates of CAcert.org can be obtained from this page (use the PEM variants):

https://www.cacert.org/index.php?id=3

At the time of writing there are 2 root certificates available:

  • a class 1 root certificate
  • a class 3 root certificate; this one is signed by the class 1 root certificate

As per Wikipedia:

  • class 1 root certificates are for email
  • class 3 root certificates are for server certificates and software signing


Adding certificates to the Debian system-wide trust store

On Debian systems, the CAcert root certificates used to be provided by the package ca-certificates. Unfortunately this is no longer the case because Debian decided to exclusively use the Mozilla trust store, which famously excludes CAcert. Debian is flexible enough, though, so that custom certificates can be added to the system-wide trust store. To do so the CAcert certificates must first be placed into this folder:

/usr/local/share/ca-certificates

I like to store the two certificates under the following names:

cacert.org_root.crt
cacert.org_class3.crt

Note: If you try to download the certificates from the CAcert website on the same system that you intend to modify, you will have a bootstrap problem because CAcert offers the certificates for download via HTTPS only, but curl or wget or whatever download tool you are using will not trust the certificate offered by the CAcert website. To circumvent this you can tell the download tool not to check the certificate. The command line option for wget is this:

wget --no-check-certificate URL

WARNING: This is dangerous because someone could act as man-in-the-middle and cause your download tool to fetch a fake certificate. Therefore make sure to verify the certificate's fingerprint after the download!


After installing the two certificates, the next step is to run update-ca-certificate: This utility notices the two new certificates and adds them to the system-wide trust store (here are the details).

As far as I know, no part of my Linux box requires the CAcert certificates to be present in the trust store. The certificates are required, though, for creating a certificate chain file that is used by server processes to offer the entire certificate chain to clients.


Certificate chain file

On Debian, create a so-called certificate chain file in the following way:

cd /etc/ssl/certs
rm cacert.org.certchain
cat /usr/local/share/ca-certificates/cacert.org_class3.crt >>cacert.org.certchain
cat /usr/local/share/ca-certificates/cacert.org_root.crt >>cacert.org.certchain

Note: The certificates in the chain file should appear in the order of the certificate chain order, i.e. the root certificate that was used to sign the server certificate should appear first. I have not tested what happens if this is not the case, but I guess it will affect browsers.

Sample application:

  • The chain file is used, for instance, by the Apache web server (see Apache)
  • When a client requests the server certificate (which is signed by the class 3 CAcert.org root certificate), the server not only hands out the server certificate, but also provides the root certificates in the chain file
  • If the client trusts one of the CAcert.org root certificates, it will thereby automatically trust the server certificate, too


Questions And Answers

What is a digital signature? 
A digital signature is a hash value of the document encrypted by the private key of the signer (definition taken from the CAcert assurer handbook)


CAcert Assurer Challenge

Wiki page of the challenge

Step-by-step procedure (using Firefox 3):

  • Log in to CATS: https://cats.cacert.org/
  • the browser asks you to select the certificate that should be presented to the CATS server
  • you need to enter the certificate master password if this is the first time that you access the certificate after the browser has started
  • the browser asks once more for the certificate, possibly because it got another challenge from CATS; note that from now on the browser will repeatedly ask for the certificate; I am not going to mention this anymore, simply select the appropriate certificate each time
  • once CATS has accepted the certificate, you still have to login (click the "login" link)
  • if it's the first time that you try to login, CATS will tell you that you need to register
  • once you are logged in, you can browse around the site (it's all fairly straightforward) and do the test whenever you like

Notes about the test:

  • the test consists of 25 questions
  • most of the questions are multiple choice
  • at least 80% of the questions must be answered correctly to pass the test
  • the test may be retried an unlimited number of times (even after passing it); each time a different set of 25 questions is presented, apparently in random order

Passing the test:

  • once you pass the test, you are entitled to request a printed or PDF "certificate of achievement"
  • send an email to education@cacert.org, saying whether you want the printed or the PDF version
  • the email must be signed with the certificate used to do the test


Server certificates

The form to sign CSRs can be found here

https://www.cacert.org/account.php?id=10

Paste the CSR into the form, then sign it (by the class 3 root certificate, which is selected by default in the Web form) and thereby generate the certificate. The certificate can be copied and pasted into a certificate file. That file should be stored in

/etc/ssl/certs


Client certificates

This section describes how to create a client certificate on cacert.org and import it into a web browser (Firefox 3 in my case). Once you have created the certificate, it can be managed (renew, revoke, delete) on the cacert.org web site.

Certificate creation:

  • login on cacert.org, then select "client certificates" -> new
  • on the following screen, enter the following information
  • select the email address that the certificate should be for, then click the "add" checkbox next to that email address
  • sign by class 1 root certificate
  • select "include <my name>" (instead of "no name")
  • check "Enable certificate login with this certificate"
  • click "next", and on the next page select keysize = high grade
  • click "create certificate request" and enter the certificate master password to create the certificate

Certificate installation:

  • click "click here" to install the certificate
  • the private key is now generated by the browser and kept in the browser's key store
  • the private key is not on the CAcert server, nor anywhere else
  • the private key is protected by the certificate master password entered above

Certificate backup (Firefox 3):

  • open Preferences dialog
  • click the "Advanced" button
  • select "Encryption" tab
  • click button "View Certificates"
  • select "Your Certificates" tab
  • select the client certificate to backup, then click the "Backup..." button
  • enter a file name, then enter the certificate master password
  • enter the certificate backup password
  • the file saved is a "PKCS12" file and has extension ".p12"
  • the extension seems to be an official one: on Mac OS X, double clicking the file opens Keychain Access.app