Monday, June 29, 2009

Creating a self-signed PKCS12 certificate

These directions were taken from: http://marc.info/?l=apache-ssl&m=109047232527559&w=2

Create a new directory structure to house everything so that we can create our own CA (I used '/tmp/cert' for this):
  1. mkdir -p /tmp/cert/CA/newcerts
  2. touch /tmp/cert/CA/index.txt
  3. echo "00" > /tmp/cert/CA/serial
  4. mkdir -p /tmp/cert/1/2

(The "1/2" directory is arbitrary. The following process wants to write its files to ../../CA/*, so "1/2" fits my needs.)


Change to the appropriate directory:
  1. cd /tmp/cert/1/2

Create the CA key:
  1. openssl genrsa -des3 -out ca.key 1024

Create the CA certificate:
  1. openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate client (private) key:
  1. openssl genrsa -des3 -out client.key 1024

Generate client certificate request:
  1. openssl req -new -key client.key -out client.csr -days 1

Certify the client cert using our own CA:
  1. openssl ca -in client.csr -out client.crt -keyfile ca.key -cert ca.crt -days 1

Generate .p12 cert:
For CA:
  1. openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
For client:
  1. openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
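The same CA, client and .p12 steps as above, scripted end to end so they run without prompts, as an added example that is not from the original post or the mailing-list message it was taken from. It assumes nothing about your openssl.cnf: instead of relying on a config that points at ../../CA, it writes its own minimal config next to the keys. The passphrase, the subject names and the directory layout under the argument are constructed for the demo, and it departs from the post in using 2048-bit keys and AES instead of 1024-bit keys and 3DES. The last two functions check the result: that client.crt chains to ca.crt and that the certificate inside client.p12 is the one it was built from.

```shell
#!/bin/sh
# Added example, not the original post's commands: CA -> client cert -> PKCS#12,
# non-interactive. Passphrase, subjects and paths below are constructed for the demo.

DEMO_PASS='demo-passphrase'   # constructed; in real use read it from a prompt or a protected file

# build_demo_pki <dir>: creates <dir>/CA (the CA database) and <dir>/work (keys, certs, .p12)
build_demo_pki() {
    ROOT=$1
    CA_DIR="$ROOT/CA"
    WORK="$ROOT/work"
    mkdir -p "$CA_DIR/newcerts" "$WORK" || return 1
    : > "$CA_DIR/index.txt" || return 1
    echo 00 > "$CA_DIR/serial" || return 1

    # Minimal config: [local_ca] tells `openssl ca` where its database lives,
    # [req] supplies the sections `openssl req` insists on, and the v3_* sections
    # mark the CA certificate as a CA and the client certificate as an end entity.
    cat > "$WORK/openssl.cnf" <<EOF || return 1
[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
policy          = policy_any
x509_extensions = v3_client

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF

    # CA key and self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$DEMO_PASS" -out "$WORK/ca.key" 2048 || return 1
    openssl req -new -x509 -days 365 -config "$WORK/openssl.cnf" -key "$WORK/ca.key" \
        -passin "pass:$DEMO_PASS" -subj "/CN=Demo Local CA" -out "$WORK/ca.crt" || return 1

    # Client key and certificate request
    openssl genrsa -aes256 -passout "pass:$DEMO_PASS" -out "$WORK/client.key" 2048 || return 1
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/client.key" \
        -passin "pass:$DEMO_PASS" -subj "/CN=Demo Client" -out "$WORK/client.csr" || return 1

    # Certify it with our CA; -batch skips the interactive "Sign the certificate?" prompt
    openssl ca -batch -notext -config "$WORK/openssl.cnf" -in "$WORK/client.csr" \
        -out "$WORK/client.crt" -keyfile "$WORK/ca.key" -passin "pass:$DEMO_PASS" \
        -cert "$WORK/ca.crt" -days 1 || return 1

    # Bundle certificate and private key into a PKCS#12 file for import into a mail client
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -passin "pass:$DEMO_PASS" -passout "pass:$DEMO_PASS" -out "$WORK/client.p12" || return 1
}

# verify_client_cert <dir>: exit status 0 if client.crt chains to ca.crt
verify_client_cert() {
    openssl verify -CAfile "$1/work/ca.crt" "$1/work/client.crt" >/dev/null
}

# pem_cert_fingerprint <dir>: SHA-256 fingerprint of the issued PEM certificate
pem_cert_fingerprint() {
    openssl x509 -in "$1/work/client.crt" -noout -fingerprint -sha256
}

# p12_cert_fingerprint <dir>: fingerprint of the certificate inside client.p12,
# so the bundle can be checked against the certificate it was built from
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1/work/client.p12" -passin "pass:$DEMO_PASS" -nokeys -clcerts \
        | openssl x509 -noout -fingerprint -sha256
}

# Stand-alone usage: sh this_script.sh /tmp/cert-demo
if [ "$#" -eq 1 ] && [ -n "$1" ]; then
    build_demo_pki "$1" && verify_client_cert "$1" && echo "client.crt verifies; client.p12 written to $1/work"
fi
```

Each step returns non-zero on failure rather than relying on `set -e`, so the functions behave the same whether they are called directly or inside an `||` list. After a run, `$1/CA/index.txt` holds one `V` (valid) entry for the client certificate, which is the record `openssl ca` uses to refuse duplicate subjects and to build revocation lists later.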

Tuesday, June 23, 2009

PKI for Dummies

http://www.networkworld.com/news/64452_05-17-1999.html

Thursday, June 11, 2009

Digitally signing emails with CAC on Evolution

First, set it up with Thunderbird:

https://help.ubuntu.com/community/CommonAccessCard

Make Evolution use the stuff you imported with T-bird:
  1. cd ~/.mozilla/firefox/*.default
  2. cp cert8.db key3.db secmod.db ~/.evolution/
In Evolution, open 'Edit/Preferences.../Certificates', go to the 'Authorities' tab, and select each individual certificate (e.g. "CA-18"):
  1. Click the 'Edit' button
  2. Check the box to trust this CA to identify web sites
  3. Check the box to trust this CA to identify email users.
  4. Do this for all the certificates under the U.S. Government heading
Select the appropriate certificate for signing and encrypting:
  1. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP)
  2. Click the 'Edit' button
  3. Click the 'Security' tab
  4. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired.
To compose a signed or encrypted message:
  1. Pull down 'Security' menu
  2. Select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate.