04 May 2012

134. Introducing a CA certificate in Debian

So, for some reason you've been issued a CA certificate. Now what?

I'm assuming that you've already downloaded both the root certificate (cacert.crt) and your personal certificate (usercert.pem). You'll need both, along with the matching private key (userkey.pem), which the conversion step uses.


Openssl

Convert to .p12
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12

Verify
You can verify your issued certificate, e.g.
openssl verify -CAfile ~/Downloads/cacert.crt ~/.globus/usercert.pem
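
The two openssl steps above, combined into one pre-flight check. This is an added example, not part of the original post: check_and_export and make_demo_pki are hypothetical helper names, and the CA, certificate, keys and passphrase it generates are constructed throwaway material so the script runs offline.

```shell
# check_and_export CERT KEY CA OUT PASSFILE   (hypothetical helper name)
# Returns 0 = exported, 1 = chain does not verify, 2 = key/cert mismatch, 3 = export failed.
check_and_export() {
    cert=$1 key=$2 ca=$3 out=$4 passfile=$5
    # 1. Same check as the Verify step: the cert must chain to cacert.crt.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. The private key must match the public key inside the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 2
    # 3. Same conversion as above, plus the CA cert in the bundle; the export
    #    passphrase is read from a file so it never shows in the process list.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
          -out "$out" -passout "file:$passfile" ) || return 3
    # 4. Read the bundle back to confirm it opens with that passphrase.
    openssl pkcs12 -in "$out" -passin "file:$passfile" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 3
}

# Builds a constructed throwaway CA, user cert/key and an unrelated key in DIR.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -out "$d/cacert.crt" -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/userkey.pem" \
        -out "$d/user.csr" -subj "/CN=Constructed Demo User" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/cacert.crt" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/usercert.pem" \
        -days 1 2>/dev/null
    openssl genrsa -out "$d/otherkey.pem" 2048 2>/dev/null
    ( umask 077; printf '%s\n' 'constructed-demo-passphrase' > "$d/pass.txt" )
}

# Demo run on the constructed material only.
demo=$(mktemp -d) && make_demo_pki "$demo"
check_and_export "$demo/usercert.pem" "$demo/userkey.pem" "$demo/cacert.crt" \
    "$demo/usercert.p12" "$demo/pass.txt" && echo "matching key: exported"
check_and_export "$demo/usercert.pem" "$demo/otherkey.pem" "$demo/cacert.crt" \
    "$demo/bad.p12" "$demo/pass.txt" || echo "unrelated key: refused (exit $?)"
```

With a passphrase-protected userkey.pem, openssl prompts for the key passphrase during steps 2 and 3.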


Browsers:

Iceweasel/Firefox 
Go to Edit, Preferences, Advanced, Encryption: View certificates. Click Import under Your Certificates and select your usercert.p12 (see above for conversion). Go to Servers, import cacert.crt.

Make sure that your cert authority shows up under the Authorities tab (otherwise try importing cacert.crt). Highlight the relevant authority, and click on Edit Trust: select the relevant fields of identification (e.g. website and/or email). Each box you tick lets this authority vouch for that kind of identity, so tick only the ones you need.


Chrome/Chromium
Click on the spanner icon, go to Settings, Under the bonnet, Manage Certificates and select Import under Your Certificates. Click on server, import the cacert.crt. Approve the certificate authority for the intended uses of the certificate. If you already did this in Firefox, it may have carried over.


Email:

Evolution
First go to Edit, Preferences, scroll down to Certificates and import your certificate and, under authorities, import the root certificate (cacert.crt).

Under the Authorities tab, select the issuing authority, click on Edit and set the trust level (probably all).


Next, go to Edit, Preferences, Mail Accounts, select an account and click on Edit. Select the Security tab.


Repeat this for all accounts you want to use this certificate with.

Test it:


Send it. Receive it.

If all is correct, this is what greets you

If you don't add the certificate authority as being trusted -- and this will be the case for some of your recipients -- this is what you see. Signature no good.


Thunderbird
Go to Edit, Account Settings... and under each account click on Security, then on View Certificates -- import your certificate and the issuing authority's certificate here, or you won't be able to Select the certificates under Digital Signing and Encryption.

Also, under View Certificates, highlight the certificate authority and select Edit Trust -- click on Edit CA trust, select website, mail etc., then select I do trust...
I presume that you do trust the authority or this is an exercise in futility.
You need to do this for ALL accounts that you intend to use, or you'll run into trust issues.

You can select/de-select signing when composing using the S/MIME menu.

If all goes well, users who also have the same certificate authority listed as trusted (probably not the case, but whatever) will see a sealed envelope (this message has been signed by PGP as well as S/MIME):
