ca.mdwn 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
  1. If you'd like to know how Rel4tion's independent
  2. [[!wikipedia Certificate_Authority]] (CA) works and how to participate in its
  3. administration (if you talked to [[fr33domlover]] about it), you came to the
  4. right place.
  5. # Intro
  6. When SSL certificates were first created for Rel4tion, there was only the
  7. [OpenNIC] domain name `partager.null` and [[!wikipedia TinyCA]] was used for all
  8. the CA related tasks. All the files were stored directly on the server, because
  9. there was no other computer to use for managing the CA (and there still isn't).
  10. It felt easy, but it was clear that it's not the safest option.
  11. [OpenNIC]: http://opennicproject.org
  12. The instructions for TinyCA can still be generally useful, since they aren't
  13. specific to Partager/Rel4tion, and be found here: [[CA with TinyCA|tinyca]]. In
  14. fact, they are more verbose than the instructions below and explain things, so
  15. if you see too many unfamiliar words below, take a look.
  16. While the author believes that the key to security and privacy is simply not
  17. violating and not harming them (and that requires personal responsibility and
  18. respect between people, not complicated technology), in today's sad situation it
  19. seems that such technology is a good tool in the hands of those who wish to
  20. fight the global abuse by selfish companies and governments, or just protect
  21. themselves and others without depending on central forces. Therefore, SSL
  22. certificates are consistently provided for all services and subdomains where
  23. relevant. They aren't needed for networks with authentication built-in, such as
  24. [[!wikipedia I2P]], but they're used for
  25. "[[!wikipedia surface_web desc=clearnet]]" with both the OpenNIC domain
  26. `partager.null` and the [[!wikipedia ICANN]] domain `rel4tion.org`.
  27. Rel4tion's CA is a **community CA**. It means that anyone can participate and
  28. get their certificates signed, but only as long as everyone knows everyone. This
  29. requirement means that trust between members is maintained and the community
  30. remains small enough to sustain the trust. So joining means talking to people,
  31. getting to know them, becoming part of the community and later possibly also
  32. helping new participants. There is no need to check your goverment ID or phone
  33. number or any other private information, because trust here is real actual trust
  34. between friends, not the digital fake "trust" that large CAs provide by checking
  35. your paperwork. As an example, g00gle and faceb00k with their spyware still get
  36. as many certificates as they want, simply because they are real registered
  37. companies. See below for more info about the CA's management.
  38. # Technology
  39. The tools used for managing the Rel4tion CA are:
  40. - The [[!wikipedia GnuTLS]] software
  41. - The [[!wikipedia GnuPG]] software
  42. - The [Monkeysphere] software
  43. - The [[!wikipedia ext4]] filesystem, with encryption
  44. - A [[!wikipedia USB_flash_drive]]
  45. - A micro [[!wikipedia SD_card]]
  46. [Monkeysphere]: http://web.monkeysphere.info
  47. # Social Workflow
  48. [[TODO|/todo/open]] fill info here
  49. # Technical Workflow
  50. All the files related to the CA and the certificates, including copies of all
  51. the keys and all the certificates used on Rel4tion's server, are stored on two
  52. storage devices - the flash drive and the SD card mentioned above. The same
  53. content is stored on both. Using 2 devices provides more realiable backup than
  54. 1, because if something happens to one, all the files are available on the
  55. other. These are the only two locations - except for the certificates and keys
  56. required by Rel4tion's server, the files aren't stored on the server itself or
  57. on always-attached external storage.
  58. Both devices have encrypted ext4 partitions, on which the files are stored.
  59. When a change needs to be made, the USB flash drive is attached to the server
  60. and the commands are executed by the root user. If needed, certificates and keys
  61. are copied to the server, where the server daemons can find and use them.
  62. After the operation, the updated files are copied to the MicroSD card, so it
  63. contains an exact copy of what the flash drive contains. Finally, both are
  64. physically detached from the server.
  65. # Technical Conventions
  66. The content stored on these two devices is referred to as "the CA package" or
  67. just "the package".
  68. The filenames of certificates and keys have the form
  69. `<subdomain>.<domain>.<extension>`, where:
  70. - `subdomain` is optional, and if it's not there the period after it is not
  71. needed either. But it shouldn't be omitted unless it's the website certificate
  72. or the CA certificate etc., i.e. perhaps not tied to a subdomain. Examples:
  73. `www`, `doc`, `mail`, `ftp`, `git`.
  74. - `domain` is `rel4tion.org`, even if the certificate/key is used with
  75. additional domains such as `partager.null`.
  76. - `extension` is `key`, `crt` or `pem`. If the file contains just the private
  77. key, then it's `key`. If the file contains just the public certificate, then
  78. it's `crt`. If it contains both, then it's `pem`.
  79. The files of the CA itself may be an exception, since they aren't tied to any
  80. specific domain name.
  81. # Commands and Procedures
  82. When creating new files, always change their permissions to give only the root
  83. user, and nobody else, access to the files.
  84. ## CA Creation
  85. Install the required software:
  86. # apt-get install gnutls-bin gnupg
  87. Create an RSA private key for the CA:
  88. # certtool --generate-privkey --bits 4096 --outfile rel4tion-ca.key
  89. Use a long password. Write it on a piece of paper and store in a safe place.
  90. Create a template file for the CA certificate. The certificate will be created
  91. once, but any future updates will be much easier because you just need to update
  92. the template file and pass it to `certtool`. Initial template file
  93. `rel4tion-ca.template`:
  94. [[ca-template-initial]]
  95. Create a certificate for the CA:
  96. # certtool --generate-self-signed \
  97. --load-privkey rel4tion-ca.key \
  98. --template rel4tion-ca.template \
  99. --outfile rel4tion-ca.crt
  100. [[TODO|/todo/open]] what about the CRL? explain
  101. ## CA Deployment
  102. Using GnuPG, sign the CA certificate:
  103. $ gpg --armor \
  104. --comment "http://www.rel4tion.org/people/fr33domlover" \
  105. --detach-sign \
  106. rel4tion-ca.crt
  107. $ mv rel4tion-ca.crt.asc rel4tion-ca.crt.sig
  108. Put the CA certificate and the signature under the `cert` subdomain, from which
  109. they will be downloaded by clients:
  110. # mv rel4tion-ca.crt rel4tion-ca.crt.sig /var/www/cert
  111. And make sure they are readable by the `www-data` user.
  112. [[TODO|/todo/open]] link to and explain about writing/updating usage
  113. instructions for users. The current plan is to move them to [[/access/www]].
  114. ## Certificate Creation
  115. The commands below assume we're creating a certificate for the
  116. `mail.rel4tion.org` service.
  117. First of all, generating a signed certificate requires trust in order to have
  118. any value (compared to a self-signed certificate). The good old kind, trust
  119. between friends. So you should get to know the people here, and they should get
  120. to know you, and GPG keys should be exchanged and signed. In particular, make
  121. sure [[fr33domlover]] signs the GPG key you use for signing e-mail.
  122. Create an RSA private key for the service.
  123. # certtool --generate-privkey \
  124. --bits 4096 \
  125. --outfile mail.rel4tion.org.key
  126. Create a template file for the service certificate. If there's more than one
  127. domain name for which the certificate will be used (i.e. the Common Name field
  128. isn't enough), add the domains as [[!wikipedia "Subject Alternative Name"]]s
  129. (SANs). Actually, you can put anything in the CN and add domains only as SANs,
  130. even if you're adding just a single domain. Here's an example template file:
  131. [[service-template-example]]
  132. Also note that if a DNS name is used as a SAN, any subdomains will be matched
  133. as well. For example, a certificate for `xmpp.example.org` will also be valid
  134. for `muc.xmpp.example.org`.
  135. Create a certificate signing request (CSR):
  136. # certtool --generate-request \
  137. --load-privkey mail.rel4tion.org.key \
  138. --template mail.rel4tion.org.template \
  139. --outfile mail.rel4tion.org.csr
  140. Send the CSR and the template in a GPG-signed e-mail message. Here's how to sign
  141. the CSR as the CA, assuming our template file is `mail.rel4tion.org.template`:
  142. # certtool --generate-certificate \
  143. --load-request mail.rel4tion.org.csr \
  144. --load-ca-certificate rel4tion-ca.crt \
  145. --load-ca-privkey rel4tion-ca.key \
  146. --template mail.rel4tion.org.template \
  147. --outfile mail.rel4tion.org.crt
  148. If you sent the CSR and the template using signed e-mail, you should receive the
  149. signed certificate as signed e-mail too, and verify the signature.
  150. Examine the certificate and make sure the contents are all there as expected:
  151. # certtool --certificate-info --infile mail.rel4tion.org.crt
  152. [[TODO|/todo/open]] explain how to sign cert with monkeysphere
  153. [[TODO|/todo/open]] explain how to basically let server daemons access the cert
  154. and the key, `cat` PEM files, maybe link to some server config pages on the wiki
  155. if any exist, etc.
  156. ## Certificate Deployment
  157. [[TODO|/todo/open]]